在Netflix扩大应用安全(第二部分)
By Astha Singhal, Lakshmi Sudheer, Julia Knecht
作者:Astha Singhal,Lakshmi Sudheer,Julia Knecht
The Application Security teams at Netflix are responsible for securing the software footprint that we create to run the Netflix product, the Netflix studio, and the business. Our customers are product and engineering teams at Netflix that build these software services and platforms. The Netflix cultural values of ‘Context not Control’ and ‘Freedom and Responsibility’ strongly influence how we do Security at Netflix. Our goal is to manage security risks to Netflix via clear, opinionated security guidance, and by providing risk context to Netflix engineering teams to make pragmatic risk decisions at scale.
Netflix的应用安全团队负责确保我们为运行Netflix产品、Netflix工作室和业务而创建的软件足迹的安全。我们的客户是Netflix的产品和工程团队,他们建立这些软件服务和平台。Netflix的文化价值观是 "内涵而非控制 "和 "自由与责任",它强烈地影响着我们在Netflix的安全工作。我们的目标是通过明确的、有主见的安全指导来管理Netflix的安全风险,并为Netflix工程团队提供风险背景,以便在规模上做出务实的风险决策。
A few years ago, we published this blog post about how we had organized our team to focus our bandwidth on scalable investments as opposed to just traditional Appsec functions, which were not scaling well in our rapidly growing environment. We leaned into the idea of strategic security partnerships and automation investments to create more leverage for application security. This became the foundation for our current org structure with teams focused on Appsec Partnerships and Appsec Engineering. In this operating model, we provided critical Appsec operational services to Netflix — including bug bounty, pentesting, PSIRT (product security incident response), security reviews, and developer security education — via a shared on-call rotation.
几年前,我们发表了这篇博文,讲述了我们如何组织我们的团队,将带宽集中在可扩展的投资上,而不仅仅是传统的Appsec功能,这些功能在我们快速增长的环境中不能很好地扩展。我们倾向于战略安全伙伴关系和自动化投资的想法,以便为应用安全创造更多的杠杆。这成为我们目前组织结构的基础,其团队专注于应用安全伙伴关系和应用安全工程。在这种运营模式下,我们通过轮流值班的方式向Netflix提供关键的Appsec运营服务,包括bug赏金、pentesting、PSIRT(产品安全事件响应)、安全审查和开发人员安全教育。
Over the past few years, this model has allowed us to focus on investments like Secure by Default for baseline secur...