Netflix security engineer discusses what goes on behind the scenes at one of the world's biggest tech companies

At the foot of the Santa Cruz mountains in Los Gatos, California, just 20 miles from the hustle and bustle of Palo Alto, Netflix is trying a modern approach towards keeping its networks secure.

“Everyone here is considered a senior engineer and mature enough to make those decisions, so you’re free to run an experiment, free to make a change, free to push a change on Friday at 5pm after everyone has left, risking that you might take the service down,” said William Bengtson, senior security engineer at Netflix.

“But ultimately with the freedom comes great responsibility. So you can do whatever you’d like, but you have to know that that decision you’ve made, you will be responsible for or your team will be responsible for.”

Bengtson, an engineer in cloud security tools and operations, was speaking at the online All Day DevOps conference, streamed worldwide this week across a two-day period.

He told of the US company’s ‘security by enablement’ culture, which puts the onus on helping developers work quickly and safely, rather than creating barriers for them.

Netflix currently boasts around 137 million subscribers across three regions – a figure that continues to grow.

Just this week, Q3 figures showed that Netflix welcomed seven million more subscribers than in Q2, pushing shares in the company up by 12%.

The ratio of security workers to subscribers is still relatively low compared to some major companies, Bengtson admits, driving Netflix towards automating many of its security tools.

Security workers are also encouraged to advise, rather than dictate to, their developer colleagues – a stark contrast to the sometimes strained working relationships between the two job roles.

“We like to be an enabler and never say the dreaded word ‘no’,” Bengtson said.

“We like to approach things from a solution-based [perspective] and continue to enable the people who operate. We’re not a gatekeeper.”

He added: “We definitely operate on the guard rail rather than gate mentality.

“So if you think about bowling and having the bumper guards, that’s definitely our security approach when possible.

“We’d rather give you the freedom to deploy and come back and put those guard rails in place, so that if you did make a mistake, we’d catch that rather quick and pull it back for you.”

The working culture is a topic the video-streaming giant is keen to shout about, both within a dedicated section on its website and in the media.

Netflix is also as transparent about its firing as it is about its hiring – workers who don’t bring their A-game are quickly dismissed (albeit with a four-month, fully paid lay-off deal).

“Succeeding on a dream team is about being effective, not about working hard,” Netflix states on its website.

“Sustained ‘B’ performance, despite an ‘A’ for effort, gets a respectful severance package. Sustained ‘A’ performance, even with modest level of effort, gets rewarded.”

Security focus

The company has shown it has made efforts to protect users’ security, both by launching its public bug bounty program and by posting public advice for users on how to secure their own networks.

In the same breath, however, it has been criticized for holes in its security features, even after a 2017 hack saw 1.4 billion users’ account and password details posted online.

It still doesn’t offer two-factor authentication, for example, which isn’t a huge issue in itself – after all, watching videos on someone else’s account is more of an annoyance than a threat.

But malicious actors could use the leaked details to log in and view the account holder’s full name, for example, or change the email address associated with the account.

All in all, a company with a security-focused attitude proves refreshing, especially in times of near-constant data breaches and privacy scandals that we have all become accustomed to.

The Daily Swig has reached out to Netflix for comment and will update this article accordingly.