To some observers, security just doesn’t go well with the developer mindset. Things developers like, such as microservices, NoSQL, cloud computing, agile development, DevOps—you know, the “fun stuff”—is seen as antithetical to keeping the security and compliance auditors happy.

But Jason Chan, an engineering director at Netflix who is responsible for security there, showed FutureStack15 attendees that it doesn’t have to be that way. In his presentation on “Splitting the Check on Compliance and Security,” he shared how Netflix moved its PCI and SOX environments to the cloud to satisfy both auditors and developers “without ripping each others’ hair out.”

jason chan of netflix

For developers, Jason said, 2015 was “like a kid in a candy store.” But for auditors, every step in 2015 was “fraught with peril.” The groups have different incentives and perspectives, he explained, and they want and need different things.

netflix presentation chart

DevOps, he said, can help resolve this disconnect by changing the mindset of developers to take responsibility for running the code they write. Once that happens, developers who find they need to “support” the system are more in alignment with auditors who need to “verify” the system.

The key to devs and auditors becoming “best friends,” Jason said, is to replace the check-box approach to compliance with a pillar-based approach where “regardless of any particular regulatory requirements, I’m just going to design things around these core operational principles … and as a result of that I’m going to be able to meet compliance requirements.”

Jason took attendees on a deep dive into each of the three pillars of this approach:

  1. Traceability in development
  2. Continuous security visibility
  3. Compartmentalization

He also explained how Spinnaker, a newly open sourced system Netflix built to support continuous deployment in the company’s AWS cloud environment, helps the team deal with each one.

To put it all together, Jason advised attendees to limit investments in approaches that meet narrow regulatory needs, and instead embrace core security and design principles and focus on tools and techniques that serve multiple audiences—developers and auditors, for example.

You can see all available FutureStack15 presentation videos, including the keynotes, at our FutureStack15 YouTube playlist. We’ll be adding even more in the coming days and weeks, so subscribe now!


Film reel image courtesy of Jason Chan photo © Andrew Weeks Photography.

Disclaimer: The views expressed in these presentations are those of the respective speakers and do not necessarily reflect the views of New Relic. By providing access to these presentations, New Relic does not adopt, guarantee, approve or endorse the information, views or products discussed therein. The respective presentation speakers have given permission to New Relic to post the content they presented onstage.'

Fredric Paul (aka The Freditor) is Editor in Chief for New Relic. He's an award-winning writer, editor, and content strategist who has held senior editorial positions at ReadWrite,, InformationWeek, CNET, Electronic Entertainment, PC World, and PC|Computing. His writing has appeared in MIT Technology Review, Omni, Conde Nast Traveler, and Newsweek, among other places. View posts by .

Interested in writing for New Relic Blog? Send us a pitch!