There’s a new sheriff in town; dynamic security group recommendations with Grouper and Dredge

Presented at AppSec USA 2017, Sept. 21, 2017, 11:30 a.m. (45 minutes)

At Netflix Security, we try our best to enable developers by removing roadblocks and providing systems with "sane" defaults that keep everyone from shooting themselves in the foot. When dealing with AWS security groups, not shooting yourself in the foot is important. VPCs, subnets, CIDR ranges and group membership are all part of the security group vocabulary and essential in ensuring that applications can only talk to each other on an as-needed basis.

How many times have you heard fellow engineers mutter, "Well, adding 0.0.0.0/0 seems to work. We will fix it later." Grouper and Dredge together provide a solution for generating AWS security group rules based on current network data, ensuring that least privilege isn't a future milestone. Both Grouper and Dredge are deeply integrated into our stack, providing developers with network insights that were previously unsurfaced.

This talk will focus on the history of our security group infrastructure; the challenges of security groups in a large environment (limitations on the number of rules, multiple accounts, lack of cross-region security groups, etc.); our current security group management and maturity strategy; and how Grouper aligns with the freedom and responsibility culture at Netflix.

The Netflix cloud security team has a strong commitment towards open source. Given interest and maturity in these projects, we are open to open-sourcing them in the fu
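As an added illustration of the idea behind Grouper and Dredge, not code from the talk or from Netflix: assuming observed connections have already been collected as (source group, destination group, protocol, port) records, this collapses them into per-destination ingress rules that reference source groups instead of CIDRs, enforces a rule-count ceiling (the per-group limit is a constructed placeholder), and flags existing rules, such as a 0.0.0.0/0 source, that no observed traffic justifies. It goes slightly beyond the abstract by also diffing against an existing rule set.

```python
from collections import defaultdict

# Constructed sample of observed connections (not real Netflix data). Each record is
# (source security group, destination security group, protocol, destination port).
OBSERVED_FLOWS = [
    ("sg-web", "sg-api", "tcp", 8080),
    ("sg-web", "sg-api", "tcp", 8080),  # repeated flow collapses into one rule
    ("sg-batch", "sg-api", "tcp", 8080),
    ("sg-api", "sg-db", "tcp", 5432),
    ("sg-admin", "sg-db", "tcp", 22),
]

# Assumption: illustrative per-group rule ceiling; check the current AWS quota for real use.
RULES_PER_GROUP_LIMIT = 60


def recommend_ingress_rules(flows, limit=RULES_PER_GROUP_LIMIT):
    """Collapse observed flows into the minimal ingress rule set per destination group.
    Rules reference the source *group* rather than a CIDR, so they stay valid as
    instances in that group come and go. Raises if a group would exceed `limit`.
    """
    per_dst = defaultdict(set)
    for src, dst, proto, port in flows:
        per_dst[dst].add((proto, port, src))
    recommended = {}
    for dst, ruleset in per_dst.items():
        if len(ruleset) > limit:
            raise ValueError(f"{dst}: {len(ruleset)} rules exceeds the limit of {limit}")
        recommended[dst] = [
            {"protocol": proto, "port": port, "source_group": src}
            for proto, port, src in sorted(ruleset)
        ]
    return recommended


def unjustified_rules(existing, recommended):
    """Return existing ingress rules that no observed flow justifies.
    `existing` maps destination group -> list of {"protocol", "port", "source"}, where
    source is a security group id or a CIDR such as 0.0.0.0/0. Every CIDR source is
    flagged, as is any group source never seen reaching that destination and port.
    """
    wanted = {(dst, r["protocol"], r["port"], r["source_group"])
              for dst, rules in recommended.items() for r in rules}
    flagged = []
    for dst, rules in existing.items():
        for r in rules:
            key = (dst, r["protocol"], r["port"], r["source"])
            if "/" in r["source"] or key not in wanted:
                flagged.append({"destination": dst, **r})
    return flagged
```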

Presenters:

  • Kevin Glisson - Senior Cloud Security Engineer - Netflix
    When Kevin Glisson is not playing with security automation, new languages and Python libraries, he is an avid mountain biker and backpacker enjoying all parts of the Sierras. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations and make the cloud more approachable and secure. Kevin has previously worked on the Cyber Intelligence and Incident Response teams at J.P. Morgan Chase, working to streamline data collection and analysis. Along with just about any security topic, talk to Kevin about his odd obsession with Sterling Archer or which vim plugin is best.
