Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Microservice Architectures

B114ea20c4172d8f92f3ff42a8cf8ea4?s=47 Laura Bell
September 03, 2015
Technology
2
320

Securing Microservice Architectures

Presented at Microsoft Ignite NZ 2015 by Laura Bell

B114ea20c4172d8f92f3ff42a8cf8ea4?s=128

Laura Bell

September 03, 2015
Tweet

More Decks by Laura Bell

See All by Laura Bell
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
96
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
150
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
110
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
40
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
3
760
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
3
2.3k
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
66
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
0
64
B114ea20c4172d8f92f3ff42a8cf8ea4?s=48 ladynerd
1
220

Other Decks in Technology

See All in Technology
012418ca05dff2e4ac6bdf3e739be4e8?s=48 minorun365
0
490
835671ae91e49b2637313b91dacda1db?s=48 tdys13
0
1.3k
5314ec2302336bf68c95bdb5b1476227?s=48 furuhashilab
0
130
012418ca05dff2e4ac6bdf3e739be4e8?s=48 minorun365
0
300
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
1
990
7a37d60769f6f3004adee19a8ff2c219?s=48 tunepolo
8
4.6k
3fa91dc187588e13e827810d2f30d8c7?s=48 moepy_stats
2
1.9k
8d0803aa4572615f7bce5f5288e6b716?s=48 mochan_tk
0
420
1c187c3f67507a90ced63f2c006ec4ad?s=48 regonn
1
920
E83ff81bc5a881c33dcff37eb160ce12?s=48 kochizufan
0
1.6k
Ef779e9bc420affeb93b274cba74ef7c?s=48 hageyahhoo
3
1.6k
8cc27471bcdeb2858fca212586a208b4?s=48 takahia1988
0
1.9k

Featured

See All Featured
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
129
22k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
30
5.4k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
38
5.8k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
446
29k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.8k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
10k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
61k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
249
21k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
484
150k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
7k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k

Transcript

  1. None

  2. Securing Microservice Architectures Laura Bell (@lady_nerd) M239

  3. None

  4. Modern

  5. caution: fast paced field ahead watch for out of date

    content

  6. In this talk Microservice Fundamentals Some important points that are

    worth refreshing Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response
  7. None
  8. None
  9. None

  10. apps that automatically scale up to handle millions of users

    and scale down again to have this be done by smaller teams

  11. many are 100 or so lines some are around 1,000

    lines

  12. Integrity   Availability   Confiden3ality  

  13. Spoofing Tampering Repudia1on Informa1on  Disclosure Denial  of  Service Escala1on  of

     Privilege
  14. None

  15. Service decomposition

  16. shouldn’t

  17. None

  18. exhaustion

  19. Orchestration layer attacks

  20. simple

  21. rule them all?

  22. Choose Restrict Monitor Configure Challenge Test

  23. Identity and access management

  24. the lowest set of permissions and accesses required to do

    your job

  25. require well defined roles

  26. Automate and alert

  27. mature groups and role assistance

  28. Immutable architectures matter in microservice security

  29. (but you might not be the right person to audit

    them)

  30. (including those changes made by an attacker)

  31. become hard to persist

  32. Heterogeneous language and technology spaces

  33. None

  34. you

  35. technologies

  36. vulnerability management can be challenging in microservice architectures

  37. None

  38. Testing

  39. (doesn’t require a specialist third party)

  40. OWASP Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Gauntlt http://gauntlt.org/ BDD Security http://www.continuumsecurity.net/bdd-intro.html

  41. software testing technique discover coding errors security loopholes massive amounts

    of random data attempt to make it crash
  42. None

  43. Logging and monitoring

  44. All

  45. secure location immutable format away from production

  46. denial of service attacks

  47. like actually, for real, not just when you’re debugging

  48. None

  49. TL;DR Microservice Fundamentals Some important points that are worth refreshing

    Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response

  50. Security in a Container-based World Friday 11:55am Find me later

    at… §  Hub Happy Hour Wed 5:30-6:30pm §  Hub Happy Hour Thu 5:30-6:30pm §  Closing drinks Fri 3:00-4:30pm 1 2 3 4 5 6

  51. Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz http://aka.ms/ch9nz Free Online

    Learning http://aka.ms/mva Sessions on Demand
  52. None

  53. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and

    other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.