AppSecUSA Day 2

by Gene Kim on



  • Late to Netflix infosec guys talking. Looks fantastic. cc @adrianco
  • Make the right way easy and secure: many uses of crypto cryptex: encrypt/decrypt,
  • Make the right way easy and secure: provide libraries to make it easy for Dev to use tools
  • CloudSSO: access to WorkDay:
  • Linux, Java, Tomcat: we built one line to get single sign-on, using Workday to enterprise apps
  • Netflix fosters a culture of 'freedom and responsibility', which precludes the traditional centralized, command-and-control approach
  • Netflix doesn't have change control or architecture boards: but they do have Simian Army instead of architecture review
  • Linux, Java, Tomcat
  • Cloud APIs (AWS) make it very easy/straightforward to verify and analyze config and running states
  • Netflix: Security Monkey enforces configs, cert checking, firewall analysis, identity entity analysis, limit warnings
  • Netflix: Limit warnings in AWS are biggest self-DOS risk: e.g., you're allowed 20 instances, creating 21st fails
  • .@chanjbs: just gave kudos to gauntlt team, while describing Netflix Simian Army @wickett @jshirk
  • .@chanjbs: AWS Elastic Load Balancer doesn't have any security control: cluster connected to ELB is accessible to internet
  • .@chanjbs: They use gauntlt to auto-generate attack tests in continuous deployment pipeline: uses curl to test response codes
  • .@chanjbs: Asgard (open sourced) allows Dev to configure their own firewall rules, ties w/Security Monkey
  • .@chanjbs: Netflix makes up 1/3 of all Internet traffic
  • .@chanjbs: "Newer techniques like cloud and DevOps require different security tactics"
  • Again, I'm amazed at the culture of innovation & sharing at Netflix. Great preso by @chanjbs. Worthy of @adrianco. :)
  • (Had great chat with
  • .@chanjbs: "Q: how do we handle zero-days if we don't ever change prod systems?" "A: we deploy it like any other chg"
  • .@chanjbs: "Average age of Netflix AWS instance: 24 days; 60% are less than 1 week old"
  • .@chanjbs: "In order to launch anything into production, it must first run in test with autoscaling."
  • .@chanjbs: Uses Hyperguard, bought by Zeus; why? can't use appliances or virtual appliances: it's an Apache module
  • Thx! Great info here. @chanjbs: "Look for my slides at"
  • .@chanjbs: "Our hardware failed at a time, thus created PaaS. We wanted features that Dev wanted to use. Not worried about Amazon stuff."
  • .@chanjbs: "As platform engineering team, our goal is to make Dev productive, and not need to know about AWS stuff"
  • (Netflix & Twitter talk reinforces suspicion that infosec needs coding skills to be relevant in DevOps-style work streams...)
  • .@chanjbs: Wow!! "5-10% of Netflix traffic is from households to datacenter" (application telemetry)
  • .@chanjbs: "PCI is one of my challenges this year; cardholder info not in cloud yet; desire to move it to cloud"
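To make the Security Monkey / Asgard points above concrete, here is an added example (my own sketch, not Netflix's code) of the kind of check you can write once cloud config is available through an API: it walks security-group rules shaped like the EC2 describe_security_groups response, flags anything open to the whole internet on a port that isn't meant to be public (the ELB-backed cluster problem), warns when certificates are close to expiry, and raises the "limit warning" that @chanjbs called the biggest self-DoS risk before you hit the instance cap. The sample groups, instances, certificates and the instance limit of 20 are all constructed for the example; the allowed-port list and the 80% threshold are assumptions.

```python
"""Security-Monkey-style configuration audit over constructed AWS-shaped data.

Added example, not Netflix's code. The dict shapes mimic EC2
describe_security_groups / describe_instances responses; all values are made up.
"""
from datetime import datetime, timedelta, timezone

WORLD = {"0.0.0.0/0", "::/0"}          # CIDRs that mean "anyone on the internet"

# Constructed sample: one group fronting the ELB, one for the app tier.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-elb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-app", "GroupName": "app-tier",
     "IpPermissions": [
         # App port reachable from the internet: the cluster-behind-ELB mistake.
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # SSH restricted to the VPC: fine.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]

# Constructed sample: 18 running instances against an assumed limit of 20.
SAMPLE_INSTANCES = [{"InstanceId": f"i-{n:04x}", "State": {"Name": "running"}}
                    for n in range(18)]
ASSUMED_INSTANCE_LIMIT = 20

# Constructed sample certificates with expiry dates relative to "now".
_NOW = datetime(2012, 10, 26, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"DomainName": "www.example-netflix.test", "NotAfter": _NOW + timedelta(days=200)},
    {"DomainName": "api.example-netflix.test", "NotAfter": _NOW + timedelta(days=9)},
]


def world_open_rules(security_groups, allowed_public_ports=frozenset({80, 443})):
    """Return (GroupId, port) pairs that admit the whole internet on a port
    that is not on the list of intentionally public ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None:                     # protocol -1 / all ports
                findings.append((sg["GroupId"], "all"))
                continue
            for port in range(lo, hi + 1):
                if port not in allowed_public_ports:
                    findings.append((sg["GroupId"], port))
    return findings


def limit_warning(instances, limit, threshold=0.8):
    """Count running instances; warn once usage reaches `threshold` of the
    account limit, so the 21st launch never fails by surprise."""
    running = sum(1 for i in instances if i["State"]["Name"] == "running")
    return running, running >= threshold * limit


def expiring_certs(certs, now=_NOW, within_days=30):
    """Return domain names whose certificate expires within `within_days`."""
    cutoff = now + timedelta(days=within_days)
    return [c["DomainName"] for c in certs if c["NotAfter"] <= cutoff]


if __name__ == "__main__":
    print("world-open:", world_open_rules(SAMPLE_SECURITY_GROUPS))
    print("instances:", limit_warning(SAMPLE_INSTANCES, ASSUMED_INSTANCE_LIMIT))
    print("certs expiring:", expiring_certs(SAMPLE_CERTS))
```

In a real deployment the three sample lists would be replaced by API calls, and the findings would feed whatever alerting the platform team already uses; the point is that every check is a few lines once the running state is queryable.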
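For the gauntlt bullet (curl-driven response-code checks in the deployment pipeline), here is an added example in Python rather than gauntlt's own Gherkin/curl syntax: it stands up a small constructed HTTP app on localhost, then runs a table of expected status codes against it the way a pipeline stage would, failing the build if any endpoint answers differently than intended (for instance an admin path that should be 401 answering 200, or a path that should not exist answering at all). The routes, expected codes and the app itself are all constructed for the example and are not Netflix's or gauntlt's.

```python
"""Pipeline smoke check of HTTP response codes (added example, not gauntlt).

A constructed in-process app plays the deployed service; check_endpoints()
compares each path's status code against what the build expects.
"""
import http.server
import threading
import urllib.error
import urllib.request


class _ConstructedApp(http.server.BaseHTTPRequestHandler):
    """Tiny stand-in service: a fixed route table, 404 for everything else."""
    ROUTES = {"/": 200, "/health": 200, "/admin": 401}

    def do_GET(self):
        code = self.ROUTES.get(self.path, 404)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if code == 200 else b"")

    def log_message(self, *args):      # keep the example's output quiet
        pass


def serve_constructed_app():
    """Start the stand-in app on an ephemeral localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ConstructedApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# What the pipeline expects of the deployed build (constructed table).
EXPECTED = [
    ("/", 200),
    ("/health", 200),
    ("/admin", 401),            # must demand auth, never serve anonymously
    ("/.git/config", 404),      # must not be exposed
    ("/server-status", 404),    # must not be exposed
]


def status_of(url):
    """GET a URL and return its status code, treating 4xx/5xx as data."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_endpoints(base_url, expected=EXPECTED):
    """Return a list of (path, wanted, got) for every mismatched endpoint."""
    failures = []
    for path, wanted in expected:
        got = status_of(base_url + path)
        if got != wanted:
            failures.append((path, wanted, got))
    return failures


def run_pipeline_check(expected=EXPECTED):
    """Bring up the constructed app, run the table, tear down; empty == pass."""
    srv, base = serve_constructed_app()
    try:
        return check_endpoints(base, expected)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    failures = run_pipeline_check()
    print("PASS" if not failures else f"FAIL: {failures}")
```

Against a real deployment you would drop serve_constructed_app() and point check_endpoints() at the freshly launched instance's address; a non-empty result is the signal to stop the promotion to production.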