Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Securing Microservice Architectures
Search
Laura Bell
September 03, 2015
Technology
370
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Securing Microservice Architectures
Presented at Microsoft Ignite NZ 2015 by Laura Bell
Laura Bell
September 03, 2015
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
300
Hackcon 11 - Protecting our people
ladynerd
0
260
Security in a container based world
ladynerd
0
170
Better Connected
ladynerd
0
84
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.8k
Blindsided by security
ladynerd
0
150
Practical tools for privacy audit
ladynerd
0
230
For the greater good? Open sourcing weaponisable code
ladynerd
1
350
Other Decks in Technology
See All in Technology
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
740
“ID沼入口” - 基本とセキュリティから始める、考え続けるためのID管理技術勉強会 告知&イントロ
ritou
0
380
フルAIで個人開発して学んだあれこれ / yuruai vol.1
isaoshimizu
0
170
Text-to-SQLをAgentCoreで実現し、生成されるSQLの精度を定量的に評価する
yakumo
2
530
AWS Summit の片隅で、体育座りしながらコミュニティがにぎわう理由を考えた
k_adachi_01
2
350
AWS Blocks を触ってみた/first-tach-aws-blocks
fossamagna
2
140
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
1
1.2k
Baseline対応のDOMの型定義を作った
uhyo
3
680
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect
ahus1
PRO
1
140
どうして今サーバーサイドKotlinを選択したのか
nealle
0
190
5分でわかるDuckDB Quack
chanyou0311
4
310
Hatena Engineer Seminar 37 jj1uzh
jj1uzh
0
420
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
120k
Test your architecture with Archunit
thirion
1
2.3k
Designing Powerful Visuals for Engaging Learning
tmiket
1
440
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
1k
From π to Pie charts
rasagy
0
230
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
200
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
180
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
350
Building Flexible Design Systems
yeseniaperezcruz
330
40k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
170
Transcript
None
Securing Microservice Architectures Laura Bell (@lady_nerd) M239
None
Modern
caution: fast paced field ahead watch for out of date
content
In this talk Microservice Fundamentals Some important points that are
worth refreshing Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response
None
None
None
apps that automatically scale up to handle millions of users
and scale down again to have this be done by smaller teams
many are 100 or so lines some are around 1,000
lines
Integrity Availability Confiden3ality
Spoofing Tampering Repudia1on Informa1on Disclosure Denial of Service Escala1on of
Privilege
None
Service decomposition
shouldn’t
None
exhaustion
Orchestration layer attacks
simple
rule them all?
Choose Restrict Monitor Configure Challenge Test
Identity and access management
the lowest set of permissions and accesses required to do
your job
require well defined roles
Automate and alert
mature groups and role assistance
Immutable architectures matter in microservice security
(but you might not be the right person to audit
them)
(including those changes made by an attacker)
become hard to persist
Heterogeneous language and technology spaces
None
you
technologies
vulnerability management can be challenging in microservice architectures
None
Testing
(doesn’t require a specialist third party)
OWASP Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Gauntlt http://gauntlt.org/ BDD Security http://www.continuumsecurity.net/bdd-intro.html
software testing technique discover coding errors security loopholes massive amounts
of random data attempt to make it crash
None
Logging and monitoring
All
secure location immutable format away from production
denial of service attacks
like actually, for real, not just when you’re debugging
None
TL;DR Microservice Fundamentals Some important points that are worth refreshing
Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response
Security in a Container-based World Friday 11:55am Find me later
at… § Hub Happy Hour Wed 5:30-6:30pm § Hub Happy Hour Thu 5:30-6:30pm § Closing drinks Fri 3:00-4:30pm 1 2 3 4 5 6
Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz http://aka.ms/ch9nz Free Online
Learning http://aka.ms/mva Sessions on Demand
None
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and
other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.