Modern AppSec for the Entertainment and DevOps Leader

Data Theorem helped Netflix identify and close 62 security issues and address 24 regulatory compliance issues, all before the apps were released to the public app stores.

100%: Percentage of apps scanned, including pre-production
62: Overall closed security issues
24: Regulatory compliance issues identified and closed

Netflix applications are ranked #1 in the Americas with nearly 20% of all traffic and #1 globally with approximately 15% of all Internet traffic. The scale and rate-of-change that the Netflix DevOps teams operate at are considered world-class. Netflix technical teams consistently give back and showcase the problems they solve through their open source projects. They are no strangers to automation and look to automate whenever they can in their approach to modern application security (AppSec).

The Challenge

The Netflix flagship application is updated frequently and therefore needs a security solution that can match the pace of each release. Ideally, they want an AppSec solution that not only finds traditional security defects but also identifies mobile-specific privacy and security issues that developers may not be aware they need to address. AppSec processes and features that hinder development and create friction for Netflix customers struggle to gain traction. The need for a modern AppSec platform that keeps pace with Netflix's culture, scale, and overall speed has been a big challenge.

Past Alternatives

Before Data Theorem, Netflix relied on their internal security team for mobile application security testing. They tested numerous legacy tools and found that none of them were optimized for a large-scale DevOps environment where automation and ease-of-use are necessary. Instead of hiring security specialists for each mobile platform, the company connected with Data Theorem. Data Theorem's approach focuses on helping developers quickly by giving them secure code samples and automating the myriad tests that application security researchers typically apply in an audit and assessment program.

The Solution

Netflix evaluated several different solutions and, as part of that process, engaged Data Theorem to perform an evaluation scan of their Android, iOS, and Microsoft mobile apps. The results were concise, relevant, and actionable. The company decided they wanted Data Theorem's App Secure solution in place for every future release of their apps.

The Data Theorem App Secure product performs static and dynamic analysis on any iOS or Android application in search of security vulnerabilities and privacy gaps. It helps detect injection issues, session management issues, dynamic run-time flaws, vulnerable third-party SDKs, insecure Open Source Libraries, and compliance gaps for PCI, GDPR, HIPAA, FTC, etc. Most importantly, it provides Objective-C, Swift, and/or Java code to solve each identified issue.

Data Theorem's solution continuously monitors and scans every Netflix mobile application available in the Apple App and Google Play stores, alerting Netflix's security team when it discovers a security or privacy issue.

The Results

Data Theorem's App Secure has identified and fixed (with Objective-C, Swift, Java, and Kotlin secure code) a variety of vulnerabilities in Netflix's apps before they were released to the public app stores, including:

App/Play Store Blockers

Apple and Google review each app submission and reject releases that don't meet their platform requirements. Data Theorem has helped Netflix identify blockers before submitting for release, making the approval process faster and allowing Netflix to ship new versions with bug fixes and features without unnecessary delay.

Vulnerabilities in Open Source Libraries

Most software engineers don't write all code from scratch; they include open source libraries and build upon them. Tracking vulnerabilities in these external libraries can be tedious. Data Theorem identifies the third-party libraries in each app and notifies the Netflix security team when it discovers a vulnerability in one of them.

Remote Code Execution Flaws

Data Theorem has helped the Netflix security team identify vectors that would allow an attacker to attempt remote code execution. This resulted in Netflix fixing the security flaw and releasing a more secure version that mitigated the risk.

Proactive Security Features

Data Theorem’s Application Protection service goes beyond just finding security bugs and gives developers code snippets that help prevent common bugs from ever being introduced. Netflix has been advised of many of these defensive features to make their apps more resilient to common coding issues.

Data Theorem provides security coverage for Netflix's mobile apps. Through the hosted portal, Netflix's developers and security team can log in at any time for status updates, review flaws and alerts, and review secure code recommendations, thus saving time, keeping data secure, and reducing the burden on internal application security staff.

“Our approach to security is that we keep pace with the speed and scale of our products and business teams. With Data Theorem, we have a partner who understands that and works to deliver us automated security tools and insightful data to support our efforts.”

Jason Chan
Vice President, Head of Security

About Netflix
Industry: Entertainment
Location: Los Gatos, CA

Netflix is the world's leading Internet entertainment service with 130 million paid memberships in over 190 countries enjoying TV series, documentaries and feature films across a wide variety of genres and languages. Members can watch as much as they want, anytime, anywhere, on any Internet-connected screen. Members can play, pause and resume watching, all without commercials or commitments.