@royrapoport rsr@netflix.com SSL* Certificate Reporting BayLISA March 21st, 2013 Friday, March 22, 13 This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
54
Embed
SSL Certificate Expiration and Howler Monkey's Inception
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
This is the story of how we went from SSL certificates expiring without notice in production to deploying Security Monkey (later renamed Howler Monkey) and permanently eliminating SSL certificate expiration as a production-class issue.
We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
We hire very smart people, give them all the context and situational awareness they want, and set them free. We design our environment, our systems, and our teams to be empowered to make decisions without requiring slow approval processes, cumbersome formal communication, or any other unnecessary friction.
Some certificates weren’t even SSL certificates -- we have certificates we get from a partner that cannot be accessed via SSL, and for which the answer to the question “when does this expire?” require scraping a web page.
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
(obviously, the ‘standard ways to solve this’ part here is somewhat facetious, but these are, in fact, the standard ways in which most organizations try to deal with keeping up with SSL certificate expirations)
Start with a very simple model -- a Certificate entity, which is really just a combination of name, expiration date, and a series of locations where we can find this. It’d be trivial to feed this thing from my todo list, if I wanted to (but given the state of my todo list, probably a bad idea)
Then start building location-aware spiders -- e.g. this spider that knows how to probe all our ELBs to see if they listen on 443 and gets their certificate if they do.
And send out emails, too -- once we built the capability for teams to subscribe to emails for a given certificate and specify how many days before expiration they should start getting notified
We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
• No Production Emergencies due to SSL certificate expiration
Friday, March 22, 13
We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
• No Production Emergencies due to SSL certificate expiration
• Validated Design
Friday, March 22, 13
We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.
• No Production Emergencies due to SSL certificate expiration
• Validated Design
• Better Subscription Capabilities
Friday, March 22, 13
We validated the design by continuing to iterate on it -- recently, when building the DNS spider component, that work took only about 15 minutes to implement. We also expanded subscription capabilities so teams could subscribe to certificate expiration warnings based on certificate name regular expressions.