SSL* Certificate Reporting
                                                         BayLISA
                                                     March 21st, 2013




                       @royrapoport rsr@netflix.com
Friday, March 22, 13

This is the story of how we went from SSL certificates expiring without notice in production to
deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL
certificate expiration as a production-class issue.
Technology Overview
• SoA, REST, Mostly Java
• Simple overall architecture:

Culture Overview
• Freedom and Responsibility
• Distributed Operations
• Get out of the way of Developers

We hire very smart people, give them all the context and situational awareness they want, and
set them free. We design our environment, our systems, and our teams to be empowered to
make decisions without requiring slow approval processes, cumbersome formal
communication, or any other unnecessary friction.
So Certificates ...
• Dozens of Certificates
• Different kinds of places
    • Datacenter/private
    • Datacenter/public/LB
    • ELBs
    • EC2
    • Source Control
    • EIPs
• Totally Distributed Design

So Certificates ...
• Some Certificates Weren’t[sic]

Some certificates weren’t even SSL certificates -- we have certificates we get from a partner
that cannot be accessed via SSL, and for which the answer to the question “when does this
expire?” requires scraping a web page.
So Certificates ...
• SSL Certificates expire
    • Millions of people can’t stream
    • Hilarity ensues
• Standard Ways to Solve This
    • Excel worksheets
    • Wiki documents
    • Events on public calendars

(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in
fact, the standard ways in which most organizations try to deal with keeping up with SSL
certificate expirations)
Let’s Do This Thing

[Diagram, built up across these slides; labels: ELB, EC2 Instance, IP Range, Filesystem, DNS, Certificate, Cassandra]

Start with a very simple model -- a Certificate entity, which is really just a combination of
name, expiration date, and a series of locations where we can find this. It’d be trivial to feed
this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad
idea)

Then start building location-aware spiders -- e.g. this spider that knows how to probe all our
ELBs to see if they listen on 443 and gets their certificate if they do.

Or this spider that knows how to talk to a specific kind of EC2 instance we have with some
certificates.

etc ...

Once you have all this information, you can easily generate a web page showing certificates,
where they are, and when they expire

And send out emails, too -- once we built the capability for teams to subscribe to emails for
a given certificate and specify how many days before expiration they should start getting
notified
Since Then
• No Production Emergencies due to SSL certificate expiration
• Validated Design
• Better Subscription Capabilities

We validated the design by continuing to iterate on it -- recently, when building the DNS
spider component, that work took only about 15 minutes to implement. We also expanded
subscription capabilities so teams could subscribe to certificate expiration warnings based on
certificate name regular expressions.
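
A sketch of the model these notes describe: a Certificate entity (name, expiration date, locations) fed by spider observations, with subscriptions matched by certificate-name regular expression and a per-subscriber lead time. This is an added example, not Netflix's code; every class and function name, hostname, location and date is constructed, and keying entities on (name, expiration date) is an assumption.

```python
"""Certificate inventory with regex subscriptions. Added illustration; all data is constructed."""
import re
import ssl
from dataclasses import dataclass, field
from datetime import date, datetime, timezone


def parse_not_after(not_after):
    """Turn an X.509 notAfter string (the format ssl.getpeercert() returns) into a UTC date."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()


@dataclass
class Certificate:
    """The entity from the notes: a name, an expiration date, and where it was found."""
    name: str
    expires: date
    locations: set = field(default_factory=set)


@dataclass
class Subscription:
    email: str
    name_pattern: str  # regular expression matched against the certificate name
    lead_days: int     # start notifying this many days before expiration

    def __post_init__(self):
        # Compile at subscribe time so a malformed pattern is rejected here
        # (re.error) instead of breaking a later notification run.
        self.regex = re.compile(self.name_pattern)

    def matches(self, cert):
        return self.regex.search(cert.name) is not None


class Inventory:
    """What the spiders write to. Keyed on (name, expiration date), an assumption:
    a renewed certificate and a stale copy still deployed stay separate entries."""

    def __init__(self):
        self.certs = {}

    def record(self, name, not_after, location):
        """Called by any spider for each certificate it sees; safe to repeat."""
        expires = parse_not_after(not_after)
        cert = self.certs.setdefault((name, expires), Certificate(name, expires))
        cert.locations.add(location)
        return cert

    def certificates(self):
        return sorted(self.certs.values(), key=lambda c: (c.expires, c.name))


def due_notifications(inventory, subscriptions, today):
    """Return (email, cert name, days left, locations), most urgent first.
    Expired certificates (negative days left) keep notifying until they are gone."""
    due = []
    for cert in inventory.certificates():
        days_left = (cert.expires - today).days
        for sub in subscriptions:
            if sub.matches(cert) and days_left <= sub.lead_days:
                due.append((sub.email, cert.name, days_left, sorted(cert.locations)))
    return sorted(due, key=lambda n: (n[2], n[0], n[1]))


# Constructed spider observations: (certificate name, notAfter, location).
SAMPLE_OBSERVATIONS = [
    ("api.example.com", "Apr  2 00:00:00 2013 GMT", "elb:api-frontend"),
    ("api.example.com", "Apr  2 00:00:00 2013 GMT", "ec2:i-constructed01"),
    ("api.example.com", "Apr  2 00:00:00 2013 GMT", "elb:api-frontend"),     # spider re-run
    ("api.example.com", "Apr  2 00:00:00 2014 GMT", "elb:api-frontend-v2"),  # renewed copy
    ("partner-drm", "Mar 25 00:00:00 2013 GMT", "filesystem:/constructed/partner.pem"),
    ("www.example.com", "Jun  1 00:00:00 2013 GMT", "dns:www.example.com"),
]
SAMPLE_SUBSCRIPTIONS = [
    Subscription("edge-team@example.com", r"^(api|www)\.example\.com$", 30),
    Subscription("drm-team@example.com", r"^partner-", 7),
    Subscription("secops@example.com", r".", 14),  # every certificate
]
TODAY = date(2013, 3, 21)  # constructed "now" for the run


def build_sample_inventory():
    inventory = Inventory()
    for name, not_after, location in SAMPLE_OBSERVATIONS:
        inventory.record(name, not_after, location)
    return inventory


if __name__ == "__main__":
    for email, name, days_left, locations in due_notifications(
            build_sample_inventory(), SAMPLE_SUBSCRIPTIONS, TODAY):
        print(f"{email}: {name} expires in {days_left} days at {', '.join(locations)}")
```

Because the renewed api.example.com certificate is a separate entry, the copy expiring in 2013 keeps alerting for the locations that still serve it.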
Soon ...
• Customized, automated alerting
• Automated renewal
    • Telling you a problem is about to happen: Good
    • Preventing the problem automatically: Priceless
• Open Source

We should be able to figure out who owns a certificate, most of the time, and alert them
directly even if they don’t set up a subscription.
Remember ...
• Be Lazy
• Help Others Be Lazy
• Computers Are Better Than Humans
    • For some things
    • Don’t compete on their terms

Questions?
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 
State of Pyramid - Brasilia 2013
State of Pyramid - Brasilia 2013State of Pyramid - Brasilia 2013
State of Pyramid - Brasilia 2013
 
Ethereum for visionary dummies
Ethereum for visionary dummiesEthereum for visionary dummies
Ethereum for visionary dummies
 

Último

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Último (20)

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

SSL Certificate Expiration and Howler Monkey's Inception

  • 1. SSL* Certificate Reporting BayLISA March 21st, 2013 @royrapoport rsr@netflix.com Friday, March 22, 13 This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
  • 2. SSL* Certificate Reporting BayLISA March 21st, 2013
    This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
  • 3. Technology Overview
  • 4. Technology Overview • SoA, REST, Mostly Java
  • 5. Technology Overview • SoA, REST, Mostly Java • Simple overall architecture:
  • 6. Technology Overview • SoA, REST, Mostly Java • Simple overall architecture:
  • 7. Culture Overview
    We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 8. Culture Overview • Freedom and Responsibility
    We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 9. Culture Overview • Freedom and Responsibility • Distributed Operations
    We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 10. Culture Overview • Freedom and Responsibility • Distributed Operations • Get out of the way of Developers
    We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
  • 11. So Certificates ...
  • 12. So Certificates ... • Dozens of Certificates
  • 13. So Certificates ... • Dozens of Certificates • Different kinds of places
  • 14. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private
  • 15. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB
  • 16. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs
  • 17. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2
  • 18. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control
  • 19. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control • EIPs
  • 20. So Certificates ... • Dozens of Certificates • Different kinds of places • Datacenter/private • Datacenter/public/LB • ELBs • EC2 • Source Control • EIPs • Totally Distributed Design
  • 21. So Certificates ... • Some Certificates Weren’t[sic]
    Some certificates weren’t even SSL certificates -- we have certificates we get from a partner that cannot be accessed via SSL, and for which the answer to the question “when does this expire?” requires scraping a web page.
  • 22. So Certificates ...
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 23. So Certificates ... • SSL Certificates expire
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 24. So Certificates ... • SSL Certificates expire • Millions of people can’t stream
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 25. So Certificates ... • SSL Certificates expire • Millions of people can’t stream • Hilarity ensues
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 26. So Certificates ... • SSL Certificates expire • Millions of people can’t stream • Hilarity ensues • Standard Ways to Solve This
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 27. So Certificates ... • SSL Certificates expire • Millions of people can’t stream • Hilarity ensues • Standard Ways to Solve This • Excel worksheets
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 28. So Certificates ... • SSL Certificates expire • Millions of people can’t stream • Hilarity ensues • Standard Ways to Solve This • Excel worksheets • Wiki documents
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 29. So Certificates ... • SSL Certificates expire • Millions of people can’t stream • Hilarity ensues • Standard Ways to Solve This • Excel worksheets • Wiki documents • Events on public calendars
    (obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
  • 30. Let’s Do This Thing Cassandra Certificate
    Start with a very simple model -- a Certificate entity, which is really just a combination of name, expiration date, and a series of locations where we can find this. It’d be trivial to feed this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad idea)
  • 31. Let’s Do This Thing ELB Cassandra Certificate
    Then start building location-aware spiders -- e.g. this spider that knows how to probe all our ELBs to see if they listen on 443 and gets their certificate if they do.
  • 32. Let’s Do This Thing ELB Cassandra EC2 Instance Certificate
    Or this spider that knows how to talk to a specific kind of EC2 instance we have with some certificates.
  • 33. Let’s Do This Thing ELB Cassandra EC2 Instance IP Range Certificate
    etc ...
  • 34. Let’s Do This Thing ELB Cassandra EC2 Instance IP Range Certificate Filesystem
  • 35. Let’s Do This Thing ELB Cassandra EC2 Instance IP Range Certificate Filesystem DNS
  • 36. Let’s Do This Thing ELB Cassandra EC2 Instance IP Range Certificate Filesystem DNS
    Once you have all this information, you can easily generate a web page showing certificates, where they are, and when they expire
  • 37. Let’s Do This Thing ELB Cassandra EC2 Instance IP Range Certificate Filesystem DNS
    And send out emails, too -- once we built the capability for teams to subscribe to emails for a given certificate and specify how many days before expiration they should start getting notified
  • 38. Since Then
    We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
  • 39. Since Then • No Production Emergencies due to SSL certificate expiration
    We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
  • 40. Since Then • No Production Emergencies due to SSL certificate expiration • Validated Design
    We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
  • 41. Since Then • No Production Emergencies due to SSL certificate expiration • Validated Design • Better Subscription Capabilities
    We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
  • 42. Soon ...
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 43. Soon ... • Customized, automated alerting
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 44. Soon ... • Customized, automated alerting • Automated renewal
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 45. Soon ... • Customized, automated alerting • Automated renewal • Telling you a problem is about to happen: Good
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 46. Soon ... • Customized, automated alerting • Automated renewal • Telling you a problem is about to happen: Good • Preventing the problem automatically: Priceless
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 47. Soon ... • Customized, automated alerting • Automated renewal • Telling you a problem is about to happen: Good • Preventing the problem automatically: Priceless • Open Source
    We should be able to figure out who owns a certificate, most of the time, and alert them directly even if they don’t set up a subscription.
  • 48. Remember ...
  • 49. Remember ... • Be Lazy
  • 50. Remember ... • Be Lazy • Help Others Be Lazy
  • 51. Remember ... • Be Lazy • Help Others Be Lazy • Computers Are Better Than Humans
  • 52. Remember ... • Be Lazy • Help Others Be Lazy • Computers Are Better Than Humans • For some things
  • 53. Remember ... • Be Lazy • Help Others Be Lazy • Computers Are Better Than Humans • For some things • Don’t compete on their terms
  • 54. Questions?
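
The model from slides 30 to 41, as an added sketch that is not code from the talk or from Howler Monkey: spider findings are merged into Certificate entities (name, expiration date, locations), and teams subscribe by certificate-name regular expression with a days-before-expiration threshold. All names, hosts, dates and the in-memory store (standing in for Cassandra) are constructed assumptions; keying on name plus expiry is a choice made here so that a stale copy left on one host still alerts after the certificate was renewed elsewhere.

```python
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Certificate:
    """Certificate entity: name, expiration date, and where it was found."""
    name: str
    expires: date
    locations: set = field(default_factory=set)


@dataclass
class Subscription:
    """A team's request to be warned about matching certificates."""
    team: str
    name_pattern: str   # regular expression searched in the certificate name
    days_before: int    # start notifying this many days before expiration


def merge_findings(findings):
    """Collapse spider output into one Certificate per (name, expiry).

    Each finding is (spider, location, cert_name, expires). The same name
    with two different expiry dates yields two entities, so an old copy
    that was never replaced stays visible next to the renewed one.
    """
    certs = {}
    for _spider, location, name, expires in findings:
        cert = certs.setdefault((name, expires), Certificate(name, expires))
        cert.locations.add(location)
    return sorted(certs.values(), key=lambda c: (c.expires, c.name))


def due_alerts(certs, subscriptions, today):
    """Return (team, cert_name, days_left, locations), most urgent first.

    days_left is negative for certificates that have already expired;
    those are still reported rather than silently dropped.
    """
    alerts = []
    for cert in certs:
        days_left = (cert.expires - today).days
        for sub in subscriptions:
            matches = re.search(sub.name_pattern, cert.name)
            if matches and days_left <= sub.days_before:
                alerts.append(
                    (sub.team, cert.name, days_left, sorted(cert.locations)))
    return sorted(alerts, key=lambda a: (a[2], a[0]))


def unsubscribed(certs, subscriptions):
    """Names of certificates that no subscription pattern covers at all."""
    return sorted({
        c.name for c in certs
        if not any(re.search(s.name_pattern, c.name) for s in subscriptions)
    })


# Constructed sample data: hosts, paths and dates are made up for the example.
TODAY = date(2013, 3, 21)
SAMPLE_FINDINGS = [
    ("elb", "elb:api-frontend", "api.example.test", date(2013, 4, 5)),
    ("dns", "dns:api.example.test", "api.example.test", date(2013, 4, 5)),
    # Stale copy of the same certificate name on an instance, already expired.
    ("ec2", "ec2:legacy-host", "api.example.test", date(2013, 3, 19)),
    ("filesystem", "fs:/constructed/partner.pem", "partner-feed",
     date(2013, 6, 30)),
    ("elb", "elb:billing", "billing.example.test", date(2013, 3, 28)),
]
SAMPLE_SUBSCRIPTIONS = [
    Subscription("api-team", r"^api\.", 30),
    Subscription("billing-team", r"^billing\.", 7),
]

if __name__ == "__main__":
    inventory = merge_findings(SAMPLE_FINDINGS)
    for team, name, days_left, where in due_alerts(
            inventory, SAMPLE_SUBSCRIPTIONS, TODAY):
        print(f"{team}: {name} expires in {days_left} days at {where}")
    print("no subscriber:", unsubscribed(inventory, SAMPLE_SUBSCRIPTIONS))
```

The `unsubscribed` report is the gap slide 42 points at: a certificate nobody subscribed to produces no email, so it has to be surfaced some other way.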