SlideShare a Scribd company logo

APIdays Paris 2019 - RASP for APIs and Microservices by Jean-Baptiste Aviat, Sqreen.io

apidays
apidays

RASP for APIs and Microservices Jean-Baptiste Aviat, Co-Founder & CTO of Sqreen.io

Technology
1 of 27
Download to read offline
APIDays Paris 2019 2019/12/10 RASP for APIS and Microservices
Who am I? Jean-Baptiste Aviat CTO & CO-FOUNDER AT SQREEN EX APPLE RED TEAM Email jb@sqreen.com Twitter @JbAviat
The world is moving towards microservices
Monoliths 4 Monolith DB1 DB2 • Huge • Complex • Highly coupled Hard to scale: • Distribute work across teams • Evolve
Microservices 5 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics • Lightweights • Independents • Simplers • Specialized • 1 team = 1 service Many things change: • Logging • Monitoring • Debugging • …
Monoliths: how to protect? 6 Monolith DB1 DB2 W A F • 1 entry point. • Perimeter protection is possible.
Security on a microservice architecture
In-App WAF User Monitoring Content Security Policy Driver specific protections What is RASP? 8 Sits inside the application Combines several protection layers Usable at scale: • Self configures • Automatically updates • Actionable, developer friendly reports Business logic monitoring Business logic monitoring
Ingestion Monitoring Auth Configuration Worker Analytics Legacy WAF Limited to the perimeter.
• The protection is applied to each service • Each service provides insights about the whole architecture Ingestion Monitoring Auth Configuration Worker AnalyticsRASP
Ingestion Monitoring Auth Configuration Worker AnalyticsRASP • The protection is applied to each service • Each service provides insights about the whole architecture • Decisions can be made about any part of the whole
Microservices security checklist Single Microservice • Each has the same security challenges than a monolith • No input should be trusted • Check client authentication & authorisation for each action (= zero trust) • Monitor vulnerabilities and attacks 12 Microservice Infrastructure • Cryptographically secure service to service communications • Trace requests origins towards the network’s edge • Leverage your business logic when blocking attacks • Consolidate security logs & monitoring
Security: zoom on a single microservice
Risks on one microservice • TL; DR: Same than monoliths. • OWASP Top 10 (top 10 most common vulnerabilities) • Business logic issues • Remember: we broke a monolith apart. • Trust mutual communications. 14
One service security = as critical as the whole 2 key characteristics of a microservice: • Low coupling • Reusability (by other teams = services) Consequences: • Inputs shouldn’t be trusted • Security controls need to happen at each service level 15 Microservice
Async workers matter too! 16 DB DB Stream Ingestion Monitoring Auth Configuration Async worker Analytics DB DB They can be exploited in several ways. Exploited flaws can allow to query other services in the network.
Microservice observability The code • Vulnerable packages • New routes • Vulnerable functions The business logic • Who are my clients / my servers • Am I performing business sensitive operations? • Personal information flowing in my code The users • Account theft attacks • User performing attacks 17 New route detected: /user/:user_id/export users.rb:88 Committed by jon.hopkins on 01.03.2018 SQL injection blocked authorization.mycompany.com Framework: Gin 1.5.0 Databases: PostgreSQL, MongoDB New Go 1.13 service detected: “Authorization”
Security: the whole infrastructure
Monitor what’s deployed 19
Attacks: trace them back to the attacker 20 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics• Attack blocked on a nested service • Need to be traced back to the external attacker
21 •Apply cryptography •Mutual authentication Bound to a channel: ✅ Analytics → Auth ❌ Analytics → Configuration Zero trust: Authentication & authorisation per service Service to service communications DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics
How to respond to attacks in a microservice architecture?
Block the actor at the edge 23 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics Blocked actors are fully isolated But errors are dramatics ❌ ❌ ❌
Block only sensitive services 24 Bad actor detected:
 hacker@somedomain.com Prevent access to services: Analytics, Auth • Some sensitive services are denied • Best effort to keep providing functionality to the blocked actor DB DB DB Stream DB Monitoring Auth Configuration Worker Analytics ❌❌ ❌ ❌
Decrease rights of a given actor 25 DB DB DB Stream DB Monitoring Auth Configuration Worker Analytics Bad actor detected:
 hacker@somedomain.com —> Deny all further
 authorisations • Fine grained approach • Depends on business logic • Prevent only some business sensitive actions • Best to keep providing some level of service
Questions?
Lexicon SSRF: vulnerability that can allow to query internal micro services RCE: outcome of some vulnerabilities exploitation. Allows to query internal micro services. East/West: service to service communications North/West: external world to service communications OWASP top 10: top 10 most common vulnerabilities mTLS: two ways cryptographic authentication Micro Perimeter: perimeter of 1 micro service ALTS: Application Layer Transport Security 27

