Netflix unveils open source user device security tool

News by Rene Millman

Actionable information and low-friction tools for users can get devices into a more secure state without heavy-handed policy enforcement.

Video streaming company Netflix has launched a new open source tool to help users make better choices around device security.

Dubbed Stethoscope, the tool collects information about user devices to give users clear and concise recommendations on how to secure them.

In a blog post, Netflix engineers Jesse Kriss and Andrew White wrote: “If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement.”

“It's important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices–which we don't control–may very well be the first target of attack for phishing, malware, and other exploits. If they fall for a phishing attack on their personal laptop, that may be the first step in an attack on our systems here at Netflix.”

The tool collects information from both desktop and mobile devices and from enterprise management systems such as LANDESK (for Windows), JAMF (for Macs), and Google MDM (for mobile devices).

It then evaluates the device's configuration against a set of recommended practices: disk encryption, firewall status, screen-saver lock and password, operating system patching and auto-updating, and whether a mobile device has been rooted or jailbroken. It also checks whether endpoint monitoring software is installed.
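The two paragraphs above describe the shape of the tool: observations about one device arrive from several sources (an endpoint management system, an MDM, a check the user runs locally), they are merged into one view, and that view is scored against a list of practices to produce advice rather than an allow/deny verdict. The following is an added illustration of that pattern in Python; it is not Stethoscope's own code, and the attribute names, practice list, source names and sample observations are all constructed for the example.

```python
"""Stethoscope-style device health check (illustrative, not Netflix's code).

Observations from several sources are merged, most recent value per
attribute winning, and the merged view is evaluated against a fixed list
of practices. The output is user-facing advice, not an access decision.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Observation:
    """One source's report about a device. `attrs` holds only the
    attributes that source actually knows about."""
    source: str          # hypothetical names: "jamf", "google_mdm", "local_check"
    seen_at: datetime    # when the source last saw the device
    attrs: dict          # attribute name -> observed value


# Practices: attribute name, value that counts as "good", platforms the
# practice applies to, and the advice shown when the device falls short.
# The attribute names are this example's own schema, not Stethoscope's.
PRACTICES = (
    ("disk_encryption", True, {"mac", "windows"},
     "Turn on full-disk encryption so a lost laptop does not expose data."),
    ("firewall", True, {"mac", "windows"},
     "Enable the built-in firewall to block unsolicited inbound connections."),
    ("screen_lock", True, {"mac", "windows", "ios", "android"},
     "Require a password or PIN when the screen locks."),
    ("os_up_to_date", True, {"mac", "windows", "ios", "android"},
     "Install the pending operating-system updates."),
    ("auto_update", True, {"mac", "windows"},
     "Turn on automatic updates so patches arrive without manual effort."),
    ("jailbroken", False, {"ios", "android"},
     "A rooted or jailbroken device bypasses platform protections; restore it."),
    ("monitoring_agent", True, {"mac", "windows"},
     "Install the endpoint monitoring agent so incidents can be investigated."),
)

# Findings the user must act on come first, then checks with no data.
STATUS_ORDER = {"action_required": 0, "unknown": 1, "ok": 2}


def merge(observations):
    """Combine reports from several sources into one view of the device.
    For each attribute the most recently observed value wins, and the
    winning source is kept so the user can see where a finding came from."""
    latest = {}
    for obs in observations:
        for attr, value in obs.attrs.items():
            if attr not in latest or obs.seen_at > latest[attr]["seen_at"]:
                latest[attr] = {"value": value, "source": obs.source,
                                "seen_at": obs.seen_at}
    return latest


def evaluate(platform, merged):
    """Score the merged view against the practices that apply to this
    platform and return recommendations, worst first."""
    findings = []
    for attr, good, platforms, advice in PRACTICES:
        if platform not in platforms:
            continue                      # e.g. "jailbroken" is not a laptop check
        if attr not in merged:
            findings.append({"practice": attr, "status": "unknown", "source": None,
                             "advice": "No data for this check yet; run the local check."})
        elif merged[attr]["value"] == good:
            findings.append({"practice": attr, "status": "ok",
                             "source": merged[attr]["source"], "advice": ""})
        else:
            findings.append({"practice": attr, "status": "action_required",
                             "source": merged[attr]["source"], "advice": advice})
    findings.sort(key=lambda f: STATUS_ORDER[f["status"]])   # stable sort
    return findings


# Constructed sample: the management system saw the laptop on the 20th with
# the firewall off; a local check the user ran a day later shows it on.
SAMPLE_OBSERVATIONS = (
    Observation("jamf", datetime(2017, 2, 20, 9, 0, tzinfo=timezone.utc),
                {"disk_encryption": True, "firewall": False, "screen_lock": True,
                 "os_up_to_date": False, "monitoring_agent": True}),
    Observation("local_check", datetime(2017, 2, 21, 14, 30, tzinfo=timezone.utc),
                {"firewall": True, "os_up_to_date": False}),
)


def demo():
    """Evaluate the constructed sample as a Mac laptop."""
    return evaluate("mac", merge(SAMPLE_OBSERVATIONS))


if __name__ == "__main__":
    for f in demo():
        src = f["source"] or "-"
        print(f"{f['status']:16} {f['practice']:18} [{src}] {f['advice']}")
```

Two design points worth noting. Recency-based merging means a user who fixes something and re-runs the local check sees the fix immediately, instead of waiting for the management system's next inventory; the source is carried through so a stale or conflicting record can be traced. Sorting by status, with "unknown" ahead of "ok", keeps the list short and actionable, which is the overload problem the experts quoted below raise.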

Stethoscope's back end is written in Python, it sits behind the Nginx web server and reverse proxy, and it can be run as a Docker container. It is available on GitHub under an Apache 2.0 licence.

Javvad Malik, security advocate at AlienVault, told SC Magazine that the product seems to have features that are common to network access control (NAC) or similar endpoint security assessment techniques.

“The primary difference here is that rather than using the information to inform an allow/deny decision – it is being used as a user-awareness tool. A health check if you like, educating users on what weaknesses exist on their systems and how they can be improved,” he said.

“The challenge with any user awareness and education is tailoring the alerts to not overload a user so that they become immune to it, and to provide meaningful information that can be acted upon. It looks as if Netflix is trying to address both these issues in its design, but a lot of effectiveness will boil down to implementations.”

Mark James, IT security specialist at ESET, told SC Media UK that rules and policies are great but when brutally enforced and blindly followed people often don't understand why it's important or how they can help.

“Quite often the end user does not understand why something is important to do and therefore it's not natural to do,” he said. “Engaging and involving your users to form an integral and trusted barrier for cyber-security can work a lot better than education rammed down people's throats.”

Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that Netflix has an excellent reputation for sharing useful and effective security tools that it has developed, and that it will be interesting to examine how Stethoscope can be used.

“The overall concept of enabling users to be involved in their own security is a promising concept and encouraging in commercial sites,” he added.
