1. Jason Chan, an engineering director at Netflix, gave a presentation about product security approaches at Netflix. 2. Netflix has an agile development culture with over 200 daily production pushes across 1000+ supported devices in 40 countries. This results in a need for security approaches that can handle Netflix's scale and speed. 3. Netflix employs approaches like visibility into security-related data, automation through over 1000 tests, and an immutable server pattern to enable security in their fast-paced, cloud-based environment.

1. From Gates to Guardrails:
Alternate Approaches to
Product Security
LASCON 2013
Jason Chan
chan@netflix.com

2. About Me
• Engineering Director @ Netflix:
– Security: Product, App, Ops, IR, etc.
• Previously:
– Led security team @ VMware
– Consultant - @stake, iSEC Partners

3. About Netflix

4. AGILE/CD/CLOUD/DEVOPS
CHARACTERISTICS

7. SAFELY HANDLING
SPEED & SCALE

11. Netflix Environment
•
•
•
•
•
•
~200 production pushes/day
40m+ subscribers
Support for 1000+ devices
Service in 40+ countries
Concurrent delivery from 3 AWS regions
~1/3 of US download bandwidth at peak

12. CULTURE

15. Recruiting
Infrastructure/Systems/
Cloud
AppSec
Development
Monitoring & Response
Online Operations

16. Waiting, working,
Easy planning and
complete
reporting
Per-user
filters

17. VISIBILITY

18. Dashboards for
Security Data
Sub- Services
and
Dashboards
Dashboards for
Regional
SecurityDrill-down
Relevant Events
for Key Services and Lookback

19. Meaningful
subject
Alert
configuration
What to do?
Useful links
for more data
Embedded
graph

20. Access to changes
by app, region,
environment, etc.
Lookback in time
as needed

21. Chat integration
lets engineers
easily access info

22. App
name
Jenkins
(CI) job
Currently
running clusters
by region/
environment

23. Cluster
ID
Deployment
details
AMI version
SCM commit

24. Link to
relevant
JIRA(s)
Modified
files
Source
diffs

26. AUTOMATION

28. 1000+ tests to
compare proposed vs.
existing

30. AWS
components

31. Configuration
history
Details (rules)

33. ImmutableServer Pattern
• “ . . . a server that once deployed, is
never modified, merely replaced with a
new updated instance.”
– http://martinfowler.com/bliki/
ImmutableServer.html

34. Wrapping Up
• Cloud/DevOps/Agile/CD are
transformative (for org & security)
• Orgs embracing tend to deal in speed
and scale
• Look to culture, visibility, and automation
as security enablers in these
environments

35. Summary
Meeting’s Over – Questions?

36. Netflix Links
• http://techblog.netflix.com
• http://netflix.github.io/#repo
• http://www.slideshare.net/netflix

37. Photo Credits
•
•
•
•
•
•
•
•
Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/
Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/
Visibility: http://photography.nationalgeographic.com/wallpaper/
photography/photo-tips/city-photos/golden-gate-bridge-fog/
Scale: http://www.livestockscales.info/
Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/
running-bird.html
Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The
+First+Four+Years
Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/
Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek