Snapshot: Netflix’s Open Source Projects for Cloud Security

Netflix’s Cloud Security team has been a major player in the open source community for years now. Some of cloud security’s most vexing problems have been ironed out on GitHub and through OSS experiments. To commemorate Netflix’s third year of open source software development, here is a recap of some of the team’s major OSS projects.

Netflix released its first OSS project, Security Monkey, in June of 2014. Security Monkey helps developers monitor their cloud environments, especially Amazon’s AWS infrastructure. The program produces alerts for sudden configuration changes, vulnerabilities, and misconfigurations, and it troubleshoots and responds to common errors and security issues. Security Monkey is still widely used and relevant to cloud security; so much so that Google integrated its Cloud Platform with Security Monkey this past March.

In August 2014, Netflix released a trio of workflow platforms to help developers automate functionality and resolve security issues quickly. Scumblr identifies and analyzes data sources such as GitHub repositories and URLs to surface security issues and their solutions. Sketchy allows a developer to scrape text from websites and take screenshots. Workflowable introduces an interface to configure workflows, trigger automatic actions, and create flow stages. These tools add to Netflix’s security portfolio while moving a bit into the workflow space with intuitive designs.

Netflix’s Fully Integrated Defense Operation (FIDO) emerged in 2015 as the company’s security response framework, although its OSS code is no longer maintained. FIDO automates the copious manual analytical work needed to detect and respond to incoming malware.

In the fall of 2015, Netflix released Sleepy Puppy, a program designed to manage and track cross-site scripting (XSS) propagation over time. Security engineers looking for client-side injections may not find them within the specific application they are testing, because the payload can fire in a different application that consumes the same data. Sleepy Puppy facilitates XSS testing and helps engineers pinpoint injections across multiple applications. Netflix later released Burp Proxy, a similar tool for testing app security.

A month after releasing Sleepy Puppy, Netflix released Lemur. Lemur manages the creation of SSL/TLS certificates, a notoriously difficult problem for developers. Lemur brought unique automation to the process, making it easier to revoke and reissue certificates with so-called “sane” defaults.

In the spring of 2016, Netflix released Bastion’s Lambda Ephemeral SSH Service (BLESS), an SSH Certificate Authority (CA) used to sign public SSH keys. BLESS runs as an AWS Lambda function to control access to public or private hosts and provides an array of options for authorizing keys. Lyft even created a client that lets users request BLESS certificates straight from their laptops instead of going through the BLESS bastion.

Earlier this year, Netflix released HubCommander, a Slack bot developers can use to manage GitHub organizations. Organization administrators can bring audit logs and access controls to the sometimes loose structure inherent to GitHub organizations. Nowadays, HubCommander often acts as a more generalized bot framework.

Soon after releasing HubCommander, Netflix introduced Stethoscope, which delivers specific instructions to users on how to better secure their devices. The program collects user device data and checks a number of parameters to ensure that devices are properly updated and protected.

The last few months have seen a steady stream of OSS projects. BetterTLS helps HTTPS clients detect and reject improperly issued certificates by exercising their handling of Name Constraints. Repokid and Aardvark get developers closer to the principle of least privilege when running on AWS. They work in sync to streamline processes within AWS Identity and Access Management (IAM) and eliminate redundant or unnecessary IAM actions.

Finally, this July Netflix released Repulsive Grizzly and Cloudy Kraken as part of its Skunkworks umbrella project. The programs simulate DDoS attacks and help developers prepare for them. Repulsive Grizzly tests high-throughput request types to detect possible DDoS weaknesses. Cloudy Kraken helps scale up DDoS attack testing.

Netflix’s OSS output has been steady and at times highly experimental. OSS projects essentially help crowdsource creative solutions to difficult problems. Innovation often comes in small steps and at unusual crossroads. The Skunkworks library is a testament to Netflix’s continued engagement with the OSS community and certainly a marker for what is still to come.