SSL* Certificate Reporting
BayLISA
March 21st, 2013

@royrapoport rsr@netflix.com
Friday, March 22, 13

This is the story of how we went from SSL certificates expiring without notice in production to
deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL
certificate expiration as a production-class issue.

Technology Overview
• SoA, REST, Mostly Java
• Simple overall architecture:

Culture Overview
• Freedom and Responsibility
• Distributed Operations
• Get out of the way of Developers

We hire very smart people, give them all the context and situational awareness they want, and
set them free. We design our environment, our systems, and our teams to be empowered to
make decisions without requiring slow approval processes, cumbersome formal
communication, or any other unnecessary friction.

So Certificates ...
• Dozens of Certificates
• Different kinds of places
    • Datacenter/private
    • Datacenter/public/LB
    • ELBs
    • EC2
    • Source Control
    • EIPs
• Totally Distributed Design

So Certificates ...
• Some Certificates Weren’t[sic]

Some certificates weren’t even SSL certificates -- we have certificates we get from a partner
that cannot be accessed via SSL, and for which the answer to the question “when does this
expire?” requires scraping a web page.

So Certificates ...
• SSL Certificates expire
    • Millions of people can’t stream
    • Hilarity ensues
• Standard Ways to Solve This
    • Excel worksheets
    • Wiki documents
    • Events on public calendars

(Obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in
fact, the standard ways in which most organizations try to keep up with SSL certificate
expirations.)

Let’s Do This Thing
[Diagram: Cassandra, Certificate]

Start with a very simple model -- a Certificate entity, which is really just a combination of
name, expiration date, and a series of locations where we can find it. It’d be trivial to feed
this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad
idea).

Then start building location-aware spiders -- e.g. this spider that knows how to probe all our
ELBs to see if they listen on 443 and gets their certificate if they do.

Or this spider that knows how to talk to a specific kind of EC2 instance we have with some
certificates.

etc ...

[Diagram: ELB, EC2 Instance, IP Range, Filesystem, DNS, Certificate, Cassandra]

Once you have all this information, you can easily generate a web page showing certificates,
where they are, and when they expire.

And send out emails, too -- once we built the capability for teams to subscribe to emails for
a given certificate and specify how many days before expiration they should start getting
notified.

Since Then
• No Production Emergencies due to SSL certificate expiration
• Validated Design
• Better Subscription Capabilities

We validated the design by continuing to iterate on it -- recently, when building the DNS
spider component, that work took only about 15 minutes to implement. We also expanded
subscription capabilities so teams could subscribe to certificate expiration warnings based on
certificate name regular expressions.
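
The model and notification rule described in the notes above (a Certificate as name, expiration date and locations; location-aware spiders feeding it; subscriptions by days before expiration and by certificate name regular expression), as an added Python example that is not code from the talk or from Howler Monkey. All class, function and host names and the sample observations are constructed for illustration, and an in-memory dict stands in for the Cassandra store.

```python
import re
import socket
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Certificate:
    """The entity from the talk: name, expiration date, known locations."""
    name: str
    expires: datetime
    locations: set = field(default_factory=set)


@dataclass
class Subscription:
    """A team subscribes by certificate-name regex and a lead time in days."""
    email: str
    name_pattern: str
    days_before: int


def parse_not_after(not_after):
    """Parse the 'notAfter' string format returned by ssl getpeercert()."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def probe_tls(host, port=443, timeout=5.0):
    """Hypothetical spider for a TLS listener: returns (name, notAfter, location).
    With default verification an already-expired or untrusted certificate
    raises ssl.SSLCertVerificationError; record that as a finding too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName", host), cert["notAfter"], f"tls:{host}:{port}"


def merge_observations(observations):
    """Fold (name, notAfter, location) tuples from any spider into one
    Certificate per (name, expiration). Keying on both means a stale copy
    left behind after a renewal stays visible as its own entry."""
    store = {}
    for name, not_after, location in observations:
        expires = parse_not_after(not_after)
        cert = store.setdefault((name, expires), Certificate(name, expires))
        cert.locations.add(location)
    return sorted(store.values(), key=lambda c: c.expires)


def due_notifications(certs, subscriptions, now):
    """Return (email, name, days_left, locations) for each subscription whose
    warning window has opened. Already-expired certificates (negative
    days_left) are still reported."""
    due = []
    for cert in certs:
        days_left = (cert.expires - now).days
        for sub in subscriptions:
            matches = re.fullmatch(sub.name_pattern, cert.name) is not None
            if matches and days_left <= sub.days_before:
                due.append((sub.email, cert.name, days_left, sorted(cert.locations)))
    return due


# Constructed sample data: what three kinds of spider might report.
OBSERVATIONS = [
    ("api.example.com", "Apr 10 12:00:00 2013 GMT", "elb:api-frontend"),
    ("api.example.com", "Apr 10 12:00:00 2013 GMT", "ec2:i-0example"),
    ("api.example.com", "Apr 10 12:00:00 2014 GMT", "dns:api.example.com"),  # renewed copy
    ("partner-drm", "Mar 25 00:00:00 2013 GMT", "scrape:partner-portal"),
    ("www.example.com", "Dec  1 00:00:00 2013 GMT", "elb:www"),
]
SUBSCRIPTIONS = [
    Subscription("api-team@example.com", r"api\..*", 30),
    Subscription("ops@example.com", r".*", 7),
]
NOW = datetime(2013, 3, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for email, name, days_left, locations in due_notifications(
            merge_observations(OBSERVATIONS), SUBSCRIPTIONS, NOW):
        print(f"to {email}: {name} expires in {days_left} days at {locations}")
```
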

Soon ...
• Customized, automated alerting
• Automated renewal
    • Telling you a problem is about to happen: Good
    • Preventing the problem automatically: Priceless
• Open Source

We should be able to figure out who owns a certificate, most of the time, and alert them
directly even if they don’t set up a subscription.

Remember ...
• Be Lazy
• Help Others Be Lazy
• Computers Are Better Than Humans
    • For some things
    • Don’t compete on their terms

Questions?

SSL Certificate Expiration and Howler Monkey's Inception
