The document discusses securing microservices. It covers topics like transport security using HTTPS, managing client-side certificates, authentication using OAuth or forms, securing data at rest, perimeter security, patching vulnerabilities, detection and response to security incidents, backups, and communication about security issues. The overall message is that securing microservices requires preventing incidents, detecting problems when they occur, responding appropriately, and enabling recovery through methods like backups.

1. SECURING
MICROSERVICES
Berlin Microservices Meetup
October 2015

2. SECURING
MICROSERVICES
Berlin Microservices Meetup
October 2015

3. @samnewman

4. @samnewman
Sam Newman
Building
Microservices
DESIGNING FINE-GRAINED SYSTEMS

5. @samnewman

6. @samnewmanhttps://www.flickr.com/photos/seattlemunicipalarchives/4058808950

7. @samnewmanhttps://www.flickr.com/photos/theseanster93/485390997/

8. @samnewman
http://map.norsecorp.com/

9. @samnewman

10. @samnewman

11. @samnewman
S/M TestsBuild Large Tests Production
Security? Security?

12. @samnewman
S/M TestsBuild Large Tests Production
Security? Security?

13. @samnewmanhttps://www.microsoft.com/en-us/sdl/

14. @samnewman

15. @samnewman
Prevention

16. @samnewman
Prevention Detection

17. @samnewman
Prevention Detection
Response

18. @samnewman
Prevention Detection
ResponseRecovery

19. @samnewman
Prevention Detection
ResponseRecovery

20. @samnewman
Prevention Detection
ResponseRecovery

21