Securing Microservice ArchitecturesLaura Bell M239

Modern Architecture Security Series

caution:fast paced field ahead watch for out of date content

In this talkMicroservice Fundamentals

Some important points that are worth refreshing

PreventionAvoid common vulnerabilities and avoid mistakes

DetectionPrepare for survival and response

Microservice fundamentals

to create and deploy new apps fast apps that automatically scale up to handle millions of users and scale down again to be able to make changesto have this be done by smaller teams

usually 5 to 30 lines of code

many are 100 or so lines some are around 1,000 lines

Integrity

Availability

Confidentiality

SpoofingTampering

RepudiationInformation Disclosure

Denial of ServiceEscalation of Privilege

Prevention

Service decomposition

size and complexity shouldn’t vary

service dependency

cascading failure and fragility

scaling and resource exhaustion

Orchestration layer attacks

attackers like simplewe are lazy

one component to rule them all?

Choose appropriate techRestrict accessMonitor aggressivelyConfigure wellChallenge assumptionsTest regularly

Identity and access management

principle of least privilege

the lowest set of permissions and accesses required to do your job

Role based controlsrequire well defined roles

AuditAuditAutomate and alertAuditAuditAudit

Cloud Platform as a Servicemay make you more securemature groups and role assistance

Immutable architectures matter in microservice security

Auditable host configurations

are a good thing(but you might not be the

right person to audit them)

Avoids configuration creep(including those changes made by an attacker)

Attacker accesses become hard to persist

Heterogeneous language and technology spaces

Choose the right tools for the job you are doing

not all technologies have mature libraries, frameworks and documentation

vulnerability management

can be challenging inmicroservicearchitectures

Testing

ContinuousAutomated

SecurityTesting

(doesn’t require a specialist third party)

OWASP Zap Proxyhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_P

roject

Gauntlt http://gauntlt.org/

BDD Securityhttp://www.continuumsecurity.net/bdd-intro.html

Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash

Detection

Logging and monitoring

Log.All.The.Things

Logs must be stored in a:secure locationimmutable formataway from production

Poorly managed logs are a simple way to create

denial of service attacks

Watch your logslike actually, for real, not just when you’re debugging

Summary

TL;DRMicroservice Fundamentals

Some important points that are worth refreshing

PreventionAvoid common vulnerabilities and avoid mistakes

DetectionPrepare for survival and response

Related Ignite NZ Sessions

Security in a Container-based WorldFriday 11:55am

Find me later at… Hub Happy Hour Wed 5:30-6:30pm Hub Happy Hour Thu 5:30-6:30pm Closing drinks Fri 3:00-4:30pm

1

2

3

4

5

6

Resources

TechNet & MSDN FlashSubscribe to our fortnightly newsletter

http://aka.ms/technetnz http://aka.ms/msdnnz

http://aka.ms/ch9nz

Microsoft Virtual AcademyFree Online Learning

http://aka.ms/mva

Sessions on Demand

Complete your session evaluation now and be in to win!

© 2015 Microsoft Corporation. All rights reserved.Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or

other countries.MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.