
Securing Microservice Architectures

Laura Bell
September 03, 2015


Presented at Microsoft Ignite NZ 2015 by Laura Bell


Transcript

  2. Securing Microservice Architectures Laura Bell (@lady_nerd) M239

  4. Modern

  5. caution: fast paced field ahead, watch for out of date content
  6. In this talk: Microservice Fundamentals (some important points that are worth refreshing); Prevention (avoid common vulnerabilities and avoid mistakes); Detection (prepare for survival and response)
  10. apps that automatically scale up to handle millions of users and scale down again, to have this be done by smaller teams
  11. many are 100 or so lines, some are around 1,000 lines
  12. Integrity, Availability, Confidentiality

  13. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
  15. Service decomposition

  16. shouldn’t

  18. exhaustion

  19. Orchestration layer attacks

  20. simple

  21. rule them all?

  22. Choose Restrict Monitor Configure Challenge Test

  23. Identity and access management

  24. the lowest set of permissions and accesses required to do

    your job
  25. require well defined roles

  26. Automate and alert

  27. mature groups and role assistance

  28. Immutable architectures matter in microservice security

  29. (but you might not be the right person to audit

    them)
  30. (including those changes made by an attacker)

  31. become hard to persist

  32. Heterogeneous language and technology spaces

  34. you

  35. technologies

  36. vulnerability management can be challenging in microservice architectures

  38. Testing

  39. (doesn’t require a specialist third party)

  40. OWASP Zap Proxy (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project); Gauntlt (http://gauntlt.org/); BDD Security (http://www.continuumsecurity.net/bdd-intro.html)

  41. software testing technique: discover coding errors and security loopholes by feeding massive amounts of random data in an attempt to make it crash
  43. Logging and monitoring

  44. All

  45. secure location immutable format away from production

  46. denial of service attacks

  47. like actually, for real, not just when you’re debugging

  49. TL;DR: Microservice Fundamentals (some important points that are worth refreshing); Prevention (avoid common vulnerabilities and avoid mistakes); Detection (prepare for survival and response)
  50. Security in a Container-based World, Friday 11:55am. Find me later at: Hub Happy Hour Wed 5:30-6:30pm; Hub Happy Hour Thu 5:30-6:30pm; Closing drinks Fri 3:00-4:30pm
  51. Subscribe to our fortnightly newsletter: http://aka.ms/technetnz, http://aka.ms/msdnnz, http://aka.ms/ch9nz. Free Online Learning: http://aka.ms/mva. Sessions on Demand.
  53. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.