YoVDO

We Come Bearing Gifts - Enabling Product Security with Culture and Cloud

Offered By: OWASP Foundation via YouTube


Course Description

Overview

Explore a revolutionary approach to product security in this AppSec Cali 2018 conference talk. Discover how Netflix's Application Security team balances security impact with engineering enablement by embracing cloud-centric automation and discarding traditional security behaviors. Learn about innovative techniques such as provable application identity, immutable and continuous deployment, and secret bootstrapping. Gain insights into replacing heavy-handed gating with an automation-first approach, building powerful security capabilities on cloud deployment primitives, and fostering a culture of enablement. Delve into topics including threat modeling, automating vulnerability detection, static analysis scans, and the challenges of implementing this security philosophy. Understand how this approach supports high-velocity engineering teams and addresses the question: "What if security never had to say 'no'?"

Syllabus

Introduction
Why is security hard
Netflix culture
Reducing risk
Is this gonna work
Challenges
Are you strikes light
Paved Path
CI/CD Pipeline
Security Tools
Assess
CI/CD
Spinnaker
Security Nihilism
How do we have enough people
Quarterly planning
What are we doing
It's a technical journey
Homestretch takeaways
Questions
Threat Modeling
Automating finding vulnerabilities
Static analysis scans
Tools
Code Hygiene vs Legit Vulnerability
How do you respond to questions
Why do you have reservations with third-party pentesting
How do you compensate for reservations
Are you also running analytics


Taught by

OWASP Foundation
