Security for netflix billing & payments (meetup)
•
8 gefällt mir•79,353 views
Poornaprajna Udupi and Rudra Peram representing the Product and Application Security team at Netflix, discuss making security consumable in the form of tools, libraries and self-service applications to enable developers attain a rapid velocity of feature delivery while simultaneously being secure. This presentation to the audience of billing and payments enthusiasts, covers a few security techniques: infrastructure segmentation, tokenization, utilization of big data for fraud and abuse detection, prevention and sanitization. Some of the open source security projects such as Scumblr, Sketchy and others in the pipeline also get mentioned
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Empfohlen
Empfohlen (20)
Security for netflix billing & payments (meetup)
- 1. Security for Billing & Payments Billing & Payments Meetup - March 18, 2015 Poorna Udupi & Rudra Peram Product & Application Security
- 2. Product & Application Security Consult, Educate, Evaluate, Design & Develop security solutions Enablers vs. Gatekeepers Agile, Adaptive, Pragmatic
- 4. Tokenization
- 5. Fraud & Abuse - Detect, Prevent, Sanitize
- 8. Billing & Payments Meetup - March 18, 2015 poorna@netflix.com (@poornaudupi) rperam@netflix.com
Hinweis der Redaktion
- Personal Intro Discuss how we think about security for the Netflix billing and payments.
- Responsible for security of the Netflix product. Teams and developers are constantly striving for rapid velocity of feature delivery. We make security consumable in the form of tools, libraries, self-service applications and services so that developers can be agile and simultaneously secure.
- From an infrastructure perspective we segment sensitive data and apps that access/process sensitive data into a segregated environment. Sensitive data could be credit card information, account details, etc. The high security environment has higher level of security controls including but not limited to •Firewalling - using separate AWS accounts, security groups, mutual SSL, •detailed audit logs - cloud trail logs, speedbump logs, •restricted and authorized access using SSO etc. •traffic monitoring - cloud passage egress monitoring •file integrity monitoring - cloudpassage •configuration monitoring - cloudpassage •Periodic third-party security assessments for compliance e.g. PCI
- Once we move mission critical security product to migrate B&P to the cloud, we want to take a stance such that in the worst case scenarios, even if a part of our infrastructure gets compromised, sensitive information is safe. e.g. We do not want to store credit card information in unencrypted form. But, we need to access the credit card in various forms for : -- fully decrypted for monthly billing -- partially encrypted for CS verification -- partially encrypted for DSE → cannot use external provider that would work for us in the cloud environment across all regions. We built Skeeball. distributed responsibilities for payments, skeeball and cryptex mutual authentication and least privilege system.
- Types of attackers & their motivations Free Trial Abuse (usually LATAM) Stolen Card Validation Account Takeover Payment method validations in new territories (usually LATAM) Location of Attackers dictates specific rules to cater to the attack signature
- Fraud Detection tools are good at identifying global fraud patterns across industries and help block these requests in real-time Fraud scenarios that are unique to a business necessitate the need for custom detection & cleanup tools Account Creation Patterns & Attributes Multiple accounts from same IP and/or same Name Locale not matching Signup Country Multiple profiles, streaming activity, devices associated, requests from different countries Account Access Patterns Signup Country & Streaming country being different Zero/Lots Streaming activity Identify fraudulent accounts & cleanup with minimal impact to legitimate users
- Speedbump: Edge traffic management product that processes incoming requests > 60000rps and makes a decision on whether to block/redirect/allow a request and have the entire fleet of our edge services know when there is an offender. (Open Source) Scumblr: Scours the web for mentions of Netflix, Account Generators, Credential dumps and helps us take them down and sanitize our accounts. (Open Source) Sketchy: Take screenshots of such nefarious sites so that our machines do not get infected. DirtyLaundry continuously scans Netflix edge end points for vulnerabilities and indicates any abnormalities.