SECURING
MICROSERVICES
Berlin Microservices Meetup
October 2015
@samnewman
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS
https://www.flickr.com/photos/seattlemunicipalarchives/4058808950
https://www.flickr.com/photos/theseanster93/485390997/
http://map.norsecorp.com/
Deployment pipeline: Build → S/M Tests → Large Tests → Production
Security? Security?
https://www.microsoft.com/en-us/sdl/
Prevention / Detection / Response / Recovery
https://www.flickr.com/photos/adulau/15680439035/
https://www.flickr.com/photos/duanestorey/469163789/
https://www.schneier.com/paper-attacktrees-ddj-ft.html
Attack tree (Schneier's safe example, as cited above):
Open Safe
  Pick Lock: Impossible
  Learn Combo
    Find Written Combo: Impossible
    Get Combo from the target
      Blackmail: Impossible
      Threaten: Impossible
      Bribe: Possible
  Cut Open: Possible
(Leaf judgements as assigned in Schneier's paper. Every node here is an OR goal: it is Possible if any child is, so Open Safe is Possible via Bribe or via Cut Open.)
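The tree above, as an added worked example that is not part of the talk: a small Go attack-tree evaluator. The leaf judgements (Pick Lock, Find Written Combo, Blackmail and Threaten impossible; Bribe and Cut Open possible) follow Schneier's worked example that the slide cites. The AND-node support and the Mitigate helper go beyond the slide's all-OR tree and are assumptions added for illustration; they let you ask the practical question the tree is for: which controls actually close the root goal rather than one of several paths to it.

```go
package main

import "fmt"

// Node is one vertex of an attack tree. A leaf carries the analyst's
// judgement (Possible / Impossible); an interior node is either an OR goal
// (any child suffices) or an AND goal (every child is required).
type Node struct {
	Name     string
	And      bool // false: OR node (the slide's tree is all OR); true: AND node
	Feasible bool // leaf judgement only: true = "Possible"
	Children []*Node
}

func OR(name string, kids ...*Node) *Node   { return &Node{Name: name, Children: kids} }
func AND(name string, kids ...*Node) *Node  { return &Node{Name: name, And: true, Children: kids} }
func Leaf(name string, possible bool) *Node { return &Node{Name: name, Feasible: possible} }

// Paths returns every feasible way to reach this goal, each as the set of
// leaf attacks the adversary must carry out. OR nodes branch; AND nodes take
// the cartesian product of their children's paths, so one impossible child
// of an AND node kills every path through it.
func (n *Node) Paths() [][]string {
	if len(n.Children) == 0 {
		if n.Feasible {
			return [][]string{{n.Name}}
		}
		return nil
	}
	if !n.And {
		var out [][]string
		for _, c := range n.Children {
			out = append(out, c.Paths()...)
		}
		return out
	}
	acc := [][]string{{}}
	for _, c := range n.Children {
		var next [][]string
		for _, a := range acc {
			for _, p := range c.Paths() {
				next = append(next, append(append([]string{}, a...), p...))
			}
		}
		acc = next
	}
	return acc
}

// Possible is the root question the slide answers: is the goal reachable?
func (n *Node) Possible() bool { return len(n.Paths()) > 0 }

// Mitigate returns a copy of the tree with the named leaves marked
// impossible, i.e. the effect of adding a control, so you can check whether
// a planned fix closes the goal or just one of several paths to it.
func (n *Node) Mitigate(closed ...string) *Node {
	c := *n
	c.Children = nil
	for _, name := range closed {
		if len(n.Children) == 0 && n.Name == name {
			c.Feasible = false
		}
	}
	for _, k := range n.Children {
		c.Children = append(c.Children, k.Mitigate(closed...))
	}
	return &c
}

// SafeTree is the "Open Safe" tree from the slide, with the leaf judgements
// taken from Schneier's worked example (cited on the page).
func SafeTree() *Node {
	return OR("Open Safe",
		Leaf("Pick Lock", false),
		OR("Learn Combo",
			Leaf("Find Written Combo", false),
			OR("Get Combo from the target",
				Leaf("Blackmail", false),
				Leaf("Threaten", false),
				Leaf("Bribe", true))),
		Leaf("Cut Open", true))
}

func main() {
	tree := SafeTree()
	fmt.Println("open safe possible:", tree.Possible(), "via", tree.Paths())
	fmt.Println("after making bribery impossible:", tree.Mitigate("Bribe").Paths())
	fmt.Println("after also hardening against cutting:", tree.Mitigate("Bribe", "Cut Open").Possible())
}
```

Run as-is it reports two feasible paths (Bribe, Cut Open); closing only Bribe leaves the safe attackable, which is exactly the kind of half-fix the tree is meant to expose.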
Example system (diagram): Music Web Shop; clients: Web browsers, Mobile app; services: Catalog service, Recommend service, Royalty service, User service.
Transport Security
HTTPS Everywhere!
BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
▫︎…but no client guarantee and…
▫︎…certificates can be a pain
https://letsencrypt.org/
CLIENT-SIDE CERTIFICATES?
▫︎Client guarantees!
▫︎…but a PITA to manage….
http://techblog.netflix.com/2015/09/introducing-lemur.html
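The two points above (HTTPS gives server guarantees but no client guarantee; client-side certificates close that gap) as an added Go example. This is not code from the talk, and it is not how Lemur works: an in-memory CA issues a server certificate to a hypothetical royalty-service and a client certificate to a hypothetical music-web-shop, the server is configured with RequireAndVerifyClientCert, a plain-HTTPS caller is refused, and the certificate-bearing caller is identified by the CN in its verified certificate. The service names, the one-hour lifetimes and the use of a loopback httptest server are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a short-lived certificate signed by parent (self-signed when
// parent is nil). Names and lifetimes here are constructed for the demo.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, key
}

// Mesh holds one internal CA, a server that insists on client certificates
// chaining to that CA, and the client credential of one trusted caller.
type Mesh struct {
	Server *httptest.Server
	pool   *x509.CertPool
	client tls.Certificate
}

func NewMesh() *Mesh {
	_, ca, caKey := issue("demo internal CA", true, 0, nil, nil)
	server, _, _ := issue("royalty-service", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	client, _, _ := issue("music-web-shop", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handler only runs after the peer chain was verified against ClientCAs,
		// so the peer CN is a trustworthy caller identity, unlike any HTTP header.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this is the missing "client guarantee"
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return &Mesh{Server: srv, pool: pool, client: client}
}

// Call does GET / against the server. withCert=false is plain HTTPS: the
// caller verifies the server but presents nothing about itself.
func (m *Mesh) Call(withCert bool) (string, error) {
	cfg := &tls.Config{RootCAs: m.pool, MinVersion: tls.VersionTLS12}
	if withCert {
		cfg.Certificates = []tls.Certificate{m.client}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(m.Server.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	m := NewMesh()
	defer m.Server.Close()
	_, err := m.Call(false)
	fmt.Println("without client cert:", err)
	body, _ := m.Call(true)
	fmt.Println("with client cert:", body)
}
```

The "PITA to manage" part is visible even here: three key pairs, an expiry to track for each, and a CA whose private key now has to live somewhere safe; that operational load is what the Lemur link above is about.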
Auth?
Web browsers: Form Auth / OAuth
User
service
Confused Deputy Problem!
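The confused deputy in the diagram, as an added Go example that is not code from the talk: the Music Web Shop calls the Royalty service on a user's behalf. If the Royalty service takes the user's identity from a header the shop sets (a hypothetical X-User-Id), then the shop, or anyone who can reach the Royalty service, reads any account by changing one string. The hardened path passes the end user's own token through and has the Royalty service verify it itself. The HMAC-signed token format, the signing key and the service names are constructed for the demo and stand in for whatever the User service really issues.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed for this example: the key the User service signs tokens with.
// A verifying service should hold only what verification needs; with HMAC that
// is unavoidably the signing key, which is why asymmetric signatures or token
// introspection are preferred once several services must verify.
var userServiceKey = []byte("demo-user-service-key-not-for-production")

// IssueToken is the User service's job at login: bind the user's identity and
// an expiry under a MAC so any downstream service can check both without a
// call back. Constructed format (stands in for a JWT or similar):
// base64url("sub=<user>;exp=<unix>") "." base64url(HMAC-SHA256(payload)).
// Subjects are assumed not to contain ';' or '='.
func IssueToken(key []byte, subject string, expiry time.Time) string {
	payload := fmt.Sprintf("sub=%s;exp=%d", subject, expiry.Unix())
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyToken returns the subject if the MAC is genuine and the token is still
// valid at now. The MAC is checked before anything in the payload is trusted.
func VerifyToken(key []byte, token string, now time.Time) (string, error) {
	p, s, ok := strings.Cut(token, ".")
	if !ok {
		return "", errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(p)
	if err != nil {
		return "", err
	}
	sig, err := enc.DecodeString(s)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	var sub string
	var exp int64
	for _, kv := range strings.Split(string(payload), ";") {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "sub":
			sub = v
		case "exp":
			exp, _ = strconv.ParseInt(v, 10, 64)
		}
	}
	if sub == "" || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("missing subject or expired")
	}
	return sub, nil
}

// RoyaltyRequest is what the Royalty service sees when the Music Web Shop asks
// for a user's royalty statement on that user's behalf.
type RoyaltyRequest struct {
	Account    string // whose statement is requested
	UserHeader string // e.g. X-User-Id, written by the caller (vulnerable path)
	Token      string // the end user's own token, passed through (hardened path)
}

// authorizeTrustingCaller is the confused deputy: the Royalty service believes
// whatever identity its caller writes into a header.
func authorizeTrustingCaller(r RoyaltyRequest) bool {
	return r.UserHeader == r.Account
}

// authorizeWithUserToken makes the Royalty service check the end user's own
// credential; the deputy cannot act for a user whose valid token it lacks.
func authorizeWithUserToken(r RoyaltyRequest, now time.Time) bool {
	sub, err := VerifyToken(userServiceKey, r.Token, now)
	return err == nil && sub == r.Account
}

func main() {
	now := time.Now()
	alice := IssueToken(userServiceKey, "alice", now.Add(time.Hour))
	forged := RoyaltyRequest{Account: "bob", UserHeader: "bob", Token: alice}
	fmt.Println("header-trusting service lets alice read bob's statement:", authorizeTrustingCaller(forged))
	fmt.Println("token-verifying service lets alice read bob's statement:", authorizeWithUserToken(forged, now))
}
```

The check that matters is the last line of authorizeWithUserToken: verifying the signature proves the token is genuine, and comparing its subject against the requested account proves it belongs to the user whose data is being read. Either check alone leaves the deputy confused.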
Data At Rest?
User
service
Aside: Docker
http://www.banyanops.com/blog/analyzing-docker-hub/
Patch Your Stuff
Prevention / Detection / Response / Recovery
https://www.qualys.com/research/top10/
Polyglot = more stuff to track!
https://www.modsecurity.org/
PERIMETER SECURITY!
CC Attribution 2.0 Generic https://www.flickr.com/photos/flissphil/52158537/
http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet
https://haveibeenpwned.com/
Prevention / Detection / Response / Recovery
http://krebsonsecurity.com/tag/target-data-breach/
Comms
Prevention / Detection / Response / Recovery
Backups
Burn it all down
Comms
Prevention / Detection / Response / Recovery
snewman@thoughtworks.com
THANKS!
