Securing Microservice Architectures
Laura Bell, M239
Modern Architecture Security Series
Caution: fast-paced field ahead. Watch for out-of-date content.
In this talk
Microservice Fundamentals
Some important points that are worth refreshing
Prevention
Avoid common vulnerabilities and avoid mistakes
Detection
Prepare for survival and response
Microservice fundamentals
to create and deploy new apps fast
apps that automatically scale up to handle millions of users and scale down again
to be able to make changes
to have this be done by smaller teams
usually 5 to 30 lines of code
many are 100 or so lines, some are around 1,000 lines
Integrity
Availability
Confidentiality
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of Privilege
Prevention
Service decomposition
size and complexity shouldn’t vary
service dependency
cascading failure and fragility
scaling and resource exhaustion
Orchestration layer attacks
attackers like simple
we are lazy
one component to rule them all?
Choose appropriate tech
Restrict access
Monitor aggressively
Configure well
Challenge assumptions
Test regularly
Identity and access management
principle of least privilege
the lowest set of permissions and accesses required to do your job
Role based controls require well defined roles
Audit
Audit
Automate and alert
Audit
Audit
Audit
Cloud Platform as a Service may make you more secure
mature groups and role assistance
Immutable architectures matter in microservice security
Auditable host configurations are a good thing (but you might not be the right person to audit them)
Avoids configuration creep (including those changes made by an attacker)
Attacker accesses become hard to persist
Heterogeneous language and technology spaces
Choose the right tools for the job you are doing
not all technologies have mature libraries, frameworks and documentation
vulnerability management can be challenging in microservice architectures
Testing
Continuous Automated Security Testing (doesn’t require a specialist third party)
OWASP Zap Proxy https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Gauntlt http://gauntlt.org/
BDD Security http://www.continuumsecurity.net/bdd-intro.html
Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
Detection
Logging and monitoring
Log.All.The.Things
Logs must be stored in a:
secure location
immutable format
away from production
Poorly managed logs are a simple way to create denial of service attacks
Watch your logs
like actually, for real, not just when you’re debugging
Summary
TL;DR
Microservice Fundamentals
Some important points that are worth refreshing
Prevention
Avoid common vulnerabilities and avoid mistakes
Detection
Prepare for survival and response
Related Ignite NZ Sessions
Security in a Container-based World, Friday 11:55am
Find me later at…
Hub Happy Hour Wed 5:30-6:30pm
Hub Happy Hour Thu 5:30-6:30pm
Closing drinks Fri 3:00-4:30pm
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.