Presentation: The Psychology of Security Automation

Duration: 10:35am - 11:25am


Key Takeaways

  • Hear modern approaches to building security software that help improve developer velocity, not hinder it.
  • Learn tools and techniques in use at Netflix today to bridge the gap between security and development teams.
  • Hear about some of the internal automation used by security teams at Netflix.

Abstract

Historically, relationships between developers and security teams have been challenging. Security teams sometimes see developers as careless and ignorant of risk, while developers might see security teams as dogmatic barriers to productivity.

Can technologies and approaches such as the cloud, APIs, and automation lead to happier developers and more secure systems? Netflix has had success pursuing this approach, by leaning into the fundamental cloud concept of self-service, the Netflix cultural value of transparency in decision making, and the engineering efficiency principle of facilitating a “paved road.”

This session explores how security teams can use thoughtful tools and automation to improve relationships with development teams while creating a more secure and manageable environment.

Interview

Question: 
QCon: Can you tell me a bit about your role at Netflix today?
Answer: 

Jason: My title is Engineering Director for Cloud Security, and I lead a few different areas of security for Netflix. We work on operational security for our Amazon environment, application security (helping developers build and operate more secure systems), incident response, privacy engineering, risk management, and fraud. We are also responsible for corporate information security, what you might more typically think of as traditional IT security.

Question: 
QCon: What’s the goal for the talk that you are giving at QCon?
Answer: 

Jason: Considering what’s going on in the tech world today (advances in automation and tooling, companies moving more to cloud, and APIs becoming more ubiquitous), these technologies are increasingly becoming available to security teams. What I want to walk through is how security teams can use these technologies to their advantage and improve their relationship with an engineering organization. In some cases, maybe even heal past wounds that some engineers might have experienced in previous companies.

What I found is that many times engineering teams have an adversarial relationship with security. What’s going on in the general tech world can be leveraged to make that relationship a lot more functional and mutually beneficial. That’s the overall goal.

Question: 
QCon: Can you give us some ideas of the things you’ll talk about?
Answer: 

Jason: It’s by no means a formal taxonomy, but I’ll discuss a few security automation solutions and how system designers can use them to improve that relationship. I will discuss automations that the security teams can build for developers to use. One of the examples I’ll use is a system we open sourced last year to do SSL certificate management (which has been typically problematic to work with). That’s one class of automation, a developer self-service tool.

Another class is integrations and automations that you can build to help real-time collaboration between engineers and security teams. To illustrate this, I’ll discuss some of the security automation we’ve integrated and enabled via ChatOps. 

Jason: The third class of automation is examples of internally built automation tools for security teams that helped them become more efficient and also build better relationships with developers. You are not just finding bugs and handing developers these really long and confusing PDF reports about some vulnerability that they need to fix. These tools make that a lot more efficient and effective.

Question: 
QCon: Is it correct to say that the talk is about tooling and automation, not as much about culture?
Answer: 

Jason: It’s a shift in culture. These migrations to cloud, self-service, and continuous deployment are really all optimized for moving faster. People want to get features out more quickly, that’s a new reality, and that’s how innovation happens. Traditionally speaking, a good day for a security team is when nothing happens. The idea is, if I am trying to stop bad things from happening, let me stop everything from happening. 

But that’s in direct opposition with this idea of developer velocity. Then how can security teams be successful given this approach to doing business? Moving very quickly and all of the developer tools, languages, systems are optimized for this approach. For security teams to be successful in this culture, they need to change their mindset. It’s about that culture shift and how we can use technology to assist with that culture shift.

Question: 
QCon: Who are you talking to in the talk: the security team members or the developers?
Answer: 

Jason: There’s going to be a little bit for each of those audiences. The folks that might get the most out of it would not be security teams, but general software engineers who may be working on security systems. Security engineers who are trying to figure out how to work with developers more effectively in an agile environment. The talk will also try to help general software engineers who have had bad experiences with security teams in the past understand why those experiences went wrong, and how the mind of a security person works. Hopefully, the talk will help bridge the gap between the different teams.

Question: 
QCon: What do you want someone who comes to your talk to walk away with?
Answer: 

Jason: Ideally, if it was just one thing to take away, it would be that security does not necessarily slow things down. Hopefully, this will open up the perspective. What I’ve found is that many times, because of some negative past experiences, engineers will tend to try to avoid security teams because they are going to slow things down, and they are not going to add any value. 

I’ll provide real world examples showing that proactively engaging with security teams and thoughtfully designed security automation and tools can keep things moving as quickly as possible and also bring quite a lot of value.

Speaker: Jason Chan

Director of Engineering - Cloud Security @Netflix

Jason Chan is an Engineering Director at Netflix. His areas of responsibility include application, infrastructure, and operational security for the Netflix streaming video service as well as corporate information security. Prior to joining Netflix, he led the information security team at VMware and spent most of his earlier career in security consulting for firms such as @stake and iSEC Partners.