Recommended

Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas Destor
 
GDPR v pojetí F5
GDPR v pojetí F5GDPR v pojetí F5
GDPR v pojetí F5MarketingArrowECS_CZ
 
Microservices security CSA meetup ppt 10_21_2015_v2-2
Microservices security CSA meetup ppt 10_21_2015_v2-2Microservices security CSA meetup ppt 10_21_2015_v2-2
Microservices security CSA meetup ppt 10_21_2015_v2-2Vishwas Manral
 
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017Micro Focus
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterVishwas Manral
 
Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Bitglass
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017Micro Focus
 
Interoute Intelligent Monitoring
Interoute Intelligent MonitoringInteroute Intelligent Monitoring
Interoute Intelligent MonitoringOnomi
 

Recommended

Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas Destor
 
GDPR v pojetí F5
GDPR v pojetí F5GDPR v pojetí F5
GDPR v pojetí F5MarketingArrowECS_CZ
 
Microservices security CSA meetup ppt 10_21_2015_v2-2
Microservices security CSA meetup ppt 10_21_2015_v2-2Microservices security CSA meetup ppt 10_21_2015_v2-2
Microservices security CSA meetup ppt 10_21_2015_v2-2Vishwas Manral
 
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017Micro Focus
 
CSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterCSA Presentation - Software Defined Perimeter
CSA Presentation - Software Defined PerimeterVishwas Manral
 
Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Bitglass
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017Micro Focus
 
Interoute Intelligent Monitoring
Interoute Intelligent MonitoringInteroute Intelligent Monitoring
Interoute Intelligent MonitoringOnomi
 
Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) rkulandaivel
 
Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus
 
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANTUNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANTMicro Focus
 
Training Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarTraining Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarOutSystems
 
FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017Micro Focus
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudCryptzone
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Basic security and Barracuda VRS
Basic security and Barracuda VRSBasic security and Barracuda VRS
Basic security and Barracuda VRSAravindan A
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and predictionVishwas Manral
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentForgeRock
 
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!ForgeRock
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Zoho Corporation
 
What's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareWhat's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareManageEngine EventLog Analyzer
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityCryptzone
 
CSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghCSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghNCCOMMS
 
OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study ForgeRock
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone
 
Design - Start Your API Journey Today
Design - Start Your API Journey TodayDesign - Start Your API Journey Today
Design - Start Your API Journey TodayLaurenWendler
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?NGINX, Inc.
 

