Fast Forward - QCon
TRANSCRIPT

Fast Forward
Reflecting on a Life of Watching Movies and a Career in Security
Jason Chan, VP, Information Security @ Netflix, @chanjbs
Credit: @LoulouHoltz
![Page 5: Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app](https://reader034.vdocuments.site/reader034/viewer/2022052021/603518299affe1120b1e33c7/html5/thumbnails/5.jpg)
![Page 6: Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app](https://reader034.vdocuments.site/reader034/viewer/2022052021/603518299affe1120b1e33c7/html5/thumbnails/6.jpg)
![Page 7: Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app](https://reader034.vdocuments.site/reader034/viewer/2022052021/603518299affe1120b1e33c7/html5/thumbnails/7.jpg)
![Page 8: Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app](https://reader034.vdocuments.site/reader034/viewer/2022052021/603518299affe1120b1e33c7/html5/thumbnails/8.jpg)
![Page 9: Fast Forward - QCon · Wall-E Rate Limit IP Blacklist Authentication Authorization SigSci WAF Schema Check Schema Check Sec Headers DLP Pre-Filters Post-Filters. Results ... Per-app](https://reader034.vdocuments.site/reader034/viewer/2022052021/603518299affe1120b1e33c7/html5/thumbnails/9.jpg)
So . . . what does this have to do with security?
Credit: @matt_tesauro
Back to the movies . . .
Non-Functional Requirements (diagram): Core Functionality, Security, Migrations, Upgrades, Other Campaigns, Change, Deployment, Infrastructure, Technology Standards, Operations, Basics, Observability, Performance, Reliability, Scalability
Reducing Cognitive Load for Developers
Simplifying the Security Interface for Developers
Are you trying to make your engineers security experts?
Or do you just want them to build and operate secure systems?
What security functions can we abstract to simplify the developer experience?
Netflix Studio Engineering
Netflix Studio Engineering
Optimize production from “pitch to play”
Lots of innovation and iteration
Netflix Studio Apps (diagram): Netflix Studio User -> Studio LOB App A ... Studio LOB App N
Simplify and Improve Security through Functionality Abstraction
Leverage Netflix OSS - Zuul: “built to enable dynamic routing, monitoring, resiliency and security”
https://github.com/Netflix/zuul/wiki
Netflix Studio Apps with Zuul and Wall-E (diagram): Netflix Studio User -> Wall-E -> Studio LOB App A ... Studio LOB App N
Wall-E pre-filters: Rate Limit, IP Blacklist, Authentication, Authorization, SigSci WAF, Schema Check
Wall-E post-filters: Schema Check, Sec Headers, DLP
Results
Lower cognitive load for onboarding security
Centralized and managed functionality
Frees developers to build the Netflix Studio!
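As an added illustration, not Wall-E or Zuul code and not tied to Zuul's filter API, the Python sketch below shows the pre-filter / post-filter shape from the diagram above: pre-filters run in order and any one of them can stop the request before it reaches the app, while post-filters run on every response, including the error responses the pre-filters produce. The token table, path rules, request schema, backend app and the SSN-shaped string it leaks are all constructed for the example; the IP blacklist (a set lookup) and the SigSci WAF (a vendor product) are left out.

```python
import json
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Request:
    client_ip: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""
    user: str = ""                   # filled in by the authentication filter
    roles: frozenset = frozenset()

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

class Rejected(Exception):
    """Raised by a pre-filter as Rejected(status, reason) to stop the chain."""

def rate_limit(limit, window_s):     # pre-filter: sliding window per client IP
    hits = defaultdict(deque)
    def f(req, now):
        q = hits[req.client_ip]
        while q and now - q[0] >= window_s:
            q.popleft()
        if len(q) >= limit:
            raise Rejected(429, "rate limit")
        q.append(now)
    return f

def authenticate(tokens):            # pre-filter: constructed token -> (user, roles) table stands in for SSO
    def f(req, now):
        token = req.headers.get("Authorization", "").removeprefix("Bearer ")
        if token not in tokens:
            raise Rejected(401, "unauthenticated")
        req.user, req.roles = tokens[token]
    return f

def authorize(rules):                # pre-filter: path prefix -> roles allowed; no matching rule means deny
    def f(req, now):
        for prefix, roles in rules.items():
            if req.path.startswith(prefix) and req.roles & roles:
                return
        raise Rejected(403, "unauthorized")
    return f

def schema_check(schemas):           # pre-filter: required JSON fields and their types, per path
    def f(req, now):
        spec = schemas.get(req.path)
        if spec is None:
            return
        try:
            data = json.loads(req.body)
        except ValueError:
            data = None
        if not isinstance(data, dict):
            raise Rejected(400, "body is not a JSON object")
        for name, typ in spec.items():
            if not isinstance(data.get(name), typ):
                raise Rejected(400, f"bad field: {name}")
    return f

def security_headers(resp):          # post-filter: applied to every response
    resp.headers.update({"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                         "X-Content-Type-Options": "nosniff",
                         "Content-Security-Policy": "default-src 'self'"})
    return resp

def dlp_redact(resp):                # post-filter: redact anything shaped like a US SSN
    resp.body = re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[redacted]", resp.body)
    return resp

def gateway(pre, post, app):
    def handle(req, now=0.0):
        try:
            for f in pre:
                f(req, now)
            resp = app(req)
        except Rejected as e:
            resp = Response(*e.args)
        for f in post:               # post-filters run on every response, rejections included
            resp = f(resp)
        return resp
    return handle

def studio_app(req):                 # constructed backend that echoes an SSN-shaped string
    return Response(200, json.dumps({"user": req.user, "note": "contact 123-45-6789"}))

def build_gateway():
    tokens = {"tok-alice": ("alice", frozenset({"producer"})), "tok-bob": ("bob", frozenset({"viewer"}))}
    return gateway(
        pre=[rate_limit(3, 60), authenticate(tokens),
             authorize({"/scripts": {"producer"}, "/titles": {"producer", "viewer"}}),
             schema_check({"/scripts": {"title": str, "pages": int}})],
        post=[security_headers, dlp_redact], app=studio_app)
```

Order matters in both chains: rate limiting runs before authentication so an unauthenticated flood is throttled instead of driving token validation, and the security headers and DLP redaction are applied to 4xx responses too, so no path through the gateway skips them. A real deployment would replace the token table with the SSO validation the gateway fronts and keep the schema and DLP rules per app, which is the "centralized and managed functionality" the Results slide refers to.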
Blurring Lines: App and Infra
Monolith to microservices: network
Immutable infra: OS, custom app, middleware
Infra as code: everything!
Tackling App and Infra Integration: Seamless Least Privilege
The Magic of IaaS (diagram): Instances, Hadoop, Email Services, Storage, Database, Message Queue
Ex: Cloud Based Word Processor

Step 1, every action on every resource:
{
  "Effect": "Allow",
  "Action": ["*:*"],
  "Resource": "*"
}

Step 2, only S3, but every S3 action on every bucket:
{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": "*"
}

Step 3, only reading and writing objects, still on every bucket:
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "*"
}

Step 4, only reading and writing objects in the app's own bucket:
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::wp_bucket"
}

(In a real policy the resource for these two object-level actions is the object ARN, arn:aws:s3:::wp_bucket/*; the bare bucket ARN only matches bucket-level actions such as s3:ListBucket.)
AWS provides data about API use
This data acts as a basis for action
When a new application is created, we provide a base set of permissions:
s3:GetObject, s3:PutObject, ..., sqs:ReceiveMessage

We observe the application to see which permissions are actually used

We then remove unused permissions:
s3:GetObject, s3:PutObject, ..., sqs:ReceiveMessage
Available as OSS - Repokid
https://github.com/Netflix/repokid
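To make the three steps concrete, here is an added Python sketch of the repo loop in simplified form. It is not Repokid's code: Repokid operates on real IAM roles and the usage data AWS exposes, whereas this version takes a constructed base policy and a constructed table of last-used timestamps per action (the shape of IAM Access Advisor data) and returns the narrowed policy together with the list of what it removed, so the change can be reviewed before it is applied. The policy, the observation values and the 90-day window are assumptions for the example.

```python
import fnmatch
from datetime import datetime, timedelta

# Constructed base policy handed to a new app (assumption for the example, not a real policy).
BASE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::wp_bucket/*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}

# Constructed observation data: action -> last time the app was seen calling it.
# In AWS this is the kind of data CloudTrail or IAM Access Advisor provide; these values are made up.
OBSERVED = {
    "s3:GetObject": "2019-03-02T10:00:00",
    "s3:PutObject": "2019-03-02T10:05:00",
    "sqs:ReceiveMessage": "2019-03-01T08:00:00",
    "dynamodb:GetItem": "2018-11-20T09:00:00",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def repo_policy(policy, observed, now, window_days=90):
    """Return (repoed_policy, removed_actions) without modifying the input.

    An Allow action survives only if it was observed inside the window. A wildcard such
    as dynamodb:* is narrowed to the concrete actions that were observed rather than kept
    whole. Deny statements are never touched. With no usage in the window at all the
    function refuses to act, so an app that has not run yet is not stripped to nothing.
    """
    cutoff = now - timedelta(days=window_days)
    used = {a for a, ts in observed.items() if datetime.fromisoformat(ts) >= cutoff}
    if not used:
        raise ValueError("no API usage observed in window; refusing to repo")
    statements, removed = [], []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            statements.append(st)
            continue
        kept = []
        for pat in _as_list(st["Action"]):
            # IAM matches action names case-insensitively; '*' and '?' are its only wildcards.
            hits = sorted(a for a in used if fnmatch.fnmatchcase(a.lower(), pat.lower()))
            if not hits:
                removed.append(pat)
            elif "*" in pat or "?" in pat:
                kept.extend(hits)           # narrow the wildcard to what was actually used
            else:
                kept.append(pat)
        if kept:                            # a statement with nothing left is dropped entirely
            statements.append({**st, "Action": kept})
    return {**policy, "Statement": statements}, removed
```

Two choices are worth keeping even in a toy: a wildcard such as dynamodb:* is narrowed to the concrete actions that were observed rather than kept or dropped wholesale, and the function refuses to act when no usage falls in the window, since an app that has not run yet would otherwise be left with an empty policy. Returning the removed list alongside the new policy is what makes the operation transparent and reviewable.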
Results
Low-risk access reduction
Transparent and versioned ops
Innovation and high-velocity development without friction
Potential for “Controlled” Anarchy
Microservices
YBIYRI (you build it, you run it)
Polyglot and multiple tech stacks
Independent deployments
Intentionally decentralized governance leads to increased attack surface
Managing the Anarchy
The Security Paved Road
● Well-supported solutions from central teams
● Clarifies and evangelizes successful patterns and practices
● Automated observation and evaluation of adoption
● Provides a standard way of interfacing with engineering teams about security
● Uncover risk and reward operational excellence
Security Paved Road (ex.)
Example Solutions & Measures
Per-app IAM role
Per-app Security Group
No secrets in code
Instance identity
Updated machine image
Security Paved Road: Quarterly Change Cycle
Commit to update once per quarter to pull in upgrades, library changes, and modifications to paved road components
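An added sketch, not Netflix tooling, of what "automated observation and evaluation of adoption" can look like for the example measures listed above and the quarterly change cycle: each app in a constructed inventory is scored against the five measures, and both the per-measure adoption rate a central team tracks and each app's list of open issues come out of the same report. The inventory records, the role and security-group names, the two secret patterns and the 90-day image-age threshold are all assumptions for the example; the secret in scripts-ui is the AWS documentation example key, not a real credential.

```python
import re
from collections import Counter
from datetime import date

# Constructed inventory of what a deployment system might know about each app.
APPS = [
    {"name": "titles-api", "iam_role": "titles-api-role", "security_group": "sg-titles-api",
     "image_built": "2019-02-10", "instance_identity": True,
     "config": "DB_URL=postgres://db.internal/titles\n"},
    {"name": "scripts-ui", "iam_role": "shared-role", "security_group": "sg-studio-default",
     "image_built": "2018-06-01", "instance_identity": False,
     "config": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"name": "casting-svc", "iam_role": "shared-role", "security_group": "sg-studio-default",
     "image_built": "2019-01-15", "instance_identity": True,
     "config": "db:\n  password: hunter2\n"},
]

# Crude secret detectors: a 40-character AWS secret key value and any password assignment.
SECRET_PATTERNS = [
    re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S{40}"),
    re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
]

MEASURES = ["per-app IAM role", "per-app security group", "no secrets in code",
            "instance identity", "updated machine image"]


def evaluate(apps, today, max_image_age_days=90):
    """Return {app name: {measure: passed?}} for every app in the inventory.

    The per-app checks need the whole inventory: a role or security group counts as
    per-app only if no other app uses it. The image-age threshold is the quarterly
    change cycle expressed in days.
    """
    role_users = Counter(a["iam_role"] for a in apps)
    sg_users = Counter(a["security_group"] for a in apps)
    report = {}
    for a in apps:
        image_age = (today - date.fromisoformat(a["image_built"])).days
        report[a["name"]] = {
            "per-app IAM role": role_users[a["iam_role"]] == 1,
            "per-app security group": sg_users[a["security_group"]] == 1,
            "no secrets in code": not any(p.search(a["config"]) for p in SECRET_PATTERNS),
            "instance identity": a["instance_identity"],
            "updated machine image": image_age <= max_image_age_days,
        }
    return report


def adoption(report):
    """Fraction of apps passing each measure, the number a central team tracks over time."""
    total = len(report)
    return {m: sum(r[m] for r in report.values()) / total for m in MEASURES}


def open_issues(report, app):
    """The customized view for one team: the measures this app still fails."""
    return [m for m in MEASURES if not report[app][m]]
```

Note that "per-app IAM role" and "per-app security group" cannot be judged from a single app's record; they need the whole inventory to see whether a role or group is shared, which is one reason a central team is better placed to measure adoption than each team on its own.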
Security Paved Road: Security Brain
Make our expectations, asks, and recommendations explicit and easy to navigate
Customized view for the user: open security issues, recommended practices
Most security backlog is standard; explicitly limit bespoke/custom backlog
In closing . . .
Overall Takeaways
Stay attuned to trends
Simplify and standardize
Favor transparent decisions
Measure adoption and uptake
Get comfortable with tradeoffs

Thank you! @chanjbs