Netflix treats security ills with Stethoscope: Open-source self-probing tool
Software scrutinizes device defenses, is better than just yelling IT policies at staff
Netflix has released the source code of a web application called Stethoscope for evaluating the security of mobile and desktop computing devices.
The software, covered by the Apache 2.0 license, intended for employees of organizations that use a device management service. Netflix hopes that employees using the toolkit will learn from it and apply the app's recommendations to personal devices that are not under active management.
Stethoscope relies on a Python backend, a React frontend, and a Nginx foundation for serving static files. Ready to run in a Docker container, it's designed to collect security-related information from devices when the user visits the application web page.
Device information is used to query data sources involved in device management, such as Google MDM (for mobile devices), JAMF (for Macs), and LANDESK (for Windows). Support for osquery, an open-source framework for device analytics, is being developed.
In essence, Stethoscope provides a security checkup that spans multiple device management services. After accessing the web app, device users will be presented with specific security-oriented recommendations having to do with disk encryption, firewall configuration, automatic updates, update installation, or other things.
The app can also serve as an interface for presenting and responding to notifications, such as device access warnings designed to alert users to logins from unexpected IP addresses or locations.
Netflix engineers Jesse Kriss and Andrew White suggest the app's advice for managed devices can help employees make better decisions with their personal devices, thereby making Netflix more secure.
"It's important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices – which we don't control – may very well be the first target of attack for phishing, malware, and other exploits," the pair said in a blog post. "If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix."
Netflix's approach to device security involves working with employees on security rather than against them. Stethoscope thus offers low-key security guidance instead of heavy-handed policies that restrict device usage or require IT department intervention.
The project reflects Netflix's focus on what it calls "User Focused Security." As Kriss explained in a presentation about Stethoscope at ShmooCon in January, "We want our employees to be secure, not just the endpoints." ®