More Related Content

What's hot

Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) rkulandaivel
 
Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus
 
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANTUNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANTMicro Focus
 
Training Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarTraining Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarOutSystems
 
FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017Micro Focus
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudCryptzone
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Basic security and Barracuda VRS
Basic security and Barracuda VRSBasic security and Barracuda VRS
Basic security and Barracuda VRSAravindan A
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World42Crunch
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and predictionVishwas Manral
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentForgeRock
 
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!ForgeRock
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Zoho Corporation
 
What's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareWhat's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareManageEngine EventLog Analyzer
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityCryptzone
 
CSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghCSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghNCCOMMS
 
OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study ForgeRock
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone
 

What's hot (20)

Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB)
 
Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017
 
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANTUNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
 
Training Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinarTraining Webinar: Cover your bases - a security webinar
Training Webinar: Cover your bases - a security webinar
 
FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017FILES IN TODAY’S WORLD - #MFSummit2017
FILES IN TODAY’S WORLD - #MFSummit2017
 
AppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the CloudAppGate: Achieving Compliance in the Cloud
AppGate: Achieving Compliance in the Cloud
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
Basic security and Barracuda VRS
Basic security and Barracuda VRSBasic security and Barracuda VRS
Basic security and Barracuda VRS
 
API Security in a Microservices World
API Security in a Microservices WorldAPI Security in a Microservices World
API Security in a Microservices World
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and prediction
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration Component
 
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​Decrypting the security mystery with SIEM (Part 1) ​
Decrypting the security mystery with SIEM (Part 1) ​
 
What's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareWhat's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management Software
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
 
CSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghCSF18 Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert Hoitingh
 
OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study OpenAM Best Practices - Corelio Media Case Study
OpenAM Best Practices - Corelio Media Case Study
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
 

Similar to APIdays Paris 2019 - RASP for APIs and Microservices by Jean-Baptiste Aviat, Sqreen.io

Design - Start Your API Journey Today
Design - Start Your API Journey TodayDesign - Start Your API Journey Today
Design - Start Your API Journey TodayLaurenWendler
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?NGINX, Inc.
 
Transforming to Microservices
Transforming to MicroservicesTransforming to Microservices
Transforming to MicroservicesKyle Brown
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedNGINX, Inc.
 
DevoxxBelgium_StatefulCloud.pptx
DevoxxBelgium_StatefulCloud.pptxDevoxxBelgium_StatefulCloud.pptx
DevoxxBelgium_StatefulCloud.pptxGrace Jansen
 
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptx
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptxUtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptx
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptxGrace Jansen
 
IBM Bluemix Presentation.pptx
IBM Bluemix Presentation.pptxIBM Bluemix Presentation.pptx
IBM Bluemix Presentation.pptxvishal choudhary
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
[WSO2Con EU 2017] Microservices for Enterprises
[WSO2Con EU 2017] Microservices for Enterprises[WSO2Con EU 2017] Microservices for Enterprises
[WSO2Con EU 2017] Microservices for EnterprisesWSO2
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceSagi Brody
 
Skip the anxiety attack when building secure containerized apps
Skip the anxiety attack when building secure containerized appsSkip the anxiety attack when building secure containerized apps
Skip the anxiety attack when building secure containerized appsHaidee McMahon
 
Migrating to Microservices Patterns and Technologies (edition 2023)
Migrating to Microservices Patterns and Technologies (edition 2023) Migrating to Microservices Patterns and Technologies (edition 2023)
Migrating to Microservices Patterns and Technologies (edition 2023)Ahmed Misbah
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018PureSec
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)VMware Tanzu
 
APIs from the Edge to the Mesh
APIs from the Edge to the MeshAPIs from the Edge to the Mesh
APIs from the Edge to the MeshNordic APIs
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB
 
Microservices and IBM Bluemix meetup presentation
Microservices and IBM Bluemix meetup presentationMicroservices and IBM Bluemix meetup presentation
Microservices and IBM Bluemix meetup presentationCarlos Ferreira
 

Similar to APIdays Paris 2019 - RASP for APIs and Microservices by Jean-Baptiste Aviat, Sqreen.io (20)

Design - Start Your API Journey Today
Design - Start Your API Journey TodayDesign - Start Your API Journey Today
Design - Start Your API Journey Today
 
Do You Need A Service Mesh?
Do You Need A Service Mesh?Do You Need A Service Mesh?
Do You Need A Service Mesh?
 
