Securing Microservice Architectures

Laura Bell
September 03, 2015

Presented at Microsoft Ignite NZ 2015 by Laura Bell

Transcript

  2. Securing Microservice
    Architectures
    Laura Bell (@lady_nerd) M239

  4. Modern

  5. caution:
    fast paced field ahead
    watch for out of date content

  6. In this talk
    Microservice Fundamentals
    Some important points that are worth refreshing
    Prevention
    Avoid common vulnerabilities and avoid mistakes
    Detection
    Prepare for survival and response

  10. apps that automatically scale up to handle
    millions of users and scale down again
    to have this be done by smaller teams

  11. many are 100 or so lines
    some are around 1,000 lines

  12. Integrity
    Availability
    Confidentiality

  13. Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Escalation of Privilege

  15. Service decomposition

  16. shouldn’t

  18. exhaustion

  19. Orchestration layer attacks

  20. simple

  21. rule them all?

  22. Choose
    Restrict
    Monitor
    Configure
    Challenge
    Test

  23. Identity and access
    management

  24. the lowest set of permissions and accesses
    required to do your job

  25. require well defined roles

  26. Automate and alert

  27. mature groups and role assistance

  28. Immutable architectures
    matter in microservice security

  29. (but you might not be the
    right person to audit them)

  30. (including those changes made by an
    attacker)

  31. become hard to persist

  32. Heterogeneous language
    and technology spaces

  34. you

  35. technologies

  36. vulnerability
    management
    can be
    challenging in
    microservice
    architectures

  38. Testing

  39. (doesn’t require a specialist third party)

  40. OWASP Zap Proxy
    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    Gauntlt
    http://gauntlt.org/
    BDD Security
    http://www.continuumsecurity.net/bdd-intro.html

  41. software testing technique
    discover coding errors security loopholes
    massive amounts of random data
    attempt to make it crash

  43. Logging and monitoring

  44. All

  45. secure location
    immutable format
    away from production

  46. denial of service attacks

  47. like actually,
    for real,
    not just when you’re debugging

  49. TL;DR
    Microservice Fundamentals
    Some important points that are worth refreshing
    Prevention
    Avoid common vulnerabilities and avoid mistakes
    Detection
    Prepare for survival and response

  50. Security in a Container-based
    World
    Friday 11:55am
    Find me later at…
    - Hub Happy Hour Wed 5:30-6:30pm
    - Hub Happy Hour Thu 5:30-6:30pm
    - Closing drinks Fri 3:00-4:30pm

  51. Subscribe to our fortnightly newsletter
    http://aka.ms/technetnz http://aka.ms/msdnnz
    http://aka.ms/ch9nz
    Free Online
    Learning
    http://aka.ms/mva
    Sessions on Demand

  53. © 2015 Microsoft Corporation. All rights reserved.
    Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
