Securing Microservice Architectures

Transcript

1. None

2. Securing Microservice Architectures Laura Bell (@lady_nerd) M239

3. None

4. Modern

5. caution: fast paced field ahead watch for out of date

   content

6. In this talk Microservice Fundamentals Some important points that are

   worth refreshing Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response
7. None
8. None
9. None

10. apps that automatically scale up to handle millions of users

    and scale down again to have this be done by smaller teams

11. many are 100 or so lines some are around 1,000

    lines

12. Integrity   Availability   Confiden3ality  

13. Spoofing Tampering Repudia1on Informa1on  Disclosure Denial  of  Service Escala1on  of

     Privilege
14. None

15. Service decomposition

16. shouldn’t

17. None

18. exhaustion

19. Orchestration layer attacks

20. simple

21. rule them all?

22. Choose Restrict Monitor Configure Challenge Test

23. Identity and access management

24. the lowest set of permissions and accesses required to do

    your job

25. require well defined roles

26. Automate and alert

27. mature groups and role assistance

28. Immutable architectures matter in microservice security

29. (but you might not be the right person to audit

    them)

30. (including those changes made by an attacker)

31. become hard to persist

32. Heterogeneous language and technology spaces

33. None

34. you

35. technologies

36. vulnerability management can be challenging in microservice architectures

37. None

38. Testing

39. (doesn’t require a specialist third party)

40. OWASP Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Gauntlt http://gauntlt.org/ BDD Security http://www.continuumsecurity.net/bdd-intro.html

41. software testing technique discover coding errors security loopholes massive amounts

    of random data attempt to make it crash
42. None

43. Logging and monitoring

44. All

45. secure location immutable format away from production

46. denial of service attacks

47. like actually, for real, not just when you’re debugging

48. None

49. TL;DR Microservice Fundamentals Some important points that are worth refreshing

    Prevention Avoid common vulnerabilities and avoid mistakes Detection Prepare for survival and response

50. Security in a Container-based World Friday 11:55am Find me later

    at… §  Hub Happy Hour Wed 5:30-6:30pm §  Hub Happy Hour Thu 5:30-6:30pm §  Closing drinks Fri 3:00-4:30pm 1 2 3 4 5 6

51. Subscribe to our fortnightly newsletter http://aka.ms/technetnz http://aka.ms/msdnnz http://aka.ms/ch9nz Free Online

    Learning http://aka.ms/mva Sessions on Demand
52. None

53. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and

    other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.