SECURING MICROSERVICES
Berlin Microservices Meetup, October 2015
@samnewman
Sam Newman
Building Microservices: Designing Fine-Grained Systems
https://www.flickr.com/photos/seattlemunicipalarchives/4058808950
https://www.flickr.com/photos/theseanster93/485390997/
http://map.norsecorp.com/
S/M Tests | Build | Large Tests | Production
Security? Security?
https://www.microsoft.com/en-us/sdl/
Prevention
Detection
Response
Recovery
https://www.flickr.com/photos/adulau/15680439035/
https://www.flickr.com/photos/duanestorey/469163789/
https://www.schneier.com/paper-attacktrees-ddj-ft.html
Open Safe
  Pick Lock
  Learn Combo
    Find Written Combo
    Get Combo from the target
      Blackmail
      Threaten
      Bribe
  Cut Open
Node assessments: Impossible, Impossible, Impossible, Possible, Possible, Possible
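The attack tree above is evaluated the way Schneier describes: each leaf is marked Possible or Impossible, and the values propagate up to the root, so the defender can see which paths remain open and which countermeasure closes the root goal. The following is an added example, not code from the talk: node names follow the slide, but the Possible/Impossible assignments, the AND-node support, and the `mitigate` helper are constructed assumptions for illustration.

```python
"""Attack-tree evaluation in the style of the "Open Safe" tree.

Added example, not from the deck. Node names follow the slide; the
Possible/Impossible assignments below are constructed for illustration
and are not the slide's own labels.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "OR"                 # "OR": any child suffices; "AND": all children needed
    possible: Optional[bool] = None  # leaf assessment; None for interior nodes
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> bool:
    """Propagate leaf Possible/Impossible values up to the root."""
    if not node.children:
        if node.possible is None:
            raise ValueError(f"leaf {node.name!r} has no assessment")
        return node.possible
    results = [evaluate(c) for c in node.children]
    return any(results) if node.kind == "OR" else all(results)


def possible_paths(node: Node, prefix: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """List root-to-leaf paths that are still possible: the ones a defender must close."""
    path = prefix + (node.name,)
    if not node.children:
        return [path] if node.possible else []
    if node.kind == "OR":
        return [p for c in node.children for p in possible_paths(c, path)]
    # AND node: the branch is only live if every child is possible
    if all(evaluate(c) for c in node.children):
        return [p for c in node.children for p in possible_paths(c, path)]
    return []


def build_open_safe_tree() -> Node:
    """The slide's tree with constructed leaf assessments (an assumption)."""
    return Node("Open Safe", children=[
        Node("Pick Lock", possible=False),
        Node("Learn Combo", children=[
            Node("Find Written Combo", possible=False),
            Node("Get Combo from the target", children=[
                Node("Blackmail", possible=False),
                Node("Threaten", possible=False),
                Node("Bribe", possible=True),
            ]),
        ]),
        Node("Cut Open", possible=True),
    ])


def mitigate(node: Node, leaf_name: str) -> None:
    """Model a countermeasure by marking the named leaf Impossible."""
    if not node.children:
        if node.name == leaf_name:
            node.possible = False
        return
    for c in node.children:
        mitigate(c, leaf_name)


if __name__ == "__main__":
    tree = build_open_safe_tree()
    print("root possible:", evaluate(tree))
    for p in possible_paths(tree):
        print(" -> ".join(p))
    mitigate(tree, "Bribe")
    mitigate(tree, "Cut Open")
    print("after mitigations, root possible:", evaluate(tree))
```

The `possible_paths` output is the useful artefact for a microservice threat model: it lists the live routes to the root goal, and re-running `evaluate` after each `mitigate` call shows whether a proposed control actually closes the goal or only one branch of it.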
Catalog service
Music Web Shop
Recommend service
Royalty service
Mobile app
Web browsers
User service
Transport Security
HTTPS Everywhere!
BENEFITS OF HTTPS?
▫︎ Server guarantees!
▫︎ Payload not manipulated…
▫︎ …but no client guarantee and…
▫︎ …certificates can be a pain
https://letsencrypt.org/
CLIENT-SIDE CERTIFICATES?
▫︎ Client guarantees!
▫︎ …but a PITA to manage…
http://techblog.netflix.com/2015/09/introducing-lemur.html
Web browsers
Form Auth / OAuth
Confused Deputy Problem!
Data At Rest?
Aside: Docker
http://www.banyanops.com/blog/analyzing-docker-hub/
Patch Your Stuff
Prevention | Detection | Response | Recovery
https://www.qualys.com/research/top10/
Polyglot = more stuff to track!
https://www.modsecurity.org/
PERIMETER SECURITY!
CC Attribution 2.0 Generic https://www.flickr.com/photos/flissphil/52158537/
http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet
https://haveibeenpwned.com/
Prevention | Detection | Response | Recovery
http://krebsonsecurity.com/tag/target-data-breach/
Prevention | Detection | Response | Recovery
Backups
Burn it all down
Prevention | Detection | Response | Recovery
@samnewman [email protected]
THANKS!