AppSec USA 2016

Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed everyday, code is pushed every hour, and systems are spun-up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool call Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across a thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding for how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tools include details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, Github, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.