Netflix open sources ChatOps tool for GitHub management and user focused security web application

Netflix has announced two large projects that have been open sourced in 2017 so far.

New ChatOps tool

Writing in the streaming service’s tech blog, senior engineers Michael Grima, Andrew Spyker and Jason Chan, introduced HubCommander, a ChatOps tool for GitHub management.

Netflix uses GitHub extensively for both open source and internal projects. The engineering team at Netflix highlighted some key challenges, particularly related to user management.

“Management of many users on GitHub can be a challenge without tooling. We needed to provide enhanced security capabilities while maintaining developer agility.”

“To reduce complexity, we enforce a consistent permissions model across all of our organizations. This allows us to develop tools to simplify and streamline our GitHub organization administration.”

Why ChatOps?

The Netflix approach leverages ChatOps, which utilises chat applications for performing operational tasks.

Increasingly popular amongst developers, ChatOps leverages chat tools that are ubiquitous, provide a single context for what actions occurred when and by whom, and also provide an effective means to provide self-serviceability to developers.

Security in GitHub organisations

Security is paramount for Netflix, and the company follows a permissions model that applies the principle of least privilege, but is still open enough so that developers can obtain the access they need and move fast.

“While we permit our developers to have write access to all of our repositories, we do not directly permit them to create, delete, or change repository visibility.”

“Additionally, all developers are required to have multi-factor authentication enabled. All of our developers on GitHub have their IDs linked in our internal employee tracking system, and GitHub membership to our organizations is removed when employees leave the company automatically (we have scripts to automate this).”

Netflix also enables third-party application restrictions on its organisations to only allow specific third party GitHub applications access to its repositories.
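The membership and permissions model described above lends itself to a periodic reconciliation check: every organisation member should map to an active employee, have multi-factor authentication enabled, and hold no more than write access unless explicitly approved for admin. The following Python is an added example written for this page, not Netflix's HubCommander or its internal scripts; the member list, employee roster, approved-admin set and per-repository permissions are constructed sample data standing in for what would be fetched from the GitHub API and an internal employee system.

```python
"""Reconcile a GitHub organisation against a least-privilege membership model.

Added illustration for this page, not Netflix's own tooling. All inputs are
constructed in-memory samples so the check runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    login: str
    two_factor_enabled: bool
    role: str  # organisation role: "member" or "admin"


@dataclass(frozen=True)
class Finding:
    login: str
    issue: str
    action: str


# Constructed sample input: the organisation's current member list.
ORG_MEMBERS = [
    Member("alice", True, "member"),
    Member("bob", False, "member"),   # MFA not enabled
    Member("carol", True, "admin"),
    Member("dave", True, "member"),   # no longer an active employee
    Member("erin", True, "admin"),    # admin without approval
]

# Constructed sample input: active employees mapped to a hypothetical
# employee ID from the internal tracking system.
ACTIVE_EMPLOYEES = {"alice": "E100", "bob": "E101", "carol": "E102", "erin": "E104"}

# Hypothetical allow-list of logins approved to hold admin rights.
APPROVED_ADMINS = {"carol"}

# Constructed sample input: per-repository permission of each collaborator.
REPO_PERMISSIONS = {
    "service-a": {"alice": "write", "bob": "write", "carol": "admin"},
    "service-b": {"alice": "admin", "dave": "write"},
}


def audit_org(members, active_employees, approved_admins):
    """Return findings for departed users, missing MFA and unapproved admins."""
    findings = []
    for m in members:
        if m.login not in active_employees:
            findings.append(Finding(m.login, "not an active employee",
                                    "remove from organization"))
            continue  # a departed user is removed outright; skip other checks
        if not m.two_factor_enabled:
            findings.append(Finding(m.login, "multi-factor authentication disabled",
                                    "block until MFA enabled"))
        if m.role == "admin" and m.login not in approved_admins:
            findings.append(Finding(m.login, "unapproved organization admin role",
                                    "downgrade to member"))
    return findings


def audit_repos(repo_permissions, approved_admins):
    """Developers get write access; admin on a repository needs approval."""
    findings = []
    for repo, perms in sorted(repo_permissions.items()):
        for login, perm in sorted(perms.items()):
            if perm == "admin" and login not in approved_admins:
                findings.append(Finding(login, f"admin permission on {repo}",
                                        "downgrade to write"))
    return findings


def removal_candidates(findings):
    """Logins whose recommended action is removal, sorted for stable reporting."""
    return sorted(f.login for f in findings if f.action == "remove from organization")


if __name__ == "__main__":
    for f in audit_org(ORG_MEMBERS, ACTIVE_EMPLOYEES, APPROVED_ADMINS) + \
             audit_repos(REPO_PERMISSIONS, APPROVED_ADMINS):
        print(f"{f.login}: {f.issue} -> {f.action}")
```

In practice the member and collaborator lists would come from the organisation endpoints of the GitHub API, and the findings would be surfaced through a ChatOps command or ticket for an administrator to act on, which keeps the audit trail the article describes as a benefit of the chat-based approach.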

Contributions from the developer community

“If you’d like to extend these features, we’d love contributions to our repository on GitHub,” the Netflix engineers said.

Stethoscope, Netflix’s first project following a user focused security approach

In another blog post, Jason Chan, Director of Engineering – Cloud Security at Netflix, discusses the open sourcing of Stethoscope, a web application that collects information for a given user’s devices and gives them clear and specific recommendations for securing their systems.

“The notion of ‘User Focused Security’ acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it’s one of the core principles driving our approach to corporate information security. It’s also reflective of our philosophy that tools are only effective when they consider the true context of people’s work,” Chan said.

Education, not automatic enforcement

The reasoning behind Stethoscope is primarily education and helping employees stay safe from phishing, malware, and other exploits on personal devices – outside of Netflix’s direct control.

“If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix,” Chan said.


Edited from sources by Cecilia Rehn.