确保Netflix工作室的规模 Netflix TechBlog

Written by Jose Fernandez, Arthur Gonigberg, Julia Knecht, and Patrick Thomas

撰稿人 Jose Fernandez, 阿瑟-戈尼格伯格, Julia Knecht, 和 帕特里克-托马斯

In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play. The security team was working diligently to support this effort, faced with two apparently contradictory priorities:

2017年，Netflix工作室正处于一个拐点，从一个仅仅是快速增长的时期到那种爆炸性的增长，把 "我们如何扩展？"抛到每一次谈话中。我们的愿景是创建一个 "云端工作室"，用应用程序支持业务的每一个部分，从投稿到播放。安全团队正在努力工作以支持这一努力，面临着两个明显相互矛盾的优先事项。

• 1. streamline any security processes so that we could get applications built and deployed to the public internet faster
  2. 简化任何安全流程，以便我们能够更快地建立和部署应用程序到公共互联网上。
• 2. raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value
  3. 提高整体安全标准，使这个巨大的、不断增长的、新近面向互联网的、高敏感的资产组合的累积风险不超过其价值。

The journey to resolve that contradiction has been a collaboration that we’re proud of, and that we think exemplifies how Netflix approaches infrastructure product development and product security partnerships. You’ll hear from two teams here: first Application Security, and then Cloud Gateway.

解决这一矛盾的历程是我们引以为豪的合作，我们认为它体现了Netflix如何对待基础设施产品开发和产品安全合作。在这里你会听到两个团队的发言：首先是应用安全，然后是云网关。

Julia & Patrick (Netflix Application Security): In deciding how to address this, we focused on two observations. The first was that there were too many security things that each software team needed to think about — things like TLS certificates, authentication, security headers, request logging, rate limiting, among many others. There were security checklists for developers, but they were lengthy and mostly manual, neither of which contributed to the goal of accelerating development. Adding to the complexity, many of the checklist items themselves had a variety of diff...