Transforming to Microservices
Transforming to MicroservicesTransforming to Microservices
Transforming to Microservices
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting Started
 
DevoxxBelgium_StatefulCloud.pptx
DevoxxBelgium_StatefulCloud.pptxDevoxxBelgium_StatefulCloud.pptx
DevoxxBelgium_StatefulCloud.pptx
 
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptx
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptxUtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptx
UtrechtJUG_Exploring statefulmicroservices in a cloud-native world.pptx
 
IBM Bluemix Presentation.pptx
IBM Bluemix Presentation.pptxIBM Bluemix Presentation.pptx
IBM Bluemix Presentation.pptx
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
[WSO2Con EU 2017] Microservices for Enterprises
[WSO2Con EU 2017] Microservices for Enterprises[WSO2Con EU 2017] Microservices for Enterprises
[WSO2Con EU 2017] Microservices for Enterprises
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-Service
 
Skip the anxiety attack when building secure containerized apps
Skip the anxiety attack when building secure containerized appsSkip the anxiety attack when building secure containerized apps
Skip the anxiety attack when building secure containerized apps
 
Migrating to Microservices Patterns and Technologies (edition 2023)
Migrating to Microservices Patterns and Technologies (edition 2023) Migrating to Microservices Patterns and Technologies (edition 2023)
Migrating to Microservices Patterns and Technologies (edition 2023)
 
Microservices-101
Microservices-101Microservices-101
Microservices-101
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)
Keynote: Software Kept Eating the World (Pivotal Cloud Platform Roadshow)
 
APIs from the Edge to the Mesh
APIs from the Edge to the MeshAPIs from the Edge to the Mesh
APIs from the Edge to the Mesh
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
 
Microservices and IBM Bluemix meetup presentation
Microservices and IBM Bluemix meetup presentationMicroservices and IBM Bluemix meetup presentation
Microservices and IBM Bluemix meetup presentation
 

More from apidays

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...apidays
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOapidays
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...apidays
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...apidays
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...apidays
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...apidays
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...apidays
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...apidays
 

More from apidays (20)

apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...apidays Australia 2023 - A programmatic approach to API success including Ope...
apidays Australia 2023 - A programmatic approach to API success including Ope...
 
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile APIapidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
apidays Singapore 2023 - Addressing the Data Gap, Jerome Eger, Smile API
 
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wiseapidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
apidays Singapore 2023 - Iterate Faster with Dynamic Flows, Yee Hui Poh, Wise
 
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Venturesapidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
apidays Singapore 2023 - Banking the Ecosystem, Apurv Suri, SC Ventures
 
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
apidays Singapore 2023 - Digitalising agreements with data, design & technolo...
 
apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...apidays Singapore 2023 - Building a digital-first investment management model...
apidays Singapore 2023 - Building a digital-first investment management model...
 
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
apidays Singapore 2023 - Changing the culture of building software, Aman Dham...
 
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singap...
 
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

APIdays Paris 2019 - RASP for APIs and Microservices by Jean-Baptiste Aviat, Sqreen.io

  • 1. APIDays Paris 2019 2019/12/10 RASP for APIS and Microservices
  • 2. Who am I? Jean-Baptiste Aviat CTO & CO-FOUNDER AT SQREEN EX APPLE RED TEAM Email jb@sqreen.com Twitter @JbAviat
  • 3. The world is moving towards microservices
  • 4. Monoliths 4 Monolith DB1 DB2 • Huge • Complex • Highly coupled Hard to scale: • Distribute work across teams • Evolve
  • 5. Microservices 5 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics • Lightweights • Independents • Simplers • Specialized • 1 team = 1 service Many things change: • Logging • Monitoring • Debugging • …
  • 6. Monoliths: how to protect? 6 Monolith DB1 DB2 W A F • 1 entry point. • Perimeter protection is possible.
  • 7. Security on a microservice architecture
  • 8. In-App WAF User Monitoring Content Security Policy Driver specific protections What is RASP? 8 Sits inside the application Combines several protection layers Usable at scale: • Self configures • Automatically updates • Actionable, developer friendly reports Business logic monitoring Business logic monitoring
  • 10. • The protection is applied to each service • Each service provides insights about the whole architecture Ingestion Monitoring Auth Configuration Worker AnalyticsRASP
  • 11. Ingestion Monitoring Auth Configuration Worker AnalyticsRASP • The protection is applied to each service • Each service provides insights about the whole architecture • Decisions can be made about any part of the whole
  • 12. Microservices security checklist Single Microservice • Each has the same security challenges than a monolith • No input should be trusted • Check client authentication & authorisation for each action (= zero trust) • Monitor vulnerabilities and attacks 12 Microservice Infrastructure • Cryptographically secure service to service communications • Trace requests origins towards the network’s edge • Leverage your business logic when blocking attacks • Consolidate security logs & monitoring
  • 13. Security: zoom on a single microservice
  • 14. Risks on one microservice • TL; DR: Same than monoliths. • OWASP Top 10 (top 10 most common vulnerabilities) • Business logic issues • Remember: we broke a monolith apart. • Trust mutual communications. 14
  • 15. One service security = as critical as the whole 2 key characteristics of a microservice: • Low coupling • Reusability (by other teams = services) Consequences: • Inputs shouldn’t be trusted • Security controls need to happen at each service level 15 Microservice
  • 16. Async workers matter too! 16 DB DB Stream Ingestion Monitoring Auth Configuration Async worker Analytics DB DB They can be exploited in several ways. Exploited flaws can allow to query other services in the network.
  • 17. Microservice observability The code • Vulnerable packages • New routes • Vulnerable functions The business logic • Who are my clients / my servers • Am I performing business sensitive operations? • Personal information flowing in my code The users • Account theft attacks • User performing attacks 17 New route detected: /user/:user_id/export users.rb:88 Committed by jon.hopkins on 01.03.2018 SQL injection blocked authorization.mycompany.com Framework: Gin 1.5.0 Databases: PostgreSQL, MongoDB New Go 1.13 service detected: “Authorization”
  • 20. Attacks: trace them back to the attacker 20 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics• Attack blocked on a nested service • Need to be traced back to the external attacker
  • 21. 21 •Apply cryptography •Mutual authentication Bound to a channel: ✅ Analytics → Auth ❌ Analytics → Configuration Zero trust: Authentication & authorisation per service Service to service communications DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics
  • 22. How to respond to attacks in a microservice architecture?
  • 23. Block the actor at the edge 23 DB DB DB Stream DB Ingestion Monitoring Auth Configuration Worker Analytics Blocked actors are fully isolated But errors are dramatics ❌ ❌ ❌
  • 24. Block only sensitive services 24 Bad actor detected:
 hacker@somedomain.com Prevent access to services: Analytics, Auth • Some sensitive services are denied • Best effort to keep providing functionality to the blocked actor DB DB DB Stream DB Monitoring Auth Configuration Worker Analytics ❌❌ ❌ ❌
  • 25. Decrease rights of a given actor 25 DB DB DB Stream DB Monitoring Auth Configuration Worker Analytics Bad actor detected:
 hacker@somedomain.com —> Deny all further
 authorisations • Fine grained approach • Depends on business logic • Prevent only some business sensitive actions • Best to keep providing some level of service
  • 27. Lexicon SSRF: vulnerability that can allow to query internal micro services RCE: outcome of some vulnerabilities exploitation. Allows to query internal micro services. East/West: service to service communications North/West: external world to service communications OWASP top 10: top 10 most common vulnerabilities mTLS: two ways cryptographic authentication Micro Perimeter: perimeter of 1 micro service ALTS: Application Layer Transport Security 27