From Gates to Guardrails: Alternate Approaches to Product Security
14 likes3,439 views
1. Jason Chan, an engineering director at Netflix, gave a presentation about product security approaches at Netflix. 2. Netflix has an agile development culture with over 200 daily production pushes across 1000+ supported devices in 40 countries. This results in a need for security approaches that can handle Netflix's scale and speed. 3. Netflix employs approaches like visibility into security-related data, automation through over 1000 tests, and an immutable server pattern to enable security in their fast-paced, cloud-based environment.
From Gates to Guardrails: Alternate Approaches to Product Security
- 1. From Gates to Guardrails: Alternate Approaches to Product Security LASCON 2013 Jason Chan chan@netflix.com
- 2. About Me • Engineering Director @ Netflix: – Security: Product, App, Ops, IR, etc. • Previously: – Led security team @ VMware – Consultant - @stake, iSEC Partners
- 7. SAFELY HANDLING SPEED & SCALE
- 11. Netflix Environment • • • • • • ~200 production pushes/day 40m+ subscribers Support for 1000+ devices Service in 40+ countries Concurrent delivery from 3 AWS regions ~1/3 of US download bandwidth at peak
- 12. CULTURE
- 15. Recruiting Infrastructure/Systems/ Cloud AppSec Development Monitoring & Response Online Operations
- 16. Waiting, working, Easy planning and complete reporting Per-user filters
- 17. VISIBILITY
- 18. Dashboards for Security Data Sub- Services and Dashboards Dashboards for Regional SecurityDrill-down Relevant Events for Key Services and Lookback
- 19. Meaningful subject Alert configuration What to do? Useful links for more data Embedded graph
- 20. Access to changes by app, region, environment, etc. Lookback in time as needed
- 21. Chat integration lets engineers easily access info
- 22. App name Jenkins (CI) job Currently running clusters by region/ environment
- 26. AUTOMATION
- 28. 1000+ tests to compare proposed vs. existing
- 30. AWS components
- 33. ImmutableServer Pattern • “ . . . a server that once deployed, is never modified, merely replaced with a new updated instance.” – http://martinfowler.com/bliki/ ImmutableServer.html
- 34. Wrapping Up • Cloud/DevOps/Agile/CD are transformative (for org & security) • Orgs embracing tend to deal in speed and scale • Look to culture, visibility, and automation as security enablers in these environments
- 35. Summary Meeting’s Over – Questions?
- 36. Netflix Links • http://techblog.netflix.com • http://netflix.github.io/#repo • http://www.slideshare.net/netflix
- 37. Photo Credits • • • • • • • • Conzelman Road: http://www.california-travels.com/2012/05/04/pointbonita-lighthouse/ Canary: http://www.lafebervet.com/avian-medicine-list/basicinformation-sheets-for-the-canary/ Visibility: http://photography.nationalgeographic.com/wallpaper/ photography/photo-tips/city-photos/golden-gate-bridge-fog/ Scale: http://www.livestockscales.info/ Guinea fowl: http://danrouthphotography.blogspot.com/2009/07/ running-bird.html Culture Club: http://www.last.fm/music/Culture+Club/This+Time:+The +First+Four+Years Babou: http://wildstar-central.com/index.php?threads/extaticaswallpapers-post-my-1200-post-_.4400/ Derek: http://www.fastcocreate.com/3016905/kindness-is-the-newirony-ricky-gervais-on-bringing-an-unlikely-hero-to-netflix-with-derek