Open Source Developments at SendGrid: The Justice Engine

August 16, 2018 • 3 min read

Note: This post comes from SendGrid’s Security Team. For more technical posts like this, check out our technical blogroll.

As described in the SendGrid Security team's last post, we are using a tool we call Krampus to help us mitigate potential risk within our cloud infrastructure. Our aim in this post is to explain and share how we leverage that tool to make our lives easier. In our initial post on our team's approach to cloud security, we mentioned the following:

“Our ability to enable the business to quickly execute on our cloud security strategy relied on us being able to stand on the shoulders of giants. For example, we have opted to run a modified version of Netflix’s Security Monkey project in order to identify resources with security issues.”

And one might very well ask “What kind of modifications did you make?”

The answer to that…we call the Justice Engine.

What is this Justice Engine that you speak of?

The Justice Engine is a plugin that we've developed for Security Monkey that acts as judge and jury of resources. It begins by calculating the risk any given cloud resource poses to our company. This risk is calculated based on the resource's configuration over time: a finding that has persisted across many scans counts for more than one that appeared in the latest scan only. Configurations such as having a resource accessible to the whole Internet are weighted heavily by the Justice Engine and are more likely to be flagged for removal.

Once the resource's score has been calculated, the Justice Engine continues by formatting the results into a standard format that Krampus can act on, and finishes by warning the various resource owners of the planned action.
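To make the three stages concrete (score the resource from its configuration history, emit an action record in a fixed format, warn the owner), here is an added example of the same pipeline in Python. It is illustrative code written for this post and is not the Justice Engine, Security Monkey or Krampus source; the finding names, the weights, the persistence multiplier, the action threshold and the record layout are all assumptions chosen for the example, and the resources and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional

# Assumed weights per finding type. Public Internet exposure dominates, so a
# publicly reachable resource crosses the action threshold on its own once it
# has persisted for a while. Unknown finding types get a small default weight.
RISK_WEIGHTS: Dict[str, int] = {
    "public_internet_access": 50,
    "overly_permissive_policy": 20,
    "unencrypted_storage": 15,
    "no_logging": 10,
}
DEFAULT_WEIGHT = 5
ACTION_THRESHOLD = 60.0  # assumed: scores at or above this get "remediate"


@dataclass(frozen=True)
class ConfigSnapshot:
    """One scan of a resource: when it was observed and which findings were open."""
    observed_at: datetime
    findings: FrozenSet[str]


@dataclass
class Resource:
    resource_id: str
    owner_email: str
    history: List[ConfigSnapshot]  # any order; scoring sorts by observed_at


def score_resource(resource: Resource) -> float:
    """Score the latest configuration, weighting each finding by how long it has
    persisted without interruption. Assumed rule: +10% per day of persistence,
    capped at 2x the base weight."""
    if not resource.history:
        return 0.0
    history = sorted(resource.history, key=lambda s: s.observed_at)
    latest = history[-1]
    total = 0.0
    for finding in latest.findings:
        weight = RISK_WEIGHTS.get(finding, DEFAULT_WEIGHT)
        # Walk backwards to find the earliest snapshot of the unbroken streak.
        streak_start = latest.observed_at
        for snap in reversed(history):
            if finding not in snap.findings:
                break
            streak_start = snap.observed_at
        days_persisted = (latest.observed_at - streak_start).days
        multiplier = min(1.0 + 0.1 * days_persisted, 2.0)
        total += weight * multiplier
    return round(total, 2)


def judge(resource: Resource) -> Dict[str, object]:
    """Produce the fixed-format action record an enforcement tool would consume
    (layout is an assumption, not the real Krampus input format)."""
    score = score_resource(resource)
    latest_findings: List[str] = []
    if resource.history:
        latest = max(resource.history, key=lambda s: s.observed_at)
        latest_findings = sorted(latest.findings)
    return {
        "resource_id": resource.resource_id,
        "score": score,
        "action": "remediate" if score >= ACTION_THRESHOLD else "monitor",
        "findings": latest_findings,
    }


def owner_warning(action: Dict[str, object], owner_email: str) -> Optional[str]:
    """Build the warning sent to the owner before enforcement; None when no action is planned."""
    if action["action"] != "remediate":
        return None
    findings = ", ".join(action["findings"]) or "none"
    return (
        f"To: {owner_email}\n"
        f"Resource {action['resource_id']} scored {action['score']} "
        f"(threshold {ACTION_THRESHOLD}) for: {findings}. "
        f"Planned action: {action['action']}."
    )


def run_justice_engine(resources: List[Resource]) -> List[Dict[str, object]]:
    """Score, format and warn for every resource; returns the action records."""
    records = []
    for resource in resources:
        action = judge(resource)
        action["warning"] = owner_warning(action, resource.owner_email)
        records.append(action)
    return records


# Constructed sample data: one bucket-like resource that has been public for four
# days and just lost encryption, and one that is merely missing logging.
SAMPLE_RESOURCES = [
    Resource("constructed-public-bucket", "owner-a@example.invalid", [
        ConfigSnapshot(datetime(2018, 8, 10), frozenset({"public_internet_access"})),
        ConfigSnapshot(datetime(2018, 8, 12), frozenset({"public_internet_access"})),
        ConfigSnapshot(datetime(2018, 8, 14), frozenset({"public_internet_access", "unencrypted_storage"})),
    ]),
    Resource("constructed-quiet-queue", "owner-b@example.invalid", [
        ConfigSnapshot(datetime(2018, 8, 14), frozenset({"no_logging"})),
    ]),
]

if __name__ == "__main__":
    for record in run_justice_engine(SAMPLE_RESOURCES):
        print(record["resource_id"], record["score"], record["action"])
        if record["warning"]:
            print(record["warning"])
```

Running it scores the public resource at 85.0 (50 x 1.4 for four days of public exposure plus 15 for the new encryption finding), which is over the assumed threshold and yields a "remediate" record with an owner warning, while the logging-only resource scores 10.0 and is just monitored. The persistence multiplier is the part that makes "configuration over time" matter: the same public-exposure finding scores 50.0 on the day it first appears and grows as it lingers.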