Thanks, appreciate it. Thank you. I think my job is going to be easier now. Thanks, everybody, for coming in, and thank you very much for having me. It's certainly my pleasure to be here with you today.

So I'm going to talk about relationships between software engineering teams and the security teams they work with. I've been in security pretty much my whole career, and this is definitely one of the more complicated relationships that I've had to navigate. But I do think it's important that these groups work together, and I want to talk a bit about why these relationships have been problematic and maybe what we can do about it.

But I work at Netflix, so I think it's important to start with movie trivia. Does anybody recognize this handsome fella on the right-hand side, or maybe the movie it comes from? Yes, Monty Python and the Holy Grail, which happens to be streaming on Netflix if you haven't seen it. I'm going to give some spoilers for this movie, but I think it's about 40 years old, so hopefully you'll forgive me.

So the bridgekeeper in the movie: if you want to cross the bridge, you go talk to the bridgekeeper and he's going to ask you some questions, right? Which seems reasonable. But the problem is you would have no reason to know the answers to the questions he's going to ask, and if you get them wrong, you don't just come back the next day and maybe try again. He shoots you into a pit of lava, so the consequences for getting the wrong answers are pretty serious.

But I think this is how software engineers think about the security people they work with, right? They're kind of strange looking, and they ask me these confusing questions. I don't know how they're making decisions. They're trying to slow me down. They're trying to stop me from getting where I want to go. But I don't want to be too one-sided, so this is how security teams think about developers, right?
They always want to use the latest technology. They're not thinking about the risk that they're exposing the business to. But when you dig in a little bit to what motivates each of these groups, it's really not surprising.

So developers: this is kind of the mantra for the modern developer. Of course, this is from Facebook from a few years ago, but the idea is that if you're not breaking things every once in a while, you're probably not moving fast enough. Because we all know that when developers deliver cool stuff, they get their pictures taken, they get gold medals, they're famous, right?

But security teams: this is kind of our mantra. We spend a lot of our time and energy trying to prevent bad things from happening, and one strategy to prevent bad things from happening is to just prevent all things from happening. And that's kind of how we get that reputation as being the bridgekeeper, because this is what security people want. We want to be the dog lying in front of the fireplace. Everything is quiet. It's calm. No one's bothering us.
There's nothing bad happening. So you put these two things side by side and you say, okay, well, it makes sense that this is going to be kind of problematic, a bit of friction. And maybe this is just kind of the technology equivalent of cats and dogs, and I think it's somewhat true.

But what I would say is that now we really don't have the option to sort of tolerate this level of dysfunction, and it's really driven from both sides of this. So on the software side, this is a quote from, I think, 2011, but the idea is that for many companies, their ability to deliver software is tied directly to their ability to be successful. Right, that's certainly how we think of things at Netflix, and there's just more and more software out there at higher velocity. I think a lot of the tools and the innovation and the technology here at this conference is really around letting developers move faster.

And on the security side, we kind of have this seat at the proverbial table now, right? Nobody is really thinking, hey, security is not important. So believe it or not, the first half of my career I spent a lot of time trying to convince people that security was important, but I think generally people get it now. There's really a tremendous amount of demand in the security space, so we hear a lot of times about this skill shortage where there's just not enough people.

So when you take a naturally dysfunctional relationship and then you layer on these elements, it can kind of feel like this is a disaster waiting to happen, like this is just not going to end well. But that's where actually I've had this kind of pleasant professional irony
that I've been able to experience in, say, the last ten years. And that's really that the tools and the techniques, the operational patterns, the sort of practices that developers are latching on to to deliver faster and to deliver at bigger scale, those are the same things that security teams can latch on to to catch up with their software teams, and, what I believe, to make the relationships better and also, I think, meaningfully improve security.

So I don't know if we can quite end up like this kind of dog-and-cat relationship, but I do think we can move closer, and I think we need to. So I want to spend the rest of the time talking about what I view as some principles that security teams can embrace, and then talk about a few examples of some open source that we built at Netflix to help kind of take theory into practice.

So the first principle I have, and I think it's super important, is around transparency. I think it's important for security teams to expose their decision-making, and how they're deciding about certain things, to developers. It shouldn't be opaque. We shouldn't be like the bridgekeeper, where who knows how we're going to decide. We need to think about friction and reducing friction: any kind of interaction where it could be potentially problematic, we need to think about how we can lower the intensity of that and make it go smoother. And then finally, of course, scale. If we're producing more software, if we have this cybersecurity skill shortage, we need to think about how we can more effectively address a really, really large portfolio of software.

So let's walk through a couple of examples here of some work we've done at Netflix. The first example seems really simple, but it's probably one of the gnarliest security-developer interactions that you can have, and that's how do you provide developers access to what they need?
How do you give them the permissions they need? And I'm going to use this opportunity to use my favorite Grace Hopper quote. I don't think she was talking about developer permissions, I could be wrong, but when you read that quote it kind of gives you the gist of the problem, which is that sometimes when you're asking permission, it's going to take some time. There's a risk that your request will be denied. So sometimes you just kind of want to do your thing, right? You just want to move fast and maybe break some things.

And some of what we've seen historically can kind of make that seem like a good idea, because usually when you need permissions, or you need some kind of new capability, you have to go take it to somebody who decides whether or not you get it. Maybe it's a change review board, or it's an architecture review board, or it's the security team, or whatever it is in your organization. Somebody has the opportunity to be the bridgekeeper for you, right, and to tell you no.

And then on the security side, this is probably, so I don't remember, but it's probably something I've done in my career. What we'll sometimes do in security is we'll see a permission, we'll see a firewall rule, we don't know what it is, so we say, well, let's just disable it and see who complains. But this is not the kind of behavior that builds trust, right? If you do this kind of thing and then somebody's app breaks over the weekend and they get paged, they're not going to be happy. So can we do something better than this?
This seems pretty dysfunctional. So I'm going to talk about how we do cloud permissions at Netflix. We primarily use Amazon Web Services, and there's probably a better phrase for this, but I kind of call it the magic of infrastructure as a service, because I think the cloud is not really about, let's take an app from the data center and just run it in the cloud. To me, I think you really get a lot of leverage when you start using the other services that your cloud provider gives you. So for example, if your app needs to send email to your customers, instead of managing this massive email delivery infrastructure, you just call an API, right? You have a ton of velocity, a ton of capability, just by using those services.

But this is where some of the tricky part comes in: how do you provide the developers the permissions they need? Because it's not clear. The nice thing is that many cloud providers, including AWS, give you pretty detailed information about how you're using the cloud. So AWS has two services, one's called CloudTrail, the other one's called Access Advisor, that give you insight into how you're using the cloud. And then what the security team does is use that information to help make better decisions.

So if you were a developer at Netflix and you wanted to create whatever app you wanted to create, what we would do is give you a base set of permissions. We've observed thousands of applications over many years, and we have a good sense of how most applications interact with AWS. So what we do is we give you that base set of permissions, and you can imagine it's slightly over-provisioned, right, because you're going to have permissions you don't need. But we believe that, to start with, that's a pretty good trade-off, because it allows every developer... you don't need to come ask anybody.
You just kind of go and do stuff. We think that's a good trade-off between velocity and security. And then what we do, once your app is running, is we just watch what it does. All right, we take a look: what is your app doing? And it doesn't matter what you think your app does or what you asked for. The only thing that matters is the data, and how your app actually interacts with the cloud. And then what we do is we just take a delta. So we have what permissions you have and what you haven't used, and we just remove those permissions.

But what we don't do is just blindly get rid of those and, you know, hope nothing breaks. What we do is we push notifications to developers through our standard change notification platform. We let you know: hey, your app hasn't used these permissions, we're going to go ahead and take them away; if you have any questions, go check out the docs, come talk to us on our Slack channel. So if everything's fine, there's no interaction needed, right? It just all works.

So we built that and we open-sourced it as a tool called Repokid. If that's at all of interest to you, go take a look at it. We've got a lot of good contributions and feedback from the community. And what we do with Repokid is just transparent and automated, right? There's no permissions you have to ask anybody for; it just works. It simplifies the developer experience, it minimizes the human interaction, and it introduces one of the core philosophies that we have at Netflix from a security perspective, which is this idea of guardrails instead of gates. So how do we let people move fast but stay safe at the same time?
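The "take a delta, notify, then remove" step the speaker describes above, as an added example. This is editorial code, not from the talk and not Repokid's own code: the IAM policy, the Access Advisor style "service last accessed" data, the 90-day window, the `repo-bot` notice format and the role name are all constructed or assumed here for illustration. It also handles one caveat a practitioner hits immediately: a bare `*` action cannot be attributed to a single service, so it is flagged for a human rather than removed automatically.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real Netflix data): the slightly
# over-provisioned base policy a new app starts with.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ses:SendEmail", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
}

# Constructed stand-in for Access Advisor "service last accessed" data:
# service namespace -> last authenticated call (None = never used).
LAST_ACCESSED = {
    "s3": "2024-05-01T12:00:00Z",
    "sqs": "2023-11-03T08:30:00Z",
    "ses": None,
    "dynamodb": "2024-05-10T01:15:00Z",
}

NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible
REPO_AFTER = timedelta(days=90)                     # assumed inactivity window


def service_of(action):
    """'s3:GetObject' -> 's3'. A bare '*' belongs to no single service -> None."""
    if action == "*":
        return None
    return action.split(":", 1)[0].lower()


def unused_services(last_accessed, now=NOW, window=REPO_AFTER):
    """Services with no authenticated call inside the window, or never used at all."""
    unused = set()
    for service, stamp in last_accessed.items():
        if stamp is None:
            unused.add(service)
            continue
        seen = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if now - seen > window:
            unused.add(service)
    return unused


def repo_policy(policy, unused):
    """Return (new_policy, removed_actions, flagged_actions).

    Allow-actions of an unused service are dropped and statements left empty
    disappear. A '*' action is kept and flagged: the data cannot say which
    service it was exercised for, so it is a human decision, not a bot's.
    """
    new_statements, removed, flagged = [], [], []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        kept = []
        for action in actions:
            svc = service_of(action)
            if svc is None:
                flagged.append(action)
                kept.append(action)
            elif stmt["Effect"] == "Allow" and svc in unused:
                removed.append(action)
            else:
                kept.append(action)
        if kept:
            new_statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": new_statements}, removed, flagged


def change_notice(role_name, removed, flagged, grace_days=7):
    """The transparent heads-up pushed to the owning team before anything changes."""
    lines = [f"[repo-bot] Role {role_name}: permissions unused for {REPO_AFTER.days} days "
             f"will be removed in {grace_days} days: {', '.join(removed) or 'none'}."]
    if flagged:
        lines.append(f"[repo-bot] Needs human review (cannot be attributed to one service): "
                     f"{', '.join(flagged)}.")
    lines.append("[repo-bot] Questions? See the docs or ask in the security Slack channel.")
    return "\n".join(lines)


if __name__ == "__main__":
    unused = unused_services(LAST_ACCESSED)
    new_policy, removed, flagged = repo_policy(BASE_POLICY, unused)
    print(change_notice("example-app-role", removed, flagged))
    print(json.dumps(new_policy, indent=2))
```

Note that this uses only the usage data, as the talk stresses: the developer's stated intent plays no part in the delta, and the notice is what makes the removal transparent rather than a surprise page on the weekend.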
It's that kind of balance between velocity and security. So the next item I want to talk about is what we call application risk assessment. You might call this something different at your place of employment, but it's really the process where the security team comes to know context about new systems that are being developed, new applications, so we can decide how much security effort to invest. So are you building the next-generation global payments infrastructure that's going to be handling all kinds of credit cards, or are you building an app to show the lunch menu, right? So we're going to invest differentially there, as you would imagine.

But how do we determine who's building the payments infrastructure and who's building the lunch menu? What we've typically done as a security industry is we will ask people to fill out spreadsheets or surveys. So tell us about your app, and then we can decide what we think about it. The problem is that people are going to avoid you; you're not going to catch everybody. And one of the things I've found, which may or may not be surprising to the audience, is that sometimes people lie. And it's not necessarily malicious, but they just fill the thing out incorrectly. We may ask a question that we think is simple, like: does this application process secure data? Sounds simple. The problem is, what is secure data? Is it intellectual property? Is it credit cards? Is it social security numbers? It's going to be very unlikely you get consistent answers to this.

And also what we typically do with this survey process is we ask one time, right when you're first building the app, and of course we all know applications never change functionality over their lifetime, right?
Whatever you start with, that's how it was always intended. So what we end up with is an incomplete data set that's incorrect and out of date. Right, but this is what security teams have to use to decide where they're going to invest. That's not really a great situation.

So one of the neat things is that as technology advances, and as new patterns emerge and new capabilities emerge, you start to have the capabilities to start thinking about problems in kind of a fundamentally different way. And I think this tweet from years ago captures it pretty well. So Netflix is a large proponent of microservice architectures, and there's just a lot of them. You can't really think about how they all fit together; it doesn't really work in your brain. But, you know, there's APIs, there's data, there's the IPC mechanism we use, there's a bunch of information at your disposal to let you automate your reasoning about the environment.

So that's what we set out to do. We wanted to create an automated risk analysis for microservice architectures. So instead of asking developers to fill out a spreadsheet or a survey, or relying on human judgment, what we wanted to do was observe. Right, so what does the connectivity look like? How is the cloud configured? How is the app configured? And then we want to develop a risk scoring based on observations that we're making, and we do it continuously, right? It's not just when you first create it. So we can tell when things change in the environment and we can adjust our classification.

So the heart of this system is based on what we would call an observation, and this is an example observation, this one here.
We called it dependent applications. So just imagine you run a service and say 300 other services depend on your service. I might use that data and say, oh, okay, well, that might be a critical service, because you have a lot of services depending on you being available. So what we can do is then use that data to kind of nudge a risk score up or down based on what we think about that.

But that's just one observation, right? So there are other observations you have: is the system on the Internet? Does it connect to a sensitive data store? How many instances run in its scaling group? Does it run in a sensitive cloud environment? And really the key is that it's a flexible framework, and you can add more observations. And what we believe is that the more observations we make, the better sense we have about the true risk and the true criticality of the system.

And then what we do is we add that with some other metadata to help our team become more efficient and more effective when they're working through, say, security incidents or security vulnerabilities. So these are other elements of what you might call security supportability. For any given application: what team owns it? What's their on-call rotation? Where are their Jenkins jobs? Where is their source code repo? All these kinds of things you want to have at hand when you're working security issues.
So it kind of aggregates all this data, and then this is just an example scorecard of a few different measures and sort of how it rolls up. And what you can imagine is that we have a number of measures that are continuously polling and evaluating the environment, and the portfolio is, you know, say many or several thousand applications. And then what this does is it provides a security team a good start for thinking about where they're going to invest.

So the heart of the system, what we built it on, was called Scumblur. We open-sourced Scumblur a few years ago. It's really a mechanism for running these kinds of data evaluation jobs and bringing them back. And then the takeaways there: really, to me, the key is that there's no human requirement, right? There's nobody, there's no survey provided, there's no wondering, did somebody answer the question correctly? They're just observations, right? And this really helps us move away from that bridgekeeper model, because it's very clear how we're evaluating the risk score and how we're generating that. So it's objective, it's transparent, it's continuous.

So just wrapping up, kind of getting back to those principles I brought up at the beginning: transparency is really important. I think this is perhaps the number one thing when you're thinking about building trust between a security team and a software team. You have to be transparent.
You can't have this feeling that you're just making arbitrary decisions, so anything we can do with technology that will promote this, we want to invest in. Second, right, friction: lowering friction. To me, the best way to lower friction in a human interaction is to not have the human interaction. Right, so if we can remove the human interaction, it's going to make it much simpler, and then it's also going to lead to that last principle, which is scale. Because we know we're going to be constrained resource-wise, but we know somehow the engineering teams keep building more software, so we have to figure out how to address that.

So I know that was a bunch of information, but that's it for me. I certainly appreciate your time. Thanks for having me.
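The observation-based risk scoring and scorecard described in the talk (the "dependent applications", Internet exposure, sensitive data store, scaling-group size and environment observations, plus the supportability metadata), as an added example. This is editorial code, not the talk's and not Scumblur's: the point weights, the tier thresholds, the two applications and the owner/on-call/repo metadata are all constructed here for illustration. The useful part is the shape: each observation is one registered function that returns a delta together with the reason for it (that is what makes the score transparent), and re-evaluating after the environment changes shows exactly which observation moved.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class App:
    """What the observers can see about a service; constructed, not real inventory."""
    name: str
    dependents: int = 0              # other services that call this one
    internet_facing: bool = False
    sensitive_datastores: tuple = ()
    instances: int = 1               # size of its scaling group
    environment: str = "test"


@dataclass(frozen=True)
class Observation:
    name: str
    delta: int       # nudge to the risk score, up or down
    reason: str      # the explanation a developer sees next to the number


OBSERVATIONS = []


def observation(fn):
    """Register an observation (App -> Observation). Adding one is adding one function."""
    OBSERVATIONS.append(fn)
    return fn


@observation
def dependent_applications(app):
    n = app.dependents
    delta = 30 if n >= 100 else 10 if n >= 10 else 0          # assumed weights
    return Observation("dependent_applications", delta, f"{n} services depend on it")


@observation
def internet_exposure(app):
    delta = 20 if app.internet_facing else 0
    reason = "reachable from the Internet" if app.internet_facing else "internal only"
    return Observation("internet_exposure", delta, reason)


@observation
def sensitive_data(app):
    stores = app.sensitive_datastores
    delta = min(20 * len(stores), 40)                          # capped so one app cannot run away
    reason = ("connects to " + ", ".join(stores)) if stores else "no sensitive data stores"
    return Observation("sensitive_data", delta, reason)


@observation
def fleet_size(app):
    n = app.instances
    delta = 10 if n >= 50 else 5 if n >= 10 else 0
    return Observation("fleet_size", delta, f"{n} instances in scaling group")


@observation
def environment(app):
    delta = 10 if app.environment == "prod" else 0
    return Observation("environment", delta, f"runs in {app.environment}")


def tier(score):
    """Assumed thresholds for rolling a score up into an investment tier."""
    return "critical" if score >= 60 else "high" if score >= 35 else "medium" if score >= 15 else "low"


def evaluate(app):
    obs = [fn(app) for fn in OBSERVATIONS]
    score = sum(o.delta for o in obs)
    return {"app": app.name, "score": score, "tier": tier(score), "observations": obs}


def changes(before, after):
    """Observations whose contribution moved between two evaluations of the same app."""
    prev = {o.name: o for o in before["observations"]}
    return [o for o in after["observations"] if o.name not in prev or prev[o.name].delta != o.delta]


# Constructed supportability metadata, joined onto the scorecard for incident work.
SUPPORT_METADATA = {
    "payments-gateway": {"owner": "payments-eng", "oncall": "payments-primary",
                         "repo": "git@example.invalid:payments/gateway.git"},
    "lunch-menu": {"owner": "workplace-apps", "oncall": "workplace-primary",
                   "repo": "git@example.invalid:workplace/lunch-menu.git"},
}


def scorecard(app, metadata=SUPPORT_METADATA):
    card = evaluate(app)
    card.update(metadata.get(app.name, {}))
    return card


# Two constructed applications from the talk's own contrast, and one later change.
PAYMENTS = App("payments-gateway", dependents=300, sensitive_datastores=("cardholder-db",),
               instances=40, environment="prod")
LUNCH_MENU = App("lunch-menu", internet_facing=True, instances=2, environment="prod")
LUNCH_MENU_LATER = replace(LUNCH_MENU, sensitive_datastores=("employee-pii",))

if __name__ == "__main__":
    for app in (PAYMENTS, LUNCH_MENU):
        card = scorecard(app)
        print(f"{card['app']}: {card['score']} ({card['tier']}), on-call {card['oncall']}")
        for o in card["observations"]:
            print(f"  {o.delta:+3d}  {o.name}: {o.reason}")
    for o in changes(evaluate(LUNCH_MENU), evaluate(LUNCH_MENU_LATER)):
        print(f"lunch-menu changed: {o.name} now {o.delta:+d} ({o.reason})")
```

Run continuously over an inventory, `changes` is what turns a one-time survey into a living classification: when the lunch-menu app quietly starts talking to an employee-PII store, its tier moves and the observation that moved it is named, with no one having to answer a questionnaire.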