Netflix airs its developers' Dirty Laundry
Open source tool will show skid marks left on clean code to help bug-spotters
Netflix has developed a platform, using soon-to-be open source tools, that probes for vulnerabilities and monitor data leakage.
One initiative dubbed the "Dirty Laundry Project" monitors for Netflix assets unintentionally exposed by its staff.
Engineers Scott Behrens and Andy Hoernecke (pictured above) told the Shmoocon conference last month the platform uses a variety of in-house developed tools, some available as open source, that help make security defences proactive.
"Maybe a developer screwed something up in a build and left stack traces on, or exposed some sensitive keys, " Behrens said. "Dirty Laundry will give some visibility into that."
The aptly-named platform plugged into Netflix open source tools Monterey, Scumblr and Sketchy which could each provide contextual analysis on a given app.
The former tool was soon to be published as open source and granted a kind of slick GUI bird's eye view into published apps using Netflix plugins to flag suspect vulnerabilities which security administrators could later inspect.
If flaws are found, notes of almost any form can be left behind to notify the developer to build a fix.
Plugins, or 'monklets', could be developed quickly using Python to add functionality such as vulnerability scanning. Many already existed for tools including Arachni, Qualys, and Nmap.
"If you can write something in Python and make a wrapper for a tool, you can run it in Monterey," Behrens said.
Additional Amazon instances could be fired up to reduce scan times for projects on tight deadlines, he said.
In a demonstration of the capabilities of the platform the team developed a Monterey monklet after the ShellShock SSL vulnerability was disclosed that could spider pages within each Netflix app to assess exposure.
The Netflix duo had also developed new functionality for the already open source Scumblr plugin allowing it to comb and report vulnerabilities in third-party applications that were posted to the Full Disclosure mailing list.
The app joined an armada of simian-inspired open source tools released by the video king pin that "proactively wrecks your environment" including apps and load balancers to test resiliency of platforms.
"[There's] a trend here; almost all [our] tools have the exact same steps; identify something interesting automatically, create some sort of notification, and provide a mechanism to handle the issue quickly using work flows," Behrens said.
The work was in part made possible thanks to a tool dubbed Penguin Shortbread which the pair developed to help understand the vast assets running in Netflix's environment.
That tool, earmarked for publication as open source, helped catalogue assets, measure attributes and calculate risk, Hoernecke said
"You'll be lucky to walk into a company and get a spreadsheet of applications they are exposing on the internet, and that's not scalable when you are talking about hundreds of thousands of applications," Hoernecke said.
"We really want to open source it but at the moment it is really reliant on Netflix assets so we will have to make it more generic."
The platform, also wrapped in a clean GUI, provides admins with metrics showcasing dependencies and security risk of given apps, code repositories and details of app owners.
Enterprises could adjust risk settings to reflect different tolerances, Hoernecke said.
He also revealed another platform it was developing dubbed 'Danger, Danger' that would flag vulnerabilities including CVEs that exist for libraries a developer may wish to use. The system is a work in progress and requires more development, Hoernecke said.
The engineer said security teams should work to assist developers not simply block them, and called for colleagues to share their tools and experiences to aid the wider IT industry.
"If security is the easy part developers will do it. If security is the hard part, they will probably blow right past it."
A video of the pair's talk can be found here. ®