Medical professionals use stethoscopes to help diagnose problems inside the body. With Netflix's newly open-sourced Stethoscope web application, users receive a security checkup for their mobile and computing devices without having to call IT.
Although device management platforms like MobileIron or VMware AirWatch for mobile devices, JAMF for Macs, and LANdesk for Windows let IT teams apply security controls to employee devices, there are few tools available for users interested in securing their personal devices, and most are focused on viruses or are platform-specific.
Netflix is an extreme-BYOD company, with employees free to use almost anything. That's why it developed Stethoscope help employees self-diagnose their devices. Stethoscope doesn't apply any policies to user devices; it tells employees in fairly clear English what security deficiencies it found and how they might address them.
But Stethoscope is not a product you can use. Instead, it's a web-based tool that any organization can compile itself from the code that Netflix has provided on GitHub via an open source Apache 2.0 license. IT will need to compile the code and host the app for its users to access. That do-it-yourself approach does have the advantage of preventing user or company information being gathered by third-party scanners.
Once compiled and hosted, the Stethoscope application can collect information from desktop and laptop computers, as well as smartphones and tablets. At the moment, the application tracks and makes recommendations for disk encryption, firewall configuration, status of automatic updates, software and operating system updates, screen locks, and presence of a security software stack (such as Carbon Black). The application can also check whether a mobile device has been jailbroken or rooted. (This is similar to what mobile management tools can inspect.)
Each recommendation is assigned a rating to show how important it is, with more important actions sorted to the top. Critical recommendations are highlighted in red and collected in a banner to make it easier for users to see what they should be focusing on.
As a self-service application, Stethoscope also displays additional information about each security recommendation and a link to detailed instruction. This way, the user can understand the reasoning behind the recommendations being made. The app also can present notifications and let users respond, such as device access warnings alerting users to logins from unexpected IP addresses.
Stethoscope's back end is Python using Twisted + Klein, and the front end is React. Nginx serves up static files and proxies requests to the API server. Stethoscope doesn't have its own data store, but it merges user information obtained from external data sources, such as authentication providers and device management platforms. The plugin architecture lets IT add other services and data stores to integrate with Stethoscope, such as Elasticsearch imports and Google accounts. The Netflix team is currently working on adding OSquery support.