Travis McPeak

Friday, Feb 23, 2018 at 11:30 AM in 373 Soda Hall

Title: Least Privilege: Security Gain without Developer Pain

Abstract: The principle and benefits of Least Privilege are long established in Computer Security—dating back to the 1970s. Despite this it is far from universally adopted. Technologies used to define and enforce Least Privilege policy are arcane to most in the computing industry. Software developers are incentivized to ship products and features, so they focus on what helps them work fast: wildcards in policies, if they even have one. Traditional attempts to counter this typically require system administrators or security staff to perform manual reviews and craft security policies in response. As application complexity and development velocity increase it becomes impractical to manually determine Least Privilege ahead of time. A central policy gatekeeper doesn't scale efficiently and is likely to negatively impact delivery velocity. Our approach at Netflix combines gathering data about how applications interact with their environment and automatically adjusting the permissions in their security policy. Unused permissions are automatically removed from application policies across our environment without manual effort from developers or the security team. This approach gives us the best of both worlds: the security team gets least privilege policies and developers maintain high velocity. During this talk we’ll describe how this works in our environment, challenges we’ve overcome along the way, and recommend other applications for the same methodology.
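The last part of the abstract describes the mechanism: collect which permissions an application actually uses, then automatically drop the rest. The following is an added example of that loop, not code from the talk or from Netflix; it assumes an IAM-style policy document with wildcard actions and constructed usage records (action, date last seen), plus hypothetical guard parameters for a minimum observation window and an unused-age threshold.

```python
from datetime import date, timedelta
import copy
import fnmatch

# Constructed sample policy for a hypothetical application role, written with wildcards.
POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "sqs:SendMessage", "sqs:ReceiveMessage"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["dynamodb:*"]},
]}
# Constructed usage records (action invoked, date last seen), standing in for an access log.
USAGE = [
    ("s3:GetObject", date(2018, 2, 20)),
    ("s3:ListBucket", date(2018, 2, 21)),
    ("sqs:SendMessage", date(2018, 2, 22)),
    ("dynamodb:PutItem", date(2017, 11, 1)),
]
OBSERVED_SINCE = date(2017, 10, 1)   # constructed: when usage collection began
TODAY = date(2018, 2, 23)            # constructed: date the trimming job runs


def least_privilege(policy, usage, observed_since, today,
                    min_observation_days=30, unused_after_days=90):
    """Return (trimmed_policy, removed_patterns, narrowed_wildcards).
    Trimming is refused until usage data spans min_observation_days, so a newly
    deployed application is not stripped of permissions it has not yet needed."""
    removed, narrowed = [], {}
    if (today - observed_since).days < min_observation_days:
        return copy.deepcopy(policy), removed, narrowed   # not enough data yet
    cutoff = today - timedelta(days=unused_after_days)
    recent = {a.lower(): a for a, seen in usage if seen >= cutoff}  # actions are case-insensitive
    trimmed = {"Statement": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":   # never touch Deny statements
            trimmed["Statement"].append(copy.deepcopy(stmt)); continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = []
        for pattern in actions:
            used = sorted(orig for low, orig in recent.items()
                          if fnmatch.fnmatchcase(low, pattern.lower()))
            if not used:
                removed.append(pattern)               # nothing matched: drop it
            elif "*" in pattern:                      # wildcard: keep only what was used
                narrowed[pattern] = used; kept.extend(used)
            else:
                kept.append(pattern)
        if kept:                                      # statements with no actions vanish
            trimmed["Statement"].append({**stmt, "Action": kept})
    return trimmed, sorted(removed), narrowed
```

Resource fields are left untouched here; the same matching applies to them once the log also records the resource touched.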

Bio: Travis works at Netflix on the Cloud Security team. He enjoys building automation to increase security while boosting developer productivity. Travis is a core developer of Bandit and has presented at security conferences including BlackHat USA, AppSec Cali, and BSides SF. He currently serves on the Bay Area OWASP leadership team, and in previous roles has served on the OpenStack Security team and was a founding member of the Cloud Foundry Security Team.