From Gates to Guardrails: Alternate Approaches to Product Security
LASCON 2013
Jason Chan
chan@netflix.com
Published in: Technology, Business

Transcript of "From Gates to Guardrails: Alternate Approaches to Product Security"

  1. From Gates to Guardrails: Alternate Approaches to Product Security. LASCON 2013. Jason Chan, chan@netflix.com
  2. About Me
     •  Engineering Director @ Netflix: Security (Product, App, Ops, IR, etc.)
     •  Previously: led security team @ VMware; consultant @ @stake, iSEC Partners
  3. About Netflix
  4. AGILE/CD/CLOUD/DEVOPS CHARACTERISTICS
  5. SAFELY HANDLING SPEED & SCALE
  6. Netflix Environment
     •  ~200 production pushes/day
     •  40m+ subscribers
     •  Support for 1000+ devices
     •  Service in 40+ countries
     •  Concurrent delivery from 3 AWS regions
     •  ~1/3 of US download bandwidth at peak
  7. CULTURE
  8. Recruiting: Infrastructure/Systems/Cloud; AppSec; Development; Monitoring & Response; Online Operations
  9. Waiting, working, complete; easy planning and reporting; per-user filters
  10. VISIBILITY
  11. Dashboards for Security Data: sub-services and dashboards; dashboards for regional security; drill-down; relevant events for key services; lookback
  12. Meaningful subject; alert configuration; what to do?; useful links for more data; embedded graph
  13. Access to changes by app, region, environment, etc.; lookback in time as needed
  14. Chat integration lets engineers easily access info
  15. App name; Jenkins (CI) job; currently running clusters by region/environment
  16. Cluster ID; deployment details; AMI version; SCM commit
  17. Link to relevant JIRA(s); modified files; source diffs
  18. AUTOMATION
  19. 1000+ tests to compare proposed vs. existing
  20. AWS components
  21. Configuration history; details (rules)
  22. Immutable Server Pattern
     •  “. . . a server that once deployed, is never modified, merely replaced with a new updated instance.” – http://martinfowler.com/bliki/ImmutableServer.html
  23. Wrapping Up
     •  Cloud/DevOps/Agile/CD are transformative (for org & security)
     •  Orgs embracing them tend to deal in speed and scale
     •  Look to culture, visibility, and automation as security enablers in these environments
  24. Summary: Meeting’s Over – Questions?
  25. Netflix Links
     •  http://techblog.netflix.com
     •  http://netflix.github.io/#repo
     •  http://www.slideshare.net/netflix
  26. Photo Credits
     •  Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
     •  Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
     •  Visibility: http://photography.nationalgeographic.com/wallpaper/photography/photo-tips/city-photos/golden-gate-bridge-fog/
     •  Scale: http://www.livestockscales.info/
     •  Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/running-bird.html
     •  Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The+First+Four+Years
     •  Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
     •  Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek
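Slides 19–21 describe the automation leg of the talk: a large set of tests that compare a proposed AWS configuration against the existing one, a configuration history, and rule-level details. The script below is an added example written for this page, not Netflix's code or any of its open-source tools. It diffs two constructed security-group ingress configurations, evaluates every rule a change would add against an assumed policy (only ports 80 and 443 may be open to 0.0.0.0/0, no all-protocol rules, no very wide port spans), and appends one history entry per changed group. Group names, rules, the policy thresholds and the hash-based history record are all assumptions.

```python
"""Guardrail check: proposed vs. existing security-group ingress (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Assumed policy: only these ports may be reachable from the whole internet.
PUBLIC_OK_PORTS = {80, 443}
MAX_PORT_SPAN = 1000  # assumed: wider ranges are treated as "any port"


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str


def load(cfg: Dict[str, List[dict]]) -> Dict[str, Set[Rule]]:
    """Normalise raw ingress lists (one list per group) into Rule sets."""
    return {group: {Rule(**r) for r in rules} for group, rules in cfg.items()}


def diff(existing: Dict[str, Set[Rule]], proposed: Dict[str, Set[Rule]]) -> Dict[str, Tuple[Set[Rule], Set[Rule]]]:
    """Per changed group: (rules added, rules removed). Unchanged groups are omitted."""
    changes = {}
    for group in sorted(set(existing) | set(proposed)):
        old, new = existing.get(group, set()), proposed.get(group, set())
        if old != new:
            changes[group] = (new - old, old - new)
    return changes


def violations(rule: Rule) -> List[str]:
    """Rule-level checks applied to every rule a change would add."""
    problems = []
    world_open = ip_network(rule.cidr).prefixlen == 0
    span = rule.to_port - rule.from_port + 1
    ports = set(range(rule.from_port, rule.to_port + 1))
    if rule.proto == "-1":
        problems.append("allows all protocols")
    elif span > MAX_PORT_SPAN:
        problems.append(f"port span {span} exceeds {MAX_PORT_SPAN}")
    if world_open and (rule.proto == "-1" or span > MAX_PORT_SPAN or not ports <= PUBLIC_OK_PORTS):
        problems.append("reachable from 0.0.0.0/0 on a non-public port")
    return problems


def evaluate(existing_cfg: Dict[str, List[dict]], proposed_cfg: Dict[str, List[dict]], history: List[dict]) -> dict:
    """Compare proposed vs. existing, flag policy problems in added rules, and record each change."""
    existing, proposed = load(existing_cfg), load(proposed_cfg)
    findings = []
    for group, (added, removed) in diff(existing, proposed).items():
        for rule in sorted(added, key=lambda r: (r.proto, r.from_port, r.cidr)):
            for problem in violations(rule):
                findings.append({"group": group, "rule": asdict(rule), "problem": problem})
        # History entry: what changed plus a hash of the resulting group config,
        # so later audits can tell which revision an instance was launched under.
        canonical = json.dumps(sorted(map(asdict, proposed.get(group, set())), key=json.dumps), sort_keys=True)
        history.append({
            "group": group,
            "added": [asdict(r) for r in sorted(added, key=lambda r: (r.proto, r.from_port, r.cidr))],
            "removed": [asdict(r) for r in sorted(removed, key=lambda r: (r.proto, r.from_port, r.cidr))],
            "config_hash": hashlib.sha256(canonical.encode()).hexdigest()[:16],
        })
    return {"verdict": "fail" if findings else "pass", "findings": findings}


# Constructed sample configurations (not real Netflix groups or rules).
EXISTING_CFG = {
    "web-frontend": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 7001, "to_port": 7001, "cidr": "10.0.0.0/8"},
    ],
    "cassandra": [{"proto": "tcp", "from_port": 7000, "to_port": 7001, "cidr": "10.0.0.0/8"}],
}
PROPOSED_CFG = {
    "web-frontend": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 7001, "to_port": 7001, "cidr": "0.0.0.0/0"},  # widened to the world
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},      # new world-open SSH
    ],
    "cassandra": EXISTING_CFG["cassandra"],  # unchanged
}

if __name__ == "__main__":
    history: List[dict] = []
    print(json.dumps(evaluate(EXISTING_CFG, PROPOSED_CFG, history), indent=2))
    print(json.dumps(history, indent=2))
```

Only rules the change would add are judged, so pre-existing debt is reported through the history rather than blocking every unrelated push; the unchanged cassandra group produces no history entry at all. Running this as a gate in CI turns the slide's "proposed vs. existing" comparison into a pass/fail verdict with the offending rule attached.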
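Slide 22 quotes the Immutable Server pattern, and slides 15–17 show the provenance chain (cluster, AMI version, SCM commit) that makes it checkable. The script below is an added illustration, not Netflix's code, of what enforcing the pattern looks like: it audits a constructed instance inventory against each cluster's deployment record, reports any instance whose AMI or runtime package fingerprint differs from what was baked, and emits one redeploy per drifted cluster instead of a per-instance fix. The fingerprint scheme, cluster names, AMI IDs, commit hashes and package list are all constructed for the example.

```python
"""Immutable-server drift audit (added example): drift is replaced, never patched."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Deployment:
    cluster: str
    region: str
    ami_id: str             # AMI the cluster was deployed from
    scm_commit: str         # commit the AMI was baked from
    baked_fingerprint: str  # fingerprint of the package set baked into the AMI


@dataclass(frozen=True)
class Instance:
    instance_id: str
    cluster: str
    region: str
    ami_id: str
    runtime_fingerprint: str  # fingerprint reported by the running instance


def fingerprint(packages: List[str]) -> str:
    """Stable fingerprint of an installed-package set given as name=version strings."""
    return hashlib.sha256("\n".join(sorted(packages)).encode()).hexdigest()[:16]


def audit(deployments: List[Deployment], instances: List[Instance]) -> List[dict]:
    """Return one finding per instance that violates the immutable-server invariant."""
    by_key: Dict[Tuple[str, str], Deployment] = {(d.cluster, d.region): d for d in deployments}
    findings = []
    for inst in instances:
        dep = by_key.get((inst.cluster, inst.region))
        base = {"instance": inst.instance_id, "cluster": inst.cluster, "region": inst.region}
        if dep is None:
            # No deployment record: nothing to compare against, so it cannot be trusted.
            findings.append({**base, "kind": "unknown-cluster"})
        elif inst.ami_id != dep.ami_id:
            # Launched from something other than the deployed AMI.
            findings.append({**base, "kind": "ami-mismatch", "expected_ami": dep.ami_id, "actual_ami": inst.ami_id})
        elif inst.runtime_fingerprint != dep.baked_fingerprint:
            # Same AMI, different package set: someone changed it after launch.
            findings.append({**base, "kind": "in-place-drift"})
    return findings


def redeploy_plan(findings: List[dict], deployments: List[Deployment]) -> Dict[str, str]:
    """Immutable remedy: one redeploy per drifted cluster, terminating the drifted instances."""
    by_key = {(d.cluster, d.region): d for d in deployments}
    plan: Dict[str, str] = {}
    for f in findings:
        if f["kind"] in ("ami-mismatch", "in-place-drift"):
            dep = by_key[(f["cluster"], f["region"])]
            plan[f["cluster"]] = (f"redeploy {f['cluster']} in {f['region']} from {dep.ami_id} "
                                  f"(commit {dep.scm_commit}); terminate drifted instances")
    return plan


# Constructed inventory (package versions, AMI IDs and commit are made up).
BAKED_PACKAGES = ["openssl=1.0.1e-16", "nginx=1.4.2-1", "java=1.7.0_25"]
DEPLOYMENTS = [Deployment("web-frontend", "us-east-1", "ami-0a1b2c3d", "9f3e2c1", fingerprint(BAKED_PACKAGES))]
INSTANCES = [
    Instance("i-0001", "web-frontend", "us-east-1", "ami-0a1b2c3d", fingerprint(BAKED_PACKAGES)),                       # clean
    Instance("i-0002", "web-frontend", "us-east-1", "ami-0a1b2c3d", fingerprint(BAKED_PACKAGES + ["tcpdump=4.3.0-1"])),  # hand-modified
    Instance("i-0003", "web-frontend", "us-east-1", "ami-ffffffff", fingerprint(BAKED_PACKAGES)),                       # wrong AMI
    Instance("i-0004", "legacy-batch", "us-east-1", "ami-11111111", "0000000000000000"),                                 # no record
]

if __name__ == "__main__":
    found = audit(DEPLOYMENTS, INSTANCES)
    for f in found:
        print(f)
    for cluster, action in redeploy_plan(found, DEPLOYMENTS).items():
        print(cluster, "->", action)
```

The point of keying everything on the deployment record is that the "fix" for a drifted box is never to log in and undo the change; the plan regenerates the cluster from the known AMI and commit, which is exactly what the quoted definition asks for.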