Project Monterey or How I Learned to Stop Worrying and Love the Cloud

Presented at AppSec USA 2014, Sept. 18, 2014, 1 p.m. (45 minutes)

At Netflix, developers deploy code hundreds of times a day. Each code push could be a production canary taking only a percentage of the total requests, or a test determining which new feature improves customer experience the most. The large number of applications, along with multiple concurrent code bases, creates an environment in which manual security testing is impractical. This presentation will outline and demo Project Monterey, one of many solutions that the Netflix Cloud Security Team has been developing to secure Netflix's large cloud deployment.

Monterey's main goal is to automate as much security testing as possible. It provides a framework for deploying and running traditional tools in the cloud, taking industry-standard tools such as the OWASP ZAP web application scanner, Nmap, Nessus, etc. and allowing them to be run in a large, distributed, and scalable manner. By providing a plugin interface, Monterey allows security professionals to create and integrate their own tools with ease. Monterey also enables tools to be chained together, with the output of one tool acting as the input of the next.

An important part of Monterey's automation is the capability to respond to the dynamic nature of Netflix's deployment process and environment. This means automatically detecting new applications or new code pushes as they happen and detecting services that are newly exposed to the internet.

Prior work in this area includes projects such as minion and graudit.

This talk will include a demo of Monterey itself, cover current use cases that Netflix has leveraged, and propose future expansion ideas, including open sourcing the project.


Presenters:

  • Kevin Glisson - Senior Cloud Security Engineer - Netflix
    When Kevin Glisson is not playing with security automation, new languages, and Python libraries, he is an avid mountain biker and backpacker enjoying all parts of the Sierras. Kevin is currently a Security Engineer at Netflix, writing tools to help streamline security operations and make the cloud more approachable and secure. Kevin has previously worked on the Cyber Intelligence and Incident Response teams at J.P. Morgan Chase, working to streamline data collection and analysis. Along with just about any security topic, talk to Kevin about his odd obsession with Sterling Archer or which vim plugin is best.
