Netflix proudly displays its developers’ ‘Dirty Laundry’
Netflix has created a platform to monitor its own programmers’ mistakes, using tools that are soon to be released as open source. The aim is to become proactive about data leakage and to boost the security of its assets via in-house technology.
Netflix’s latest security repo, dubbed the ‘Dirty Laundry’ Project, is designed to help monitor unintentional data leakage of sensitive assets by staff. The in-house development is soon to join an already growing arsenal of security tools that have been open-sourced by the video streaming site.
Introducing the platform at the recent ShmooCon 2015 event, Netflix engineers Scott Behrens and Andy Hoernecke said it contributes to proactive security as a solution to the challenges of a modern infrastructure, namely operations that run primarily in the cloud.
With roughly 1,000 developers working at Netflix, and no security gates when pushing to production, the platform is designed to help ensure that developers aren’t “putting us at risk” by leaving applications exposed “with all the ports available”.
To show the proactive approach in practice, Behrens demonstrated how Dirty Laundry plugs into other open source tools such as Monterey, Scumblr and Sketchy to provide contextual analysis of any given app. Monterey tracks assets and scans them for vulnerabilities, Scumblr acts on those findings, and Sketchy collects status codes and text scrapes and generates screenshots.
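As an added illustration of the exposure check described above (example code written for this page, not Netflix’s own Dirty Laundry, Monterey or Scumblr code), here is a small Python audit over a constructed asset inventory. It flags apps whose ingress rules open ports to the whole internet beyond a short allow-list, including the “all ports” case the engineers warn about. The inventory shape, the allow-list, and the definition of world-reachable (a /16 or wider that is not an RFC 1918 range) are assumptions made for the example:

```python
"""Added example (not Netflix code): flag apps exposed to the internet on
ports outside an allow-list.

Assumptions (not from the article): an inventory entry has the app name, its
public address and a list of ingress rules shaped like AWS security-group
rules (proto, from_port, to_port, cidr). from_port == -1 means "all ports".
"""
import ipaddress

# Ports an internet-facing app at this hypothetical company may expose.
ALLOWED_PUBLIC_PORTS = {80, 443}

# RFC 1918 ranges; rules scoped to these are internal, not world-reachable.
PRIVATE_NETS = [ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (documentation addresses, not real hosts).
INVENTORY = [
    {"app": "edge-api", "address": "203.0.113.10",
     "ingress": [{"proto": "tcp", "from_port": 443, "to_port": 443,
                  "cidr": "0.0.0.0/0"}]},
    {"app": "dev-scratch", "address": "203.0.113.20",
     "ingress": [{"proto": "tcp", "from_port": -1, "to_port": -1,
                  "cidr": "0.0.0.0/0"}]},          # everything open to the world
    {"app": "metrics", "address": "203.0.113.30",
     "ingress": [{"proto": "tcp", "from_port": 8000, "to_port": 8100,
                  "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "from_port": 22, "to_port": 22,
                  "cidr": "10.0.0.0/8"}]},         # SSH only from inside
    {"app": "batch", "address": "203.0.113.40",
     "ingress": [{"proto": "tcp", "from_port": 22, "to_port": 22,
                  "cidr": "198.51.100.0/24"}]},    # narrow partner range
]


def is_world_open(cidr):
    """Example policy: a range counts as internet-reachable when it is a /16
    or wider and is not inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(p) for p in PRIVATE_NETS):
        return False
    return net.prefixlen <= 16


def exposed_ports(rule):
    """Ports a single rule opens; -1 expands to the full 0-65535 range."""
    if rule["from_port"] == -1:
        return set(range(0, 65536))
    return set(range(rule["from_port"], rule["to_port"] + 1))


def audit(inventory, allowed=ALLOWED_PUBLIC_PORTS):
    """Return one finding per app with world-open ports outside the allow-list."""
    findings = []
    for asset in inventory:
        world_ports = set()
        for rule in asset["ingress"]:
            if is_world_open(rule["cidr"]):
                world_ports |= exposed_ports(rule)
        unexpected = world_ports - set(allowed)
        if unexpected:
            findings.append({
                "app": asset["app"],
                "address": asset["address"],
                # True when the rule set amounts to "all ports open"
                "all_ports": len(unexpected) >= 65536 - len(allowed),
                "count": len(unexpected),
                "ports": sorted(unexpected)[:10],   # sample for the report
            })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        detail = "ALL PORTS" if f["all_ports"] else f"{f['count']} ports, e.g. {f['ports']}"
        print(f"{f['app']} ({f['address']}): world-reachable on {detail}")
```

On the constructed inventory the audit reports `dev-scratch` as fully open and `metrics` as exposing 101 ports (8000 through 8100), while `edge-api` (only 443) and `batch` (SSH from a /24) produce no findings. In a real pipeline the findings would feed the next stage the article describes, where a tool such as Sketchy adds status codes, scraped text and screenshots so a human can see what is actually listening before acting.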
An additional tool mentioned by Behrens was Speedbump, described as “a WAF, proxy and firewall on steroids” because it incorporates application intelligence. The pair argued that this functionality has to be built into the application layer so that attacks can be detected and security policies enforced automatically:
The app layer is the smartest place to roll this kind of functionality in because the app is going to have the most knowledge of what is going on. A lot of times, we think about the network layer, but really the app layer is where it’s all happening.
Netflix has a record of sharing its wares with the open source community, with a number of tools available for monitoring security within the AWS cloud (Security Monkey: Python), deployments and general cloud management (Asgard: Groovy) and token and centralized configuration management for Cassandra (Priam: Java).