This document appears to be a transcript from a presentation on application security and microservices. The summary includes: 1) The presentation discusses security challenges and strategies for microservices architectures, including transport security, authentication, authorization, encryption of data at rest, and perimeter security approaches. 2) Prevention, detection, response and recovery are emphasized as important aspects of a security strategy, along with practices like short-lived credentials, patching, and "repaving" or rebuilding systems on deployments. 3) Managing security risks across polyglot systems is highlighted as a challenge, as is the need to automate security practices and conduct thorough post-mortem analyses of incidents.

1. APPSEC &
MICROSERVICES
Sam Newman
Velocity 2016

2. @samnewman#velocityconf

3. @samnewman#velocityconf
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS

4. @samnewman#velocityconf
Microservices Can Make
Everything Worse

5. @samnewman#velocityconf

6. @samnewman#velocityconfhttps://www.flickr.com/photos/seattlemunicipalarchives/4058808950

7. @samnewman#velocityconf https://www.flickr.com/photos/theseanster93/485390997/

8. @samnewman#velocityconf
http://map.norsecorp.com/

9. @samnewman#velocityconf

10. @samnewman#velocityconf

11. @samnewman#velocityconf
Accounts
Returns
Invoicing
Shipping
Inventory
Customer
Service

12. @samnewman#velocityconf
Accounts
Returns
Invoicing
Shipping
Inventory
Customer
Service
Small Independently Deployable
services that work together, modelled
around a business domain

13. https://www.flickr.com/photos/wwworks/2607036664/

14. https://www.flickr.com/photos/lkowen/15803718243/

15. @samnewman#velocityconf

16. @samnewman#velocityconf

17. @samnewman#velocityconf

18. @samnewman#velocityconf

19. @samnewman#velocityconf

20. @samnewman#velocityconf
Prevention

21. @samnewman#velocityconf
Prevention Detection

22. @samnewman#velocityconf
Prevention Detection
Response

23. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

24. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

25. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

26. @samnewman#velocityconf https://www.flickr.com/photos/adulau/15680439035/

27. @samnewman#velocityconf https://www.flickr.com/photos/duanestorey/469163789/

28. @samnewman#velocityconf
https://www.schneier.com/paper-attacktrees-ddj-ft.html

29. @samnewman#velocityconf
Open Safe

30. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open

31. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target

32. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe

33. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe
Impossible
Impossible Impossible
Possible
Possible
Possible

34. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe

35. @samnewman#velocityconf
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe
$$$$
$$$$ $$$$
$$
$$
$

36. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service

37. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
Transport Security

38. @samnewman#velocityconf
HTTPS Everywhere!

39. BENEFITS OF HTTPS?

40. BENEFITS OF HTTPS?
▫︎Server guarantees!

41. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…

42. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
▫︎…but no client guarantee and…

43. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
▫︎…but no client guarantee and…
▫︎…certificates can be a pain

44. @samnewman#velocityconf
https://letsencrypt.org/

45. @samnewman#velocityconf

46. Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service

47. CLIENT-SIDE CERTIFICATES?

48. CLIENT-SIDE CERTIFICATES?
▫︎Client guarantees!

49. CLIENT-SIDE CERTIFICATES?
▫︎Client guarantees!
▫︎…but a PITA to manage….

50. @samnewman#velocityconf
http://techblog.netflix.com/2015/09/introducing-lemur.html

51. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service

52. @samnewman#velocityconf
Auth?

53. @samnewman#velocityconf
Auth?
Authentication

54. @samnewman#velocityconf
Auth?
Authentication Authorisation

55. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
Web
browsers

56. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth

57. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth
PERIMETER SECURITY!

58. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth
PERIMETER SECURITY!
User
service

59. @samnewman#velocityconf
Music
Web Shop
User
service
User
service
Implicit Trust?

60. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Mobile
app
Web
browsers
User
service
Web
browsers
User
service

61. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Mobile
app
Web
browsers
User
service
Web
browsers
User
service
Asking As Bob

62. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Mobile
app
Web
browsers
User
service
Web
browsers
User
service
Asking As Bob
Can I see
Alice’s Data?

