PROACTIVE SECURITY
APPSEC CASE STUDY
ANDY HOERNECKE
HELO
Andy Hoernecke

Application Security Engineer

AppSec, Automation, Data Visualization
What We Will Cover
• Background on Netflix
• Our Security Philosophy
• Walkthrough of Our Approach to AppSec
Terminology
• Define technology terms:
• Application
• Instance
• ELB (Elastic Load Balancer)
• AMI
• Security Groups
Netflix Primer
• Hundreds of Developers
• Over 1,000 applications
• Hundreds of production pushes a day
• Over 50k instances
• Very Pro Open Source
• No Security Gates!
Continuous Delivery
• Fast, Automated Deployment
• Immutable Platform
• Low Friction
The Challenge
• Provide security in the environment described:
• No security gates
• Production Changes Rapidly
• Multiple Code Bases (A/B Testing)
• Many Developers vs. 5 Member AppSec Team
How?
Act as enablers
not gatekeepers
Application developers are responsible
for the security of their application.
Security is as important as:
• functionality
• performance
• availability
• scalability
Create paved paths, that are
secure by default
Proactive Security
• Know your environment & weaknesses and work to improve
• Find problems early and address them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
Implementing Proactive Security
AppSec Case Study*
* Note: This talk discusses a new version of the software that has not yet been open sourced
Goals
1. Understand your environment
2. Inject automated security controls
3. Tie environment and security together
Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
Defining The Environment
• Applications that make up and support the Netflix experience
1. Accessibility (How, Where, Who)
2. Functionality
3. Ownership
4. Risk Level
5. Security
Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)
Where do Applications Come From?
Pipeline: Developers → SCM → Build → Bake → Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance
[Diagram: Source Code + Dependencies → Package (Build); Package + BaseAMI → Baked AMI (Bake); Baked AMI → EC2 Instance (Deploy)]
[Diagram: EC2 Instances are grouped into Clusters; Clusters make up an Application; an ELB with a DNS Name sits in front of the Application]
[Diagram: the whole chain, from Source Code, Dependencies and BaseAMI through Package, Baked AMI, EC2 Instance, Cluster, Application, ELB and DNS Name, labelled Penguin Shortbread]
Penguin Shortbread
• Specialized Branch of Scumblr
• Tracks Applications and all their associated metadata
• Repositories
• Committers
• DNS Names
• BaseAMI Information
• Dependencies
• More!
Penguin Shortbread
• Individual tasks for gathering different pieces of metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information stored on the application.
• Examples:
  • What application uses sketchy.netflix.com?
  • What repos does Andy Hoernecke contribute to?
While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
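Added example, not Penguin Shortbread's or Netflix's code: a small Ruby model of the inventory the last two slides describe. Independent metadata tasks (stand-ins for the Spinnaker, Github/Stash and bake gatherers) merge their results into one record per application, any stored field can be searched (the two example questions above), and a risk score computed from the collected metadata ranks the applications. The application names, hosts, repositories, committers, dates and score weights are constructed assumptions.

```ruby
require 'date'

# Added example, not Penguin Shortbread's own code. Every application, host,
# repository, committer and date below is constructed sample data.
class AppInventory
  def initialize
    # app name => { field => [values] }; both levels auto-create on first access
    @apps = Hash.new { |h, app| h[app] = Hash.new { |rec, field| rec[field] = [] } }
  end

  # A task is any callable returning { app_name => { field => values } }.
  # Results are merged, so each task only has to know its own slice of metadata.
  def run_task(task)
    task.call.each do |app, fields|
      fields.each { |field, values| @apps[app][field] |= Array(values) }
    end
    self
  end

  def [](app)
    @apps.fetch(app)
  end

  # Search on any stored field: names of the applications whose field holds value.
  def find(field, value)
    @apps.select { |_, rec| rec[field].include?(value) }.keys
  end

  # "What repos does <committer> contribute to?"
  def repos_for(committer)
    find(:committers, committer).flat_map { |app| @apps[app][:repos] }
  end

  # Additive risk score from the collected metadata (weights are assumptions):
  # internet-facing +40, no known owner +25, BaseAMI older than 90 days +20.
  def risk_score(app, today: Date.today)
    rec = @apps.fetch(app)
    score = 0
    score += 40 if rec[:accessibility].include?(:internet)
    score += 25 if rec[:owners].empty?
    newest_ami = rec[:base_ami_date].map { |d| Date.parse(d) }.max
    score += 20 if newest_ami && (today - newest_ami) > 90
    score
  end

  # Applications ordered from highest to lowest risk, for prioritising work.
  def ranked(today: Date.today)
    @apps.keys.sort_by { |app| -risk_score(app, today: today) }
  end
end

# Constructed stand-ins for the SCM, deploy (Spinnaker/DNS) and bake gatherers;
# real tasks would query those systems' APIs.
SCM_TASK = lambda do
  { "sketchy"      => { repos: ["stash/sec/sketchy"],      committers: ["Andy Hoernecke"],           owners: ["appsec"] },
    "catalog"      => { repos: ["github/org/catalog"],     committers: ["Andy Hoernecke", "J. Doe"], owners: ["catalog-team"] },
    "legacy-admin" => { repos: ["stash/ops/legacy-admin"], committers: ["J. Doe"] } }
end
DEPLOY_TASK = lambda do
  { "sketchy"      => { dns_names: ["sketchy.netflix.com"],      accessibility: [:internet], security_groups: ["sg-web"] },
    "catalog"      => { dns_names: ["catalog.internal.example"], accessibility: [:internal], security_groups: ["sg-internal"] },
    "legacy-admin" => { dns_names: ["admin.internal.example"],   accessibility: [:internet], security_groups: ["sg-open"] } }
end
BAKE_TASK = lambda do
  { "sketchy"      => { base_ami_date: ["2015-09-01"] },
    "catalog"      => { base_ami_date: ["2015-09-20"] },
    "legacy-admin" => { base_ami_date: ["2015-01-15"] } }
end

def build_inventory
  AppInventory.new.run_task(SCM_TASK).run_task(DEPLOY_TASK).run_task(BAKE_TASK)
end

if __FILE__ == $PROGRAM_NAME
  inv = build_inventory
  puts "uses sketchy.netflix.com: #{inv.find(:dns_names, 'sketchy.netflix.com').inspect}"
  puts "Andy's repos: #{inv.repos_for('Andy Hoernecke').inspect}"
  inv.ranked.each { |app| puts "#{app}: #{inv.risk_score(app)}" }
end
```

Because tasks only merge into the record, adding a new source of metadata (a dependency list, a Security Monkey security-group change) is one more callable rather than a schema change, which is the property that makes the "search on any field" question cheap to answer.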
Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
Pipeline: Developers → SCM → Build → Bake → Deploy
Stage: SCM
• Systems: Github, Stash, OpenGrok
• Information: Source Code, Commit History, Committer, Owner Info
• Security Tools/Services: Static Analysis
Stage: Build
• Systems: Jenkins
• Information: Packaged Application, Dependency Info
• Security Tools/Services: Static Analysis, Dependency Checking
Stage: Bake
• Systems: Spinnaker, Bakery, Animator
• Information: OS/Version, Animation Date, BaseAMI Info
• Security Tools/Services: Host Analysis/Hardening
Stage: Deploy
• Systems: Spinnaker, DNS, Security Monkey
• Information: Application Name, DNS Names, Security Groups
• Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing
Dirty Laundry
• Evolution of Scumblr
Scumblr 1.0
[Diagram: a query produces Results; each Result is a URL]
Scumblr 2.0
• Extended the model with Metadata
• Added:
• Generic Tasks
• Task Ordering/Grouping
• Customizable Views
• Events
New vs. Old
• Scumblr 1.0 Tasks:
  • Search Google
  • Search Twitter
  • Search Facebook
• Example Scumblr 2.0 Tasks:
  1. Get list of Stash Repos
  2. Run Brakeman on Rails Repos
  3. Save the Results and Send out Notifications
Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together
Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
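Added example, not Scumblr's or Dirty Laundry's code, covering both the Scumblr 2.0 task list (list repos, run a scanner on the Rails ones, save results and send notifications) and the status tracking and Workflowable-style actions on the Action slide. Tasks run in order sharing one context; each finding gets a fingerprint so the same issue is one record across runs, records move between open and resolved, and every event produces a ticket or notification string. The repositories, file contents, the two regex checks standing in for Brakeman, and the ticket action are constructed stand-ins.

```ruby
require 'digest'

# Added example, not Scumblr's or Dirty Laundry's own code. Repositories, file
# contents, rules and the ticket action are constructed stand-ins.

# Toy Brakeman-style checks (hypothetical, not Brakeman's rules): regex => check name.
RULES = {
  /\beval\(/      => "Dangerous Eval",
  /\.html_safe\b/ => "Cross-Site Scripting"
}.freeze

# Task 2: run the checks over every line of every file in one repo.
def scan_repo(repo)
  repo[:files].flat_map do |path, source|
    source.lines.each_with_index.flat_map do |line, idx|
      RULES.select { |re, _| line =~ re }.map do |_, check|
        { repo: repo[:name], file: path, line: idx + 1, check: check }
      end
    end
  end
end

# Stable identity for a finding, so one issue is one record across runs.
def fingerprint(finding)
  Digest::SHA256.hexdigest(finding.values_at(:repo, :file, :line, :check).join("|"))[0, 16]
end

# Task 3: store results with a status and reconcile them against earlier runs.
class ResultStore
  attr_reader :records # fingerprint => finding + status/first_seen/last_seen

  def initialize
    @records = {}
  end

  # Returns [kind, fingerprint] events: :new, :reopened or :resolved.
  def reconcile(findings, run_id:)
    events = []
    seen = {}
    findings.each do |f|
      fp = fingerprint(f)
      seen[fp] = true
      if (rec = @records[fp])
        rec[:last_seen] = run_id
        if rec[:status] == :resolved
          rec[:status] = :open
          events << [:reopened, fp]
        end
      else
        @records[fp] = f.merge(fingerprint: fp, status: :open, first_seen: run_id, last_seen: run_id)
        events << [:new, fp]
      end
    end
    # Anything still open that this run no longer reports has been fixed or removed.
    @records.each do |fp, rec|
      next if seen[fp] || rec[:status] != :open
      rec[:status] = :resolved
      events << [:resolved, fp]
    end
    events
  end

  def open_count
    @records.count { |_, rec| rec[:status] == :open }
  end
end

# Scumblr 2.0-style ordered tasks sharing one context hash; each task's result
# is stored under its name for the tasks that follow.
class Pipeline
  def initialize
    @tasks = []
  end

  def task(name, &body)
    @tasks << [name, body]
    self
  end

  def run(ctx = {})
    @tasks.each { |name, body| ctx[name] = body.call(ctx) }
    ctx
  end
end

# Stand-in for a Workflowable action: returns the ticket/notification it would send.
TICKETER = lambda do |kind, rec|
  where = "#{rec[:repo]} #{rec[:file]}:#{rec[:line]}"
  kind == :new ? "JIRA: open ticket for #{rec[:check]} in #{where}" : "notify: #{rec[:check]} in #{where} #{kind}"
end

# 1. list repos, 2. scan the Rails ones, 3. save/reconcile results, then act on each event.
def build_pipeline(repos, store, action)
  Pipeline.new
          .task(:repos)    { |_ctx| repos }
          .task(:findings) { |ctx| ctx[:repos].select { |r| r[:type] == :rails }.flat_map { |r| scan_repo(r) } }
          .task(:events)   { |ctx| store.reconcile(ctx[:findings], run_id: ctx[:run_id]) }
          .task(:actions)  { |ctx| ctx[:events].map { |kind, fp| action.call(kind, store.records[fp]) } }
end

# Constructed repos for two consecutive runs; the eval call is gone in the second.
XSS_HELPER = "def raw_name(user)\n  user.name.html_safe\nend\n"
REPOS_RUN1 = [
  { name: "sec/sketchy", type: :rails,
    files: { "app/controllers/run_controller.rb" => "def run\n  eval(params[:code])\nend\n",
             "app/helpers/name_helper.rb" => XSS_HELPER } },
  { name: "ops/legacy-admin", type: :rails, files: { "app/models/report.rb" => "def total\n  rows.sum\nend\n" } },
  { name: "data/etl", type: :python, files: { "job.py" => "eval(cfg)\n" } } # not Rails: skipped by task 2
].freeze
REPOS_RUN2 = [
  { name: "sec/sketchy", type: :rails,
    files: { "app/controllers/run_controller.rb" => "def run\n  Runner.call(params[:code])\nend\n",
             "app/helpers/name_helper.rb" => XSS_HELPER } },
  REPOS_RUN1[1], REPOS_RUN1[2]
].freeze
```

Run it twice with a shared `ResultStore` (`build_pipeline(REPOS_RUN1, store, TICKETER).run(run_id: 1)`, then the same with `REPOS_RUN2`): the first run opens two tickets, the second reports only the XSS finding, so the eval record flips to resolved and a single notification goes out instead of a fresh ticket. The fingerprint is what lets the store attach a status to a result rather than re-reporting it every run.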
Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
Goal 3
Tie Environment and Security Together
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements
Coming Soon
Open Source
• Netflix Open Source
• Scumblr
• Security Monkey
• Penguin Shortbread (soon)
• Spinnaker
• Animator
• More: https://netflix.github.io/
• Arachni www.arachni-scanner.com
• Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check
• FindSecBugs http://find-sec-bugs.github.io/
• Brakeman http://brakemanscanner.org/
• Bandit https://github.com/openstack/bandit
Thanks!
