Building a secure system is like constructing a good pizza – each individual layer adds flavor that ultimately builds to the perfect bite. At Netflix we have hand-crafted ingredients that by themselves are scrumptious, but when placed together strategically on the crust (read: cloud), they construct a pizza so large that any pizza lover (read: attacker) would be challenged to finish.
Attendees will learn the secret to the sauce that is Netflix Infrastructure Security, and how even defensive appsec tooling like Signal Sciences can be used in the mix, so that they are better equipped to start baking pizza in their own kitchen and leave satisfied.
1. Netflix’s Layered Approach to Reducing Risk of Credential Compromise
Will Bengston, Sr. Security Engineer, Netflix
Travis McPeak, Sr. Security Engineer, Netflix
2. Next-gen WAF and RASP
Defensive Technology
Designed to unify the efforts of engineering, security and operations to increase security and maintain site reliability without sacrificing speed or scale.
3. Web App Attacks Are the #1 Source of Data Breaches
Attacks are Up 300% from 2014 – Incumbent Products Aren’t Solving the Problem
Less Than 5% of data center security budgets are spent on AppSec
[Chart: Percent of Breaches by category: Web App Attacks, POS Intrusions, Miscellaneous Errors, Privilege Misuse, Cyber-Espionage, Everything Else, Payment Card Skimmers, Physical Theft / Loss, Crimeware, Denial Of Service]
Sources: Gartner, Verizon
4. The Security Problem
You Can’t Secure New App Tech with Legacy App Sec
Real-World Problems: Account Takeover, Direct Object Reference, Forceful Browsing, Feature Abuse, Evasion Techniques, Subdomain Takeover, Misconfiguration, OWASP Injection Attacks
• Legacy WAFs focus on the same threats as 15 years ago
• False positives result from generic signatures without context
• Rarely used in blocking mode
5. Power Rules
A powerful platform with an intuitive UI to define, monitor, and take action on any transaction
• Use cases address application logic beyond OWASP attacks
  • ATO attacks
  • Application and feature abuse
  • Auto-blocking OFAC traffic
  • Application CVEs
  • Virtual patching
  • …and more
6. Active Protection Everywhere
See, Secure and Scale Across:
Any App: Cloud Containers, PaaS & Serverless; Web Servers & Languages; Gateways & Proxies
Any Attack: OWASP Injection Attacks, PLUS: Application DDoS, Brute Force Attacks, Application Abuse & Misuse, Request Rate Limiting, Account Takeover, Bad Bots, Virtual Patching
Any DevOps Toolchain, INCLUDING: Generic Webhooks & Any Custom Tools via Full RESTful/JSON API