63. @samnewman#velocityconf https://www.flickr.com/photos/lundyd/14481829564/
Confused
Deputy
Problem!

64. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service

65. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service

66. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service

67. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service
{
"id": "402ndj39",
"name": “Alice Alison"
}

68. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service
{
"id": "402ndj39",
"name": “Alice Alison"
}

69. @samnewman#velocityconf
Music
Web Shop
Web
browsers
User
service
{
"id": "402ndj39",
"name": “Alice Alison"
}

70. @samnewman#velocityconf
Data At Rest?

71. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
Payment
Gateway
Mobile
app
Web
browsers
User
service
User
service

72. @samnewman#velocityconf
Encryption!

73. @samnewman#velocityconf https://www.flickr.com/photos/aigle_dore/2781302649

74. @samnewman#velocityconf
Plain Text?

75. @samnewman#velocityconf

76. @samnewman#velocityconf
“In the API server secret data is stored as plaintext in etcd"
http://kubernetes.io/docs/user-guide/secrets/#security-properties

77. @samnewman#velocityconf
Secure Vaults

78. @samnewman#velocityconf

79. @samnewman#velocityconf

80. @samnewman#velocityconf
Aside: Docker

81. @samnewman#velocityconf
http://www.banyanops.com/blog/analyzing-docker-hub/

82. @samnewman#velocityconf

83. @samnewman#velocityconf

84. @samnewman#velocityconf
S/M TestsBuild Large Tests Production

85. @samnewman#velocityconf
S/M TestsBuild Large Tests Production
Security?

86. @samnewman#velocityconf
S/M TestsBuild Large Tests Production
Security?
OWASP ZAP Attack Proxy
Static Analysers

87. @samnewman#velocityconf https://www.microsoft.com/en-us/sdl/

88. @samnewman#velocityconf
https://medium.com/built-to-adapt/the-three-r-s-of-enterprise-security-
rotate-repave-and-repair-f64f6d6ba29d

89. @samnewman#velocityconf
“At or near the top of security concerns in the
datacenter is something called an Advanced
Persistent Threat (APT). An APT gains
unauthorized access to a network and can stay
hidden for a long period of time. Its goal is
usually to steal, corrupt, or ransom data.”
- Justin Smith, Pivotal

90. @samnewman#velocityconf
Rotate: Short-lived Credentials

91. @samnewman#velocityconf
Rotate: Short-lived Credentials
Repair: Patch Your Stuff

92. @samnewman#velocityconf
Rotate: Short-lived Credentials
Repave: Burn It Down!
Repair: Patch Your Stuff

93. @samnewman#velocityconf
http://www.theregister.co.uk/2014/06/18/code_spaces_destroyed/

94. @samnewman#velocityconf
https://github.com/michenriksen/gitrob

95. @samnewman#velocityconf
(don’t forget to limit
credential scope too)

96. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

97. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

98. @samnewman#velocityconf
https://www.qualys.com/research/top10/

99. @samnewman#velocityconf
http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet

100. @samnewman#velocityconf

101. @samnewman#velocityconf
Repair: Patch Your Stuff

102. @samnewman#velocityconf
https://www.modsecurity.org/

103. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service

104. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
PERIMETER SECURITY!

105. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
PERIMETER SECURITY!
PERIMETER SECURITY!

106. @samnewman#velocityconf
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
PERIMETER SECURITY!
PERIMETER SECURITY!
PERIMETERSECURITY!

107. @samnewman#velocityconf
Polyglot = more stuff to track!

108. @samnewman#velocityconf
https://www.npmjs.com/package/npm-check

109. @samnewman#velocityconf

110. @samnewman#velocityconf
b4a2f5ga2
4335egad3
ab2d56be3
847ea3dbe

111. @samnewman#velocityconf
b4a2f5ga2
4335egad3
ab2d56be3
847ea3dbe !!!
!!!

112. @samnewman#velocityconf
b4a2f5ga2
4335egad3
ab2d56be3
847ea3dbe
847ea3dbe
847ea3dbe
847ea3dbe
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
4335egad3
847ea3dbe
!!!
!!!

113. @samnewman#velocityconf
https://github.com/coreos/clair

114. @samnewman#velocityconf
Repair: Patch Your Stuff

115. @samnewman#velocityconf
Repair: Patch Your Stuff
Automate it

116. @samnewman#velocityconf
Repair: Patch Your Stuff
Automate it
Do It A Lot

117. @samnewman#velocityconf
Repair: Patch Your Stuff
Automate it
Do It A Lot
And Check Your Work

118. @samnewman#velocityconf

119. @samnewman#velocityconf
Polyglot = more things to break?

120. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

121. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

122. @samnewman#velocityconf

123. @samnewman#velocityconf

124. @samnewman#velocityconf

125. @samnewman#velocityconf http://krebsonsecurity.com/tag/target-data-breach/

126. @samnewman#velocityconf
Comms

127. @samnewman#velocityconf

128. @samnewman#velocityconf

129. @samnewman#velocityconf
https://en.wikipedia.org/wiki/Chicago_Tylenol_murders

130. @samnewman#velocityconf

131. @samnewman#velocityconf

132. @samnewman#velocityconf
Customer

133. @samnewman#velocityconf
Customer

134. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

135. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

136. @samnewman#velocityconf
Backups

137. @samnewman#velocityconf

138. @samnewman#velocityconf
Repave: Burn It Down!

139. @samnewman#velocityconf
Phoenix Servers

140. @samnewman#velocityconf
Phoenix Servers
Immutable Servers

141. @samnewman#velocityconf
Phoenix Servers
Immutable Servers
= repave on every release

142. @samnewman#velocityconf
Why not repave automatically when
you apply a patch?

143. @samnewman#velocityconf
RepaveBackups

144. @samnewman#velocityconf
Harder with microservices?
RepaveBackups

145. @samnewman#velocityconf
Harder with microservices?
RepaveBackups
AUTOMATE ALL THE THINGS

146. @samnewman#velocityconf
Post Mortems

147. @samnewman#velocityconf
http://www.smh.com.au/digital-life/mobiles/telstra-outage-manager-connected-customers-to-faulty-node-in-embarrassing-
error-20160209-gmpn7f.html

148. @samnewman#velocityconf
"[The employee responsible] didn't follow
procedures and clearly that's not a good thing
but I wouldn't want to pre-empt the proper
investigation and we'll figure out what the right
response is when we've had a chance to dig into
the detail."
- Australian Financial Review
http://www.afr.com/business/telecommunications/telstra-mobile-network-down-across-
australia-reports-20160209-gmpaty

149. @samnewman#velocityconf
http://samnewman.io/blog/2016/02/10/telstra_outage/

150. @samnewman#velocityconf
https://vimeo.com/102167635

151. @samnewman#velocityconf
“Finding the root cause of a
failure is like finding a root
cause of a success.”
http://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-sufficient/
John Allspaw

152. @samnewman#velocityconf
http://www.smh.com.au/technology/technology-news/telstra-free-data-guy-clocks-up-almost-
a-terabyte-of-downloads-20160404-gnxu14.html

153. @samnewman#velocityconf
Don’t forget to review your old
post-mortems too…

154. @samnewman#velocityconf
Don’t forget to review your old
post-mortems too…
…and the resulting action plans!

155. @samnewman#velocityconf
Prevention Detection
ResponseRecovery

156. @samnewman#velocityconf
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS
http://buildingmicroservices.com/

157. @samnewman#velocityconf
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS
http://buildingmicroservices.com/
http://samnewman.io/

158. @samnewman#velocityconf
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS
http://buildingmicroservices.com/
http://magpietalkshow.com/
http://samnewman.io/

159. @samnewman#velocityconf
Wednesday 22nd
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS
Signing
5.45pm
@ Oreilly Booth

160. @samnewman
snewman@thoughtworks.com
THANKS!