October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Cleaning your application's dirty laundry with Scumblr

Andy Hoernecke (Netflix), Scott Behrens (Netflix)
4:45pm–5:25pm Wednesday, 11/02/2016
Tools and processes
Location: Grand Ballroom West
Level: Intermediate

Prerequisite knowledge

  • Proficiency in application security, security dev operations, or incident response
  • Basic knowledge of cloud security challenges
  • General experience with writing code and application development

What you'll learn

  • Learn an approach to tackling appsec challenges with Scumblr, a framework for rapidly adding new checks and controls
  • Explore examples of how to use Scumblr to solve challenging and ongoing security problems like tracking data about applications/endpoints and collecting dynamic/static analysis results
  • Discover the major enhancements and plugins that are being open sourced to the Scumblr framework


As in many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed every day, code is pushed every hour, and systems are spun up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix’s 100 percent cloud model, provides significant challenges in understanding its assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues, Netflix developed and released an open source tool called Scumblr in 2014. Andy Hoernecke and Scott Behrens introduce Scumblr, which has been successful in tackling a broad range of security challenges.

Scumblr was initially focused on the outside—finding interesting intelligence from the Internet and bringing it to Netflix’s attention. Internally, however, Andy and Scott’s team found new and innovative ways to use the Scumblr platform to make an appsec engineer’s life a little bit easier. Through a series of small tweaks—and larger architectural changes—Scumblr has become a versatile tool that allows Netflix to track a wide range of information, including changes to endpoints on Netflix.com, risk profiles for each application in its environment, and the status of vulnerabilities across thousands of applications. The team has made changes to Scumblr to make it faster, more flexible, and more powerful, and they are ready to share these changes with the open source community.

You’ll gain an understanding of how the Netflix team designed a tool that has been successful in tackling a broad range of security challenges. Andy and Scott share the latest uses for the tools, including details on how Netflix is using Scumblr for vulnerability management, application risk tracking, and other uses. Andy and Scott conclude with a discussion of how you can replicate Netflix’s success with Scumblr using plugins that integrate with Arachni, AppSpider, and GitHub and explain just how easy it is to create new integrations that open up new opportunities for automation, data collection, and analysis.

Andy Hoernecke


Andy Hoernecke is a senior application security engineer on the Product and Application Security team at Netflix, where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security tools. Andy’s approach to security centers around finding practical solutions to long-standing, difficult problems. He couples his experience in security with his interest in data visualization to provide unique insight into today’s biggest security challenges. Previously, Andy built and ran the Application Security program for the Sears online business unit. He was also an adjunct professor at DePaul University, where he taught master’s-level courses in information security. Andy holds a master’s degree in computer engineering and information assurance from Iowa State University and is actively involved with information security efforts through multiple organizations.

Scott Behrens


Scott Behrens is a senior application security engineer for Netflix. Previously, Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott’s expertise lies in security automation for application security, penetration testing, and security research. An avid coder and breaker, he has authored and contributed to a number of open source tools for both attack and defense. Scott has presented security research at ShmooCon, DEF CON, DerbyCon, Shakacon, Security Forum Hagenberg, Security BSides Chicago, and others.