Project Monterey or How I Learned to Stop Worrying and Love the Cloud

Presented at AppSec USA 2014, Sept. 18, 2014, 1 p.m. (45 minutes).

At Netflix developers deploy code hundreds of times a day. Each code push could be a production canary taking only a percentage of the total requests or a test determining which new feature is improving customer experience the best. The large number of applications along with multiple concurrent code bases creates an environment that is impractical for manual security testing. This presentation will outline and demo Project Monterey as one of many solutions that the Netflix Cloud Security Team has been developing to secure Netflix's large cloud deployment.

Monterey's main goal is to automate as much security testing as possible. It provides a framework for deploying and running traditional tools in the cloud. Taking industry standard tools such as the OWASP Zap web application scanner, NMAP, nessus, etc. and allowing them to be run in a large distributed and scalable manner. By providing a plugin interface Monterey allows security professionals to create and integrate their own tools with ease. Monterey also enables tools to be chained together; with output of one tool acting as the input of the other.

An important part of Monterey's automation is the capability to respond to the dynamic nature of Netflix's deployment process and environment. This means automatically detecting new applications or new code pushes as they happen and detecting services that are newly exposed to the internet.

Prior work in this area includes projects such as minion and graudit.

This talk will include a demo of Monterey itself, cover current use cases that Netflix has leveraged, and propose future expansion ideas, including open sourcing the project.


Presenters:

  • Kevin Glisson - Senior Cloud Security Engineer - Netflix
    When Kevin Glisson is not playing with security automation, new languages and python libraries he is an avid mountain biker and backpacker enjoying all parts of the Sierra's. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations and make the cloud more approachable and secure. Kevin has previously worked on the Cyber Intelligence and Incident Response teams at J.P. Morgan Chase, working to streamline data collection and analysis. Along with just about any security topic talk to Kevin about his odd obsession with Serling Archer or which vim plugin is best.

Links:

Similar Presentations: