5. Netflix Primer
• Hundreds of Developers
• Over 1,000 applications
• Hundreds of production pushes a day
• Over 50k instances
• Very Pro Open Source
• No Security Gates!
7. The Challenge
• Provide security in the environment described:
• No security gates
• Production Changes Rapidly
• Multiple Code Bases (A/B Testing)
• Many Developers vs. 5 Member AppSec Team
13. Proactive Security
• Know your environment & weaknesses and work to improve
• Find problems early and address them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
15. Goals
1. Understand your environment
2. Inject automated security controls
3. Tie environment and security together
16. Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
17. Defining The Environment
• Applications that make up and support the Netflix experience
1. Accessibility (How, Where, Who)
2. Functionality
3. Ownership
4. Risk Level
5. Security
18. Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)
19. Where do Applications Come From?
Pipeline: Developers → SCM → Build → Bake → Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance
21. Developers → SCM → Build → Bake → Deploy
[Diagram: an Application is made up of one or more Clusters; each Cluster is a set of EC2 Instances; traffic reaches the Application through an ELB, which has a DNS Name]
22. Developers → SCM → Build → Bake → Deploy
[Diagram: the artifacts produced at each stage (Source Code, Dependencies, Package, BaseAMI, Baked AMI, EC2 Instance, Cluster, Application, ELB, DNS Name) and how they relate; these are what Penguin Shortbread ties together]
23. Penguin Shortbread
• Specialized Branch of Scumblr
• Tracks Applications and all their associated metadata
• Repositories
• Committers
• DNS Names
• BaseAMI Information
• Dependencies
• More!
24. Penguin Shortbread
• Individual tasks for gathering different pieces of metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information stored on the application.
• Examples:
  "What application uses sketchy.netflix.com?"
  "What repos does Andy Hoernecke contribute to?"
25. While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
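The kind of inventory slides 23 through 25 describe, as an added, stand-alone illustration rather than Penguin Shortbread's own code: applications carry metadata (repos, committers, DNS names, BaseAMI, dependencies), the inventory answers the two example questions above by filtering on any field, and a simple additive score ranks applications by risk. All application records, names and scoring weights below are constructed for the example.

```ruby
# Added illustration (not Scumblr/Penguin Shortbread code): an in-memory
# application inventory searchable by any metadata field, plus an additive
# risk score. Every record and weight here is constructed for the example.
require 'date'

Application = Struct.new(:name, :repos, :committers, :dns_names, :base_ami,
                         :dependencies, :internet_facing, :handles_pii,
                         keyword_init: true)

class Inventory
  # Assumed weights, chosen for illustration only
  WEIGHTS = { internet_facing: 30, handles_pii: 40 }.freeze
  AGE_PENALTY_PER_YEAR = 10 # an older BaseAMI means more unpatched exposure
  PER_DNS_NAME = 5          # each public name is one more entry point

  def initialize(apps)
    @apps = apps
  end

  # Generic filter: applications whose metadata field contains value
  def where(field, value)
    @apps.select { |a| Array(a[field]).include?(value) }
  end

  # "What application uses sketchy.netflix.com?"
  def by_dns_name(host)
    where(:dns_names, host).map(&:name)
  end

  # "What repos does <committer> contribute to?"
  def repos_for(committer)
    where(:committers, committer).flat_map(&:repos).uniq.sort
  end

  # Which applications ship a given library (useful when an advisory lands)?
  def by_dependency(dep)
    where(:dependencies, dep).map(&:name)
  end

  def risk_score(app, today: Date.new(2016, 1, 1))
    score = 0
    score += WEIGHTS[:internet_facing] if app.internet_facing
    score += WEIGHTS[:handles_pii] if app.handles_pii
    years_old = (today - app.base_ami[:date]).to_i / 365
    score += [years_old, 3].min * AGE_PENALTY_PER_YEAR
    score += PER_DNS_NAME * app.dns_names.size
    [score, 100].min
  end

  # Highest risk first; drives where to spend scanning and remediation effort
  def ranked_by_risk
    @apps.map { |a| [a.name, risk_score(a)] }.sort_by { |_, s| -s }
  end
end

# Constructed sample inventory (repo paths, committers and hosts are made up)
APPS = [
  Application.new(name: 'sketchy', repos: ['stash/sketchy'],
                  committers: ['Andy Hoernecke', 'Jane Doe'],
                  dns_names: ['sketchy.netflix.com'],
                  base_ami: { id: 'ami-base-2015q1', date: Date.new(2015, 1, 15) },
                  dependencies: %w[rails sidekiq], internet_facing: false, handles_pii: false),
  Application.new(name: 'billing-api', repos: ['stash/billing-api'],
                  committers: ['Jane Doe'],
                  dns_names: ['billing.example.com', 'api.billing.example.com'],
                  base_ami: { id: 'ami-base-2013q2', date: Date.new(2013, 6, 1) },
                  dependencies: %w[spring jackson-databind], internet_facing: true, handles_pii: true),
  Application.new(name: 'scumblr', repos: ['github/scumblr', 'github/workflowable'],
                  committers: ['Andy Hoernecke'],
                  dns_names: ['scumblr.internal.example', 'scumblr-admin.internal.example'],
                  base_ami: { id: 'ami-base-2015q4', date: Date.new(2015, 10, 1) },
                  dependencies: %w[rails brakeman], internet_facing: false, handles_pii: false),
]
INVENTORY = Inventory.new(APPS)
```

The point of `where` is that any metadata a task collects becomes searchable without a new query method; `by_dns_name` and `repos_for` are just the two questions from the slide expressed through it. The score is deliberately crude: what matters is that it is computed from the same inventory data, so the ranking updates as the environment changes.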
26. Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
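What "monitor for changes and alert on the important ones" looks like in code, as an added illustration that is not Security Monkey's own implementation: two snapshots of security-group ingress rules are diffed, each change is rated, and the owning application is attached so the alert can be routed to a team. The snapshots, group names and the group-to-application mapping are constructed.

```ruby
# Added illustration, not Security Monkey's own code: diff two snapshots of
# AWS security-group ingress rules, rate each change, and attach the owning
# application. Snapshots and the ownership mapping are constructed.

Rule = Struct.new(:group, :proto, :from_port, :to_port, :cidr)

WORLD = '0.0.0.0/0'.freeze
ADMIN_PORTS = [22, 3389].freeze

# Constructed link from security group to application: the lookup an
# inventory such as Penguin Shortbread would answer.
APP_BY_GROUP = { 'sg-web' => 'billing-api', 'sg-db' => 'billing-db' }.freeze

# Constructed snapshots taken at two points in time
SNAPSHOT_T0 = [
  Rule.new('sg-web', 'tcp', 443, 443, WORLD),
  Rule.new('sg-web', 'tcp', 22, 22, '10.0.0.0/8'),
  Rule.new('sg-db', 'tcp', 3306, 3306, '10.0.1.0/24'),
].freeze
SNAPSHOT_T1 = [
  Rule.new('sg-web', 'tcp', 443, 443, WORLD),
  Rule.new('sg-web', 'tcp', 22, 22, WORLD),             # SSH now open to the Internet
  Rule.new('sg-db', 'tcp', 3306, 3306, '10.0.1.0/24'),
  Rule.new('sg-db', 'tcp', 3306, 3306, '10.0.2.0/24'),  # new internal source subnet
].freeze

# Structs compare by value, so Array#- yields exactly the added/removed rules.
def diff_rules(before, after)
  { added: after - before, removed: before - after }
end

def severity(change, rule)
  return :info if change == :removed      # a tightened rule is logged, not paged
  return :low unless rule.cidr == WORLD   # internal-only source
  ports = (rule.from_port..rule.to_port)
  ADMIN_PORTS.any? { |p| ports.cover?(p) } ? :critical : :high
end

def alerts(before, after)
  d = diff_rules(before, after)
  changes = d[:added].map { |r| [:added, r] } + d[:removed].map { |r| [:removed, r] }
  changes.map do |change, r|
    { change: change,
      group: r.group,
      application: APP_BY_GROUP.fetch(r.group, 'unknown'),
      rule: "#{r.proto}/#{r.from_port}-#{r.to_port} from #{r.cidr}",
      severity: severity(change, r) }
  end
end

# Only changes at or above the threshold are paged; the rest are kept as a record.
SEVERITY_RANK = { info: 0, low: 1, high: 2, critical: 3 }.freeze
def page_worthy(alert_list, threshold: :high)
  alert_list.select { |a| SEVERITY_RANK[a[:severity]] >= SEVERITY_RANK[threshold] }
end
```

Diffing whole snapshots rather than watching individual API calls means a change is caught however it was made (console, CLI, automation), and attaching the application from the inventory is what turns "sg-web changed" into something a specific team can act on.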
27. Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
29. Developers → SCM → Build → Bake → Deploy (stage: SCM)
Systems: Github, Stash, OpenGrok
Information: Source Code, Commit History, Committer, Owner Info
Security Tools/Services: Static Analysis
30. Developers → SCM → Build → Bake → Deploy (stage: Build)
Systems: Jenkins
Information: Packaged Application, Dependency Info
Security Tools/Services: Static Analysis, Dependency Checking
31. Developers → SCM → Build → Bake → Deploy (stage: Bake)
Systems: Spinnaker, Bakery, Animator
Information: OS/Version, Animation Date, BaseAMI Info
Security Tools/Services: Host Analysis/Hardening
32. Developers → SCM → Build → Bake → Deploy (stage: Deploy)
Systems: Spinnaker, DNS, Security Monkey
Information: Application Name, DNS Names, Security Groups
Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing
35. Scumblr 2.0
• Extended the model with Metadata
• Added:
• Generic Tasks
• Task Ordering/Grouping
• Customizable Views
• Events
36. New vs. Old
• Scumblr 1.0 Tasks:
Search Google
Search Twitter
Search Facebook
• Example Scumblr 2.0 Tasks:
1. Get list of Stash Repos
2. Run Brakeman on Rails Repos
3. Save the Results and Send out Notifications
37. Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together
38. Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
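The three-step pipeline from slide 36 together with the result tracking and notification of slides 37 and 38, as one added illustration that is not Scumblr's or Workflowable's own API: generic tasks declare which tasks they run after, a result store keys each finding so its status can be followed across runs (new, open, resolved, reopened), and notifications go out only for findings that are new or have come back. The repositories and the stand-in for Brakeman output are constructed; no real scanner is invoked.

```ruby
# Added illustration, not Scumblr's own task or Workflowable API: generic
# tasks with declared ordering, a result store that tracks each finding's
# status across runs, and notifications only for new or reopened findings.
# Repositories and the "Brakeman" output below are constructed stand-ins.
require 'set'

class Task
  attr_reader :name, :after

  def initialize(name, after: [], &body)
    @name, @after, @body = name, after, body
  end

  def run(ctx)
    @body.call(ctx)
  end
end

# Order tasks so each runs after the tasks it names in `after`
# (depth-first topological sort; raises on a dependency cycle).
def order_tasks(tasks)
  by_name = tasks.to_h { |t| [t.name, t] }
  ordered, visiting, done = [], Set.new, Set.new
  visit = lambda do |t|
    raise "dependency cycle at #{t.name}" if visiting.include?(t.name)
    return if done.include?(t.name)
    visiting << t.name
    t.after.each { |dep| visit.call(by_name.fetch(dep)) }
    visiting.delete(t.name)
    done << t.name
    ordered << t
  end
  tasks.each { |t| visit.call(t) }
  ordered
end

# Findings keyed by a stable identifier; the status follows the finding
# across runs: new -> open -> resolved -> reopened.
class ResultStore
  attr_reader :findings

  def initialize
    @findings = {}
  end

  # Record this run's finding keys; returns the keys that warrant a notification.
  def ingest(keys, run_id)
    seen = keys.to_set
    notify = []
    seen.each do |k|
      f = @findings[k]
      if f.nil?
        @findings[k] = { status: :new, first_seen: run_id, last_seen: run_id }
        notify << k
      else
        f[:status] = f[:status] == :resolved ? :reopened : :open
        f[:last_seen] = run_id
        notify << k if f[:status] == :reopened
      end
    end
    @findings.each { |k, f| f[:status] = :resolved unless seen.include?(k) }
    notify
  end
end

# Constructed repositories; only those with Rails in the Gemfile get scanned
REPOS = [
  { name: 'stash/sketchy',     gemfile: "gem 'rails'\ngem 'sidekiq'" },
  { name: 'stash/billing-api', gemfile: nil },                       # not Ruby, skipped
  { name: 'github/scumblr',    gemfile: "gem 'rails'\ngem 'brakeman'" },
].freeze

# Tasks are listed out of order on purpose; order_tasks sorts them.
TASKS = [
  Task.new('save_and_notify', after: ['scan_rails']) do |ctx|
    keys = ctx[:warnings].map { |w| "#{w[:repo]}|#{w[:type]}|#{w[:file]}:#{w[:line]}" }
    ctx[:store].ingest(keys, ctx[:run_id]).each do |k|
      ctx[:notifications] << "[#{ctx[:store].findings[k][:status]}] #{k}"
    end
  end,
  Task.new('scan_rails', after: ['list_repos']) do |ctx|
    rails = ctx[:repos].select { |r| r[:gemfile].to_s.include?("gem 'rails'") }
    ctx[:warnings] = rails.flat_map do |r|
      ctx[:scan_output].fetch(r[:name], []).map { |w| w.merge(repo: r[:name]) }
    end
  end,
  Task.new('list_repos') { |ctx| ctx[:repos] = REPOS },
].freeze

# Constructed stand-in for scanner output from two successive scans
SCAN_A = {
  'stash/sketchy'  => [{ type: 'SQL Injection', file: 'app/models/result.rb', line: 42 }],
  'github/scumblr' => [{ type: 'Mass Assignment', file: 'app/controllers/tasks_controller.rb', line: 10 }],
}.freeze
SCAN_B = { 'github/scumblr' => SCAN_A['github/scumblr'] }.freeze  # the sketchy issue was fixed

def run_pipeline(store, run_id, scan_output)
  ctx = { store: store, run_id: run_id, scan_output: scan_output, notifications: [] }
  order_tasks(TASKS).each { |t| t.run(ctx) }
  ctx[:notifications]
end
```

Keying a finding on repo, warning type, file and line is what lets the store tell "still open" from "new" between runs, so a team is not notified again for a known issue but is notified when a resolved one reappears; the `after:` declarations are the task ordering/grouping the Scumblr 2.0 slide refers to, and the notification step is where a Workflowable-style action (ticket, message) would hang.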
40. Goal 3
Tie Environment and Security Together
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements
Coming Soon