AppSec USA 2016 has ended
Back To Schedule
Thursday, October 13 • 2:15pm - 3:15pm
Cleaning Your Applications' Dirty Laundry with Scumblr

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed everyday, code is pushed every hour, and systems are spun-up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool call Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across a thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding for how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tools include details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, Github, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.

avatar for Scott Behrens

Scott Behrens

Senior Application Security Engineer, Netflix
Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise... Read More →
avatar for Andrew Hoernecke

Andrew Hoernecke

Andy Hoernecke is a Senior Application Security Engineer on the Product and Application Security Team at Netflix where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security... Read More →

Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001