$30 off During Our Annual Pro Sale. View Details »

Securing Microservice Architectures

Laura Bell
September 03, 2015
Technology
2
330

Securing Microservice Architectures

Presented at Microsoft Ignite NZ 2015 by Laura Bell

Laura Bell

September 03, 2015
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
160
Hackcon 11 - Protecting our people
ladynerd
0
170
Security in a container based world
ladynerd
0
120
Better Connected
ladynerd
0
45
Continuous Security
ladynerd
3
910
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.5k
Blindsided by security
ladynerd
0
75
Practical tools for privacy audit
ladynerd
0
98
For the greater good? Open sourcing weaponisable code
ladynerd
1
240

Other Decks in Technology

See All in Technology
噂の Amazon Bedrock を Java から使ってみる #javado
tacck
1
120
Podman with WebAssembly
utam0k
2
230
2023/11/15 コンテナでDb2やMQを動かす
hfukunak
0
110
Exceptionハンドリングの基本と新しい手法について【JJUG CCC 2023 fall】
toranoana
2
130
Railsアプリと型検査 / Rails app and type checking
sinsoku
5
730
【Python東海#44】Pydroid3で画像処理
kazuhitotakahashi
0
150
About HealthKit nutrition
coe
0
150
走馬灯のIaCは考えておいて
nwiizo
6
2.7k
[2023년 11월 세미나] 마케팅 성과 분석의 모든 것 (feat. GA4)
datarian
0
310
スクラムマスターやマネージャーのための信頼構築につながる傾聴の技術
kawagoi
6
2.8k
実践 脱Modifier.composed / Let's Modifier.Node
gya
2
220
これからの EnterPrise GenAI / EnterPrise GenAI
cyberagentdevelopers
PRO
0
270

Featured

See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
71
7.9k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.6k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
GraphQLとの向き合い方2022年版
quramy
26
12k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Thoughts on Productivity
jonyablonski
55
3.5k
Into the Great Unknown - MozCon
thekraken
7
650
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Adopting Sorbet at Scale
ufuk
66
8.2k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9.8k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Making the Leap to Tech Lead
cromwellryan
120
8.2k

Transcript

  1. View Slide

  2. Securing Microservice
    Architectures
    Laura Bell (@lady_nerd) M239

    View Slide

  3. View Slide

  4. Modern

    View Slide

  5. caution:
    fast paced field ahead
    watch for out of date content

    View Slide

  6. In this talk
    Microservice Fundamentals
    Some important points that are worth refreshing
    Prevention
    Avoid common vulnerabilities and avoid mistakes
    Detection
    Prepare for survival and response

    View Slide

  7. View Slide

  8. View Slide

  9. View Slide

  10. apps that automatically scale up to handle
    millions of users and scale down again
    to have this be done by smaller teams

    View Slide

  11. many are 100 or so lines
    some are around 1,000 lines

    View Slide

  12. Integrity  
    Availability  
    Confiden3ality  

    View Slide

  13. Spoofing
    Tampering
    Repudia1on
    Informa1on  Disclosure
    Denial  of  Service
    Escala1on  of  Privilege

    View Slide

  14. View Slide

  15. Service decomposition

    View Slide

  16. shouldn’t

    View Slide

  17. View Slide

  18. exhaustion

    View Slide

  19. Orchestration layer attacks

    View Slide

  20. simple

    View Slide

  21. rule them all?

    View Slide

  22. Choose
    Restrict
    Monitor
    Configure
    Challenge
    Test

    View Slide

  23. Identity and access
    management

    View Slide

  24. the lowest set of permissions and accesses
    required to do your job

    View Slide

  25. require well defined roles

    View Slide

  26. Automate and alert

    View Slide

  27. mature groups and role assistance

    View Slide

  28. Immutable architectures
    matter in microservice security

    View Slide

  29. (but you might not be the
    right person to audit them)

    View Slide

  30. (including those changes made by an
    attacker)

    View Slide

  31. become hard to persist

    View Slide

  32. Heterogeneous language
    and technology spaces

    View Slide

  33. View Slide

  34. you

    View Slide

  35. technologies

    View Slide

  36. vulnerability
    management
    can be
    challenging in
    microservice
    architectures

    View Slide

  37. View Slide

  38. Testing

    View Slide

  39. (doesn’t require a specialist third party)

    View Slide

  40. OWASP Zap Proxy
    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    Gauntlt
    http://gauntlt.org/
    BDD Security
    http://www.continuumsecurity.net/bdd-intro.html

    View Slide

  41. software testing technique
    discover coding errors security loopholes
    massive amounts of random data
    attempt to make it crash

    View Slide

  42. View Slide

  43. Logging and monitoring

    View Slide

  44. All

    View Slide

  45. secure location
    immutable format
    away from production

    View Slide

  46. denial of service attacks

    View Slide

  47. like actually,
    for real,
    not just when you’re debugging

    View Slide

  48. View Slide

  49. TL;DR
    Microservice Fundamentals
    Some important points that are worth refreshing
    Prevention
    Avoid common vulnerabilities and avoid mistakes
    Detection
    Prepare for survival and response

    View Slide

  50. Security in a Container-based
    World
    Friday 11:55am
    Find me later at…
    §  Hub Happy Hour Wed 5:30-6:30pm
    §  Hub Happy Hour Thu 5:30-6:30pm
    §  Closing drinks Fri 3:00-4:30pm
    1
    2
    3
    4
    5
    6

    View Slide

  51. Subscribe to our fortnightly newsletter
    http://aka.ms/technetnz http://aka.ms/msdnnz
    http://aka.ms/ch9nz
    Free Online
    Learning
    http://aka.ms/mva
    Sessions on Demand

    View Slide

  52. View Slide

  53. © 2015 Microsoft Corporation. All rights reserved.
    Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

    View Slide