PROACTIVE SECURITY
APPSEC CASE STUDY
ANDY HOERNECKE
HELO
Andy Hoernecke
Application Security Engineer
AppSec, Automation, Data Visualization
What We Will Cover
• Background on Netflix
• Our Security Philosophy
• Walkthrough of Our Approach to AppSec
Terminology
• Define technology terms:
• Application
• Instance
• ELB (Elastic Load Balancer)
• AMI
• Security Groups
Netflix Primer
• Hundreds of developers
• Over 1,000 applications
• Hundreds of production pushes a day
• Over 50k instances
• Very Pro Open Source
• No Security Gates!
Continuous Delivery
• Fast, Automated Deployment
• Immutable Platform
• Low Friction
The Challenge
• Provide security in the environment described:
• No security gates
• Production Changes Rapidly
• Multiple code bases (A/B testing)
• Many Developers vs. 5 Member AppSec Team
How?
Act as enablers, not gatekeepers
Application developers are responsible for the security of their application.
Security is as important as:
• functionality
• performance
• availability
• scalability
Create paved paths that are secure by default
Proactive Security
• Know your environment & weaknesses and work to improve
• Find problems early and address them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
Implementing Proactive Security
AppSec Case Study*
* Note: Talk discusses new version of software yet to be open sourced
Goals
1. Understand your environment
2. Inject automated security controls
3. Tie environment and security together
Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
Defining The Environment
• Applications that make up and support the Netflix experience
1. Accessibility (How, Where, Who)
2. Functionality
3. Ownership
4. Risk Level
5. Security
Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)
Where do Applications Come From?
Developers → SCM → Build → Bake → Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance
Pipeline diagram (flattened from the slides):
• Source Code + Dependencies → Package (Build)
• Package + BaseAMI → Baked AMI (Bake)
• Baked AMI → EC2 Instances (Deploy)
• EC2 Instances form Clusters; one or more Clusters make up an Application
• The Application is fronted by an ELB, which is reached through a DNS Name
Penguin Shortbread
• Specialized Branch of Scumblr
• Tracks Applications and all their associated metadata:
• Repositories
• Committers
• DNS Names
• BaseAMI Information
• Dependencies
• More!
Penguin Shortbread
• Individual tasks for gathering different pieces of metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information stored on the application.
• Examples:
  • What application uses sketchy.netflix.com?
  • What repos does Andy Hoernecke contribute to?
While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
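The two example questions on the Penguin Shortbread slide and the risk score above, as an added example that is not Penguin Shortbread's or Scumblr's own code: a small in-memory application inventory in Ruby (Scumblr's language) shaped like the pipeline on the slides, with the generic search-on-any-field the slide describes and a simple risk score. The Application fields, the sample applications (only sketchy.netflix.com and the committer name come from the slides), the field and method names and the weights are assumptions made for illustration.

```ruby
# Added example, not Penguin Shortbread code. Field names, sample data and
# risk weights are assumptions.

Application = Struct.new(:name, :repos, :committers, :dns_names, :base_ami,
                         :dependencies, :internet_facing, :handles_pii, :owner,
                         :open_findings, keyword_init: true)

# Constructed sample inventory. The DNS name and committer come from the
# slides' own example questions; everything else is made up.
SAMPLE_APPS = [
  Application.new(name: 'sketchy', repos: ['stash/sketchy'], committers: ['Andy Hoernecke'],
                  dns_names: ['sketchy.netflix.com'], base_ami: 'base-ami-2015.04',
                  dependencies: ['rails-4.2.1', 'sidekiq-3.3.4'], internet_facing: false,
                  handles_pii: false, owner: 'appsec', open_findings: 1),
  Application.new(name: 'api-gateway', repos: ['github/api-gateway'],
                  committers: ['Andy Hoernecke', 'jdoe'], dns_names: ['api.example.com'],
                  base_ami: 'base-ami-2015.02', dependencies: ['jackson-databind-2.5.0'],
                  internet_facing: true, handles_pii: true, owner: 'edge', open_findings: 2),
  Application.new(name: 'legacy-reports', repos: ['stash/reports'], committers: ['jdoe'],
                  dns_names: [], base_ami: 'base-ami-2014.11', dependencies: ['rails-3.2.0'],
                  internet_facing: false, handles_pii: true, owner: nil, open_findings: 0)
].freeze

# Assumed weights: exposure and data sensitivity dominate, an unknown owner
# counts because nobody fixes what nobody owns, each open finding adds a little.
RISK_WEIGHTS = { internet_facing: 40, handles_pii: 30, no_owner: 20, per_finding: 5 }.freeze

class Inventory
  def initialize(apps)
    @apps = apps
  end

  # Search on any stored field: array fields match by membership, scalars by equality.
  def search(field, value)
    @apps.select do |app|
      stored = app[field]
      stored.is_a?(Array) ? stored.include?(value) : stored == value
    end
  end

  # "What application uses sketchy.netflix.com?"
  def apps_for_dns(dns)
    search(:dns_names, dns).map(&:name)
  end

  # "What repos does Andy Hoernecke contribute to?"
  def repos_for(committer)
    search(:committers, committer).flat_map(&:repos).uniq
  end

  # Blast radius of a vulnerable dependency or base AMI: which apps carry it?
  def apps_with(field, value)
    search(field, value).map(&:name)
  end

  def risk_score(app)
    score = 0
    score += RISK_WEIGHTS[:internet_facing] if app.internet_facing
    score += RISK_WEIGHTS[:handles_pii] if app.handles_pii
    score += RISK_WEIGHTS[:no_owner] if app.owner.nil?
    score += RISK_WEIGHTS[:per_finding] * app.open_findings
    [score, 100].min
  end

  # Highest risk first: the order in which scanning and remediation effort is spent.
  def ranked_by_risk
    @apps.map { |a| [a.name, risk_score(a)] }.sort_by { |(_, s)| -s }
  end
end

SAMPLE_INVENTORY = Inventory.new(SAMPLE_APPS)

if __FILE__ == $PROGRAM_NAME
  puts SAMPLE_INVENTORY.apps_for_dns('sketchy.netflix.com').inspect
  puts SAMPLE_INVENTORY.repos_for('Andy Hoernecke').inspect
  puts SAMPLE_INVENTORY.ranked_by_risk.inspect
end
```

The point of keeping every piece of metadata on one record is the reverse lookup: when a dependency or base AMI turns out to be vulnerable, `apps_with(:dependencies, ...)` or `apps_with(:base_ami, ...)` answers "who is affected" without anyone having to remember.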
Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
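What "monitor for changes, get alerts for important changes" looks like in code, as an added example that is not Security Monkey's own code (Security Monkey is a Python project): two constructed snapshots of EC2 security groups are diffed, and each newly added ingress rule that is reachable from the whole internet is rated so that only the changes worth a page raise an alert. The snapshot shape, the sample groups, the rule-key format and the policy that only ports 80 and 443 may face the internet are assumptions.

```ruby
# Added example, not Security Monkey code. Snapshot shape, sample data and
# the port policy are assumptions.

# Snapshots keyed by group id; each ingress rule has a protocol, a port range
# and a CIDR source (rules that reference another security group are left out
# of this example). Constructed data.
SNAPSHOT_T0 = {
  'sg-web' => { 'name' => 'web', 'ingress' => [
    { 'proto' => 'tcp', 'from' => 443, 'to' => 443, 'cidr' => '0.0.0.0/0' },
    { 'proto' => 'tcp', 'from' => 22,  'to' => 22,  'cidr' => '10.0.0.0/8' }
  ] },
  'sg-db' => { 'name' => 'db', 'ingress' => [
    { 'proto' => 'tcp', 'from' => 3306, 'to' => 3306, 'cidr' => '10.0.0.0/8' }
  ] }
}.freeze

SNAPSHOT_T1 = {
  'sg-web' => { 'name' => 'web', 'ingress' => [
    { 'proto' => 'tcp', 'from' => 443, 'to' => 443, 'cidr' => '0.0.0.0/0' },
    { 'proto' => 'tcp', 'from' => 22,  'to' => 22,  'cidr' => '10.0.0.0/8' },
    { 'proto' => 'tcp', 'from' => 22,  'to' => 22,  'cidr' => '0.0.0.0/0' }   # SSH opened to the world
  ] },
  'sg-db' => { 'name' => 'db', 'ingress' => [
    { 'proto' => 'tcp', 'from' => 3306, 'to' => 3306, 'cidr' => '0.0.0.0/0' }  # DB source widened
  ] },
  'sg-debug' => { 'name' => 'debug', 'ingress' => [
    { 'proto' => 'tcp', 'from' => 8080, 'to' => 8080, 'cidr' => '0.0.0.0/0' }  # brand-new group
  ] }
}.freeze

WORLD = ['0.0.0.0/0', '::/0'].freeze
PUBLIC_OK_PORTS = [80, 443].freeze   # assumed policy: only HTTP(S) may face the internet
SEVERITY_RANK = { critical: 0, high: 1, info: 2 }.freeze

def rule_key(rule)
  "#{rule['proto']}:#{rule['from']}-#{rule['to']}:#{rule['cidr']}"
end

# Every group added or removed and every ingress rule added or removed between
# the two snapshots, in snapshot order.
def diff_snapshots(before, after)
  events = []
  (before.keys | after.keys).each do |sg|
    if !before.key?(sg)
      events << { sg: sg, kind: :group_added }
      after[sg]['ingress'].each { |r| events << { sg: sg, kind: :rule_added, rule: r } }
    elsif !after.key?(sg)
      events << { sg: sg, kind: :group_removed }
    else
      old_rules = before[sg]['ingress'].map { |r| [rule_key(r), r] }.to_h
      new_rules = after[sg]['ingress'].map { |r| [rule_key(r), r] }.to_h
      (new_rules.keys - old_rules.keys).each { |k| events << { sg: sg, kind: :rule_added, rule: new_rules[k] } }
      (old_rules.keys - new_rules.keys).each { |k| events << { sg: sg, kind: :rule_removed, rule: old_rules[k] } }
    end
  end
  events
end

# Only newly added world-reachable ingress is "important": SSH or all-protocol
# exposure is critical, anything other than the allowed web ports is high.
def severity(event)
  return :info unless event[:kind] == :rule_added
  rule = event[:rule]
  return :info unless WORLD.include?(rule['cidr'])
  return :critical if rule['proto'] == '-1' || (rule['from'] <= 22 && rule['to'] >= 22)
  return :info if rule['from'] == rule['to'] && PUBLIC_OK_PORTS.include?(rule['from'])
  :high
end

# Changes worth alerting on, most severe first; the index breaks ties so the
# order is deterministic (Ruby's sort_by is not stable).
def alerts(before, after)
  diff_snapshots(before, after)
    .map { |e| e.merge(severity: severity(e)) }
    .reject { |e| e[:severity] == :info }
    .each_with_index
    .sort_by { |(e, i)| [SEVERITY_RANK[e[:severity]], i] }
    .map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  alerts(SNAPSHOT_T0, SNAPSHOT_T1).each { |e| puts "#{e[:severity]} #{e[:sg]} #{rule_key(e[:rule])}" }
end
```

Keeping the full `diff_snapshots` output separate from `alerts` matters: the complete change log is what you search during an incident ("when did 3306 open up?"), while the rated subset is what gets pushed into a ticket or a chat channel.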
Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
Developers → SCM → Build → Bake → Deploy
Systems, information and security tools at each stage:
SCM
• Systems: Github, Stash, OpenGrok
• Information: Source Code, Commit History, Committer, Owner Info
• Security Tools/Services: Static Analysis
Build
• Systems: Jenkins
• Information: Packaged Application, Dependency Info
• Security Tools/Services: Static Analysis, Dependency Checking
Bake
• Systems: Spinnaker, Bakery, Animator
• Information: OS/Version, Animation Date, BaseAMI Info
• Security Tools/Services: Host Analysis/Hardening
Deploy
• Systems: Spinnaker, DNS, Security Monkey
• Information: Application Name, DNS Names, Security Groups
• Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing
Dirty Laundry
• Evolution of Scumblr
Scumblr 1.0
• Model: query → results, where a result was essentially a URL
Scumblr 2.0
• Extended the model with Metadata
• Added:
• Generic Tasks
• Task Ordering/Grouping
• Customizable Views
• Events
New vs. Old
• Scumblr 1.0 Tasks:
  • Search Google
  • Search Twitter
  • Search Facebook
• Example Scumblr 2.0 Tasks:
  1. Get list of Stash Repos
  2. Run Brakeman on Rails Repos
  3. Save the Results and Send out Notifications
Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together
Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
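The three-task chain from the "New vs. Old" slide (get the Stash repos, run Brakeman on the Rails ones, save the results and send notifications) together with the status tracking and the notification workflow described just above, as an added example that is not Scumblr, Dirty Laundry or Workflowable code. Brakeman is not executed here; its output is embedded as constructed sample reports in the shape of `brakeman -f json`, one per repo, and a second run drops one warning to show a result being marked resolved. The task names, the normalised result fields, the status transitions and the "notify on new High-confidence results" policy are assumptions.

```ruby
require 'json'

# Added example, not Scumblr/Dirty Laundry code. Repo list, Brakeman reports,
# field names and workflow policy are constructed/assumed.

# Task 1 input: what a "get list of Stash repos" task might return (constructed).
REPOS = [
  { 'slug' => 'sketchy',       'rails' => true  },
  { 'slug' => 'edge-proxy',    'rails' => false },
  { 'slug' => 'billing-admin', 'rails' => true  }
].freeze

# Task 2 input: JSON in the shape of `brakeman -f json` output, keyed by repo
# (constructed). RUN2 no longer contains the Mass Assignment warning.
RUN1 = {
  'sketchy' => '{"warnings":[{"warning_type":"SQL Injection","fingerprint":"a1","confidence":"High","file":"app/models/capture.rb","line":42,"message":"Possible SQL injection"}]}',
  'billing-admin' => '{"warnings":[{"warning_type":"Cross-Site Scripting","fingerprint":"b2","confidence":"Medium","file":"app/views/invoices/show.html.erb","line":7,"message":"Unescaped model attribute"},{"warning_type":"Mass Assignment","fingerprint":"c3","confidence":"Weak","file":"app/controllers/invoices_controller.rb","line":19,"message":"Unprotected mass assignment"}]}'
}.freeze
RUN2 = {
  'sketchy' => RUN1['sketchy'],
  'billing-admin' => '{"warnings":[{"warning_type":"Cross-Site Scripting","fingerprint":"b2","confidence":"Medium","file":"app/views/invoices/show.html.erb","line":7,"message":"Unescaped model attribute"}]}'
}.freeze

# Task 1: only Rails repos are worth handing to Brakeman.
def list_rails_repos(repos)
  repos.select { |r| r['rails'] }.map { |r| r['slug'] }
end

# Task 2: normalise one Brakeman report into tool-agnostic results. The id is
# stable across runs because Brakeman's fingerprint is stable for an unchanged
# warning, which is what makes status tracking possible.
def run_brakeman(slug, reports)
  report = JSON.parse(reports.fetch(slug, '{"warnings":[]}'))
  report['warnings'].map do |w|
    { id: "brakeman:#{slug}:#{w['fingerprint']}", repo: slug, tool: 'brakeman',
      type: w['warning_type'], confidence: w['confidence'],
      location: "#{w['file']}:#{w['line']}", message: w['message'] }
  end
end

# Task 3a: merge a scan into the result store and track status.
# new -> open on the second sighting, anything missing from this scan -> resolved,
# resolved -> reopened if it comes back. Returns the ids first seen in this scan.
def save_results(store, repo, findings)
  seen = findings.map { |f| f[:id] }
  new_ids = []
  findings.each do |f|
    if store.key?(f[:id])
      store[f[:id]][:status] = case store[f[:id]][:status]
                               when 'new' then 'open'
                               when 'resolved' then 'reopened'
                               else store[f[:id]][:status]
                               end
    else
      store[f[:id]] = f.merge(status: 'new')
      new_ids << f[:id]
    end
  end
  store.each_value do |r|
    r[:status] = 'resolved' if r[:repo] == repo && !seen.include?(r[:id]) && r[:status] != 'resolved'
  end
  new_ids
end

# Task 3b: workflow step. Only new High-confidence results generate a
# notification (assumed policy); the text is what a ticket or chat message carries.
def notify(store, new_ids)
  new_ids.map { |id| store[id] }
         .select { |r| r[:confidence] == 'High' }
         .map { |r| "[#{r[:tool]}] #{r[:repo]}: #{r[:type]} (#{r[:confidence]}) at #{r[:location]}" }
end

def run_pipeline(store, reports)
  new_ids = list_rails_repos(REPOS).flat_map do |slug|
    save_results(store, slug, run_brakeman(slug, reports))
  end
  { new: new_ids, notifications: notify(store, new_ids) }
end

if __FILE__ == $PROGRAM_NAME
  store = {}
  puts run_pipeline(store, RUN1).inspect
  puts run_pipeline(store, RUN2).inspect
  puts store.values.map { |r| [r[:id], r[:status]] }.inspect
end
```

Two details carry the weight here: results are keyed by tool, repo and the tool's own stable fingerprint, so the same warning seen on every nightly run is one record rather than a new ticket each time; and "resolved" is derived from a warning disappearing from a fresh scan, not from anyone closing it by hand.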
Goal 3
Tie Environment and Security Together
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements
Coming Soon
Open Source
• Netflix Open Source
• Scumblr
• Security Monkey
• Penguin Shortbread (soon)
• Spinnaker
• Animator
• More: https://netflix.github.io/
• Arachni: www.arachni-scanner.com
• Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
• FindSecBugs: http://find-sec-bugs.github.io/
• Brakeman: http://brakemanscanner.org/
• Bandit: https://github.com/openstack/bandit
Thanks!
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 

Proactive Security AppSec Case Study

18. Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)
19. Where do Applications Come From?
Pipeline diagram: Developers → SCM → Build → Bake → Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance
20. Pipeline diagram: Developers → SCM → Build → Bake → Deploy, with the artifact produced at each stage: Source Code (SCM) → Package, built with its Dependencies (Build) → Baked AMI, formed from the BaseAMI (Bake) → EC2 Instance (Deploy)
21. Pipeline diagram: Developers → SCM → Build → Bake → Deploy, with the runtime side: EC2 Instances grouped into Clusters, Clusters making up an Application, fronted by an ELB with a DNS Name
22. Pipeline diagram: the full picture (Source Code, Package and Dependencies, Baked AMI and BaseAMI, EC2 Instances, Clusters, Application, ELB, DNS Name), all of it tracked by Penguin Shortbread
23. Penguin Shortbread
• Specialized Branch of Scumblr
• Tracks Applications and all their associated metadata
  • Repositories
  • Committers
  • DNS Names
  • BaseAMI Information
  • Dependencies
  • More!
24. Penguin Shortbread
• Individual tasks for gathering different pieces of metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information stored on the application.
• Examples:
  What application uses sketchy.netflix.com?
  What repos does Andy Hoernecke contribute to?
25. While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
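An added example of the application inventory idea in slides 23 to 25, written in Ruby because Scumblr and Penguin Shortbread are Rails applications; it is not Netflix's, Scumblr's or Penguin Shortbread's code. The Application fields, the three sample applications, the scoring weights and the lists of current BaseAMIs and known-bad dependency versions are all constructed for illustration; the two search questions are the ones slide 24 asks.

```ruby
# Added example, not Penguin Shortbread or Scumblr code: an application inventory
# that stores per-application metadata, answers the two search questions from
# slide 24 and ranks applications by a constructed risk score.

# Metadata tracked per application (fields are an assumption modelled on slide 23).
Application = Struct.new(:name, :owner, :repos, :committers, :dns_names,
                         :base_ami, :dependencies, :internet_facing, :handles_pii,
                         keyword_init: true)

class Inventory
  # Constructed scoring weights; a real deployment tunes these to its own risk model.
  RISK_WEIGHTS = { internet_facing: 40, handles_pii: 30, stale_ami: 20, vuln_dep: 10 }.freeze

  def initialize
    @apps = {}
  end

  def add(app)
    @apps[app.name] = app
    self
  end

  # Generic search on any stored field; list fields match if they contain the value.
  def search(field, value)
    @apps.values.select do |app|
      stored = app[field]
      stored.is_a?(Array) ? stored.include?(value) : stored == value
    end
  end

  # "What application uses <dns name>?"
  def app_for_dns(dns_name)
    search(:dns_names, dns_name).map(&:name)
  end

  # "What repos does <person> contribute to?"
  def repos_for_committer(person)
    search(:committers, person).flat_map(&:repos).uniq.sort
  end

  # Score = exposure + data sensitivity + stale base image + known-bad dependencies, capped at 100.
  def risk_score(app, current_amis:, vulnerable_deps:)
    score = 0
    score += RISK_WEIGHTS[:internet_facing] if app.internet_facing
    score += RISK_WEIGHTS[:handles_pii] if app.handles_pii
    score += RISK_WEIGHTS[:stale_ami] unless current_amis.include?(app.base_ami)
    score += RISK_WEIGHTS[:vuln_dep] * (app.dependencies & vulnerable_deps).size
    [score, 100].min
  end

  # Applications ordered by descending risk, ties broken by name.
  def ranked(current_amis:, vulnerable_deps:)
    @apps.values
         .map { |app| [app.name, risk_score(app, current_amis: current_amis, vulnerable_deps: vulnerable_deps)] }
         .sort_by { |name, score| [-score, name] }
  end
end

# Constructed reference data: which BaseAMIs are current, which dependency versions are known bad.
CURRENT_AMIS = ['ami-base-2015-09'].freeze
VULNERABLE_DEPS = ['widget-parser-1.2'].freeze

# Constructed sample inventory (three applications; names and values chosen for illustration).
def sample_inventory
  Inventory.new
    .add(Application.new(name: 'sketchy', owner: 'appsec', repos: ['sketchy'],
                         committers: ['Andy Hoernecke'], dns_names: ['sketchy.netflix.com'],
                         base_ami: 'ami-base-2015-09', dependencies: ['rails-4.2', 'nokogiri-1.6'],
                         internet_facing: false, handles_pii: false))
    .add(Application.new(name: 'api-gateway', owner: 'edge', repos: ['api', 'edge-filters'],
                         committers: ['Andy Hoernecke', 'Jane Doe'], dns_names: ['api.example.com'],
                         base_ami: 'ami-base-2015-06', dependencies: ['rails-4.2', 'widget-parser-1.2'],
                         internet_facing: true, handles_pii: true))
    .add(Application.new(name: 'batch-reports', owner: 'data', repos: ['reports'],
                         committers: ['Jane Doe'], dns_names: ['reports.internal'],
                         base_ami: 'ami-base-2015-09', dependencies: ['spark-1.5'],
                         internet_facing: false, handles_pii: true))
end

if __FILE__ == $0
  inv = sample_inventory
  p inv.app_for_dns('sketchy.netflix.com')       # ["sketchy"]
  p inv.repos_for_committer('Andy Hoernecke')   # ["api", "edge-filters", "sketchy"]
  p inv.ranked(current_amis: CURRENT_AMIS, vulnerable_deps: VULNERABLE_DEPS)
end
```

The point of storing every piece of metadata on the application record is that any field becomes a search key: the same `search` answers "who owns this DNS name" and "which repos does this committer touch", and the ranking reads the same fields, so a stale BaseAMI or a known-bad dependency changes an application's priority without any extra data collection.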
26. Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
27. Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
28. Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
29. SCM stage (Developers → SCM → Build → Bake → Deploy)
• Systems: Github, Stash, OpenGrok
• Information: Source Code, Commit History, Committer, Owner Info
• Security Tools/Services: Static Analysis
30. Build stage
• Systems: Jenkins
• Information: Packaged Application, Dependency Info
• Security Tools/Services: Static Analysis, Dependency Checking
31. Bake stage
• Systems: Spinnaker Bakery, Animator
• Information: OS/Version, Animation Date, BaseAMI Info
• Security Tools/Services: Host Analysis/Hardening
32. Deploy stage
• Systems: Spinnaker, DNS, Security Monkey
• Information: Application Name, DNS Names, Security Groups
• Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing
35. Scumblr 2.0
• Extended the model with Metadata
• Added:
  • Generic Tasks
  • Task Ordering/Grouping
  • Customizable Views
  • Events
36. New vs. Old
• Scumblr 1.0 Tasks:
  Search Google
  Search Twitter
  Search Facebook
• Example Scumblr 2.0 Tasks:
  1. Get list of Stash Repos
  2. Run Brakeman on Rails Repos
  3. Save the Results and Send out Notifications
37. Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together
38. Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
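An added example of the aggregate-and-act loop described in slides 37 and 38 (results keyed to a repo or a DNS name, status tracked across runs, tickets and notifications only on change); it is Ruby to match Scumblr, but it is not Dirty Laundry, Scumblr or Workflowable code. The raw tool outputs and their formats (a simplified stand-in for a Brakeman JSON report and a made-up pipe-separated dynamic-scan line), the subjects and the action names are constructed. It also goes one step past the slides: a run declares which (tool, subject) pairs it actually scanned, so a partial rerun never closes findings it did not look at.

```ruby
# Added example, not Dirty Laundry, Scumblr or Workflowable code: normalise findings
# from several tools onto the thing they were found on (repo, DNS name, ...),
# fingerprint them so reruns do not create duplicates, track status across runs
# and emit an action only when a finding is new, reopened or resolved.
require 'digest'
require 'json'

Finding = Struct.new(:tool, :subject_type, :subject, :rule, :location, :severity,
                     keyword_init: true) do
  # Stable identity across runs: same tool, subject, rule and location.
  def fingerprint
    Digest::SHA256.hexdigest([tool, subject_type, subject, rule, location].join("\x1f"))[0, 16]
  end
end

# Normaliser for a constructed, simplified Brakeman-style JSON report (format is an assumption).
def from_brakeman(repo, raw_json)
  JSON.parse(raw_json)['warnings'].map do |w|
    Finding.new(tool: 'brakeman', subject_type: :repo, subject: repo,
                rule: w['warning_type'], location: "#{w['file']}:#{w['line']}",
                severity: w['confidence'] == 'High' ? 'high' : 'medium')
  end
end

# Normaliser for a constructed "rule|path|severity" line format from a dynamic scanner.
def from_dynamic_scan(dns_name, raw_text)
  raw_text.lines.map(&:strip).reject(&:empty?).map do |line|
    rule, path, severity = line.split('|')
    Finding.new(tool: 'dynamic', subject_type: :dns_name, subject: dns_name,
                rule: rule, location: path, severity: severity)
  end
end

class ResultStore
  attr_reader :records, :actions

  def initialize
    @records = {}   # fingerprint => { finding:, status: }
    @actions = []   # [action, fingerprint] pairs a workflow engine would act on
  end

  # Ingest one run. `covered` lists the [tool, subject] pairs this run actually
  # scanned; only findings in that scope may be resolved by their absence.
  def ingest(findings, covered:)
    seen = {}
    findings.each do |f|
      fp = f.fingerprint
      seen[fp] = true
      rec = @records[fp]
      if rec.nil?
        @records[fp] = { finding: f, status: :new }
        @actions << [:create_ticket, fp]
      elsif rec[:status] == :resolved
        rec[:status] = :reopened
        @actions << [:reopen_ticket, fp]
      else
        rec[:status] = :open   # still present: keep the existing ticket, no duplicate
      end
    end
    @records.each do |fp, rec|
      next if seen[fp] || rec[:status] == :resolved
      next unless covered.include?([rec[:finding].tool, rec[:finding].subject])
      rec[:status] = :resolved
      @actions << [:notify_resolved, fp]
    end
    self
  end

  # Rules still open against one repo or DNS name.
  def open_for(subject)
    @records.values
            .select { |r| r[:finding].subject == subject && r[:status] != :resolved }
            .map { |r| r[:finding].rule }.sort
  end

  def count_by_status
    @records.values.group_by { |r| r[:status] }.transform_values(&:size)
  end
end

# Constructed tool output for two runs: run 2 reruns Brakeman only, with the XSS fixed.
BRAKEMAN_RUN1 = '{"warnings":[{"warning_type":"SQL Injection","file":"app/models/user.rb","line":42,"confidence":"High"},' \
                '{"warning_type":"Cross-Site Scripting","file":"app/views/show.html.erb","line":7,"confidence":"Medium"}]}'
BRAKEMAN_RUN2 = '{"warnings":[{"warning_type":"SQL Injection","file":"app/models/user.rb","line":42,"confidence":"High"}]}'
DYNAMIC_RUN1 = "Missing-HSTS|/|low\n"

def demo_runs
  store = ResultStore.new
  store.ingest(from_brakeman('sketchy', BRAKEMAN_RUN1) + from_dynamic_scan('api.example.com', DYNAMIC_RUN1),
               covered: [['brakeman', 'sketchy'], ['dynamic', 'api.example.com']])
  store.ingest(from_brakeman('sketchy', BRAKEMAN_RUN2), covered: [['brakeman', 'sketchy']])
  store
end

if __FILE__ == $0
  store = demo_runs
  store.records.each { |fp, r| puts "#{fp} #{r[:status]} #{r[:finding].tool} #{r[:finding].subject} #{r[:finding].rule}" }
  p store.count_by_status   # {:new=>1, :open=>1, :resolved=>1}
end
```

After the second run the SQL injection finding is still open with its original ticket, the XSS finding is resolved and a notification is queued, and the dynamic-scan finding on api.example.com is untouched because that scanner did not run. Keying every record to its subject is what lets an inventory such as Penguin Shortbread attach the findings to an owner, a BaseAMI or a cluster later.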
39. Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
40. Goal 3
Tie Environment and Security Together
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements
Coming Soon
41. Open Source
• Netflix Open Source
  • Scumblr
  • Security Monkey
  • Penguin Shortbread (soon)
  • Spinnaker
  • Animator
  • More: https://netflix.github.io/
• Arachni www.arachni-scanner.com
• Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check
• FindSecBugs http://find-sec-bugs.github.io/
• Brakeman http://brakemanscanner.org/
• Bandit https://github.com/openstack/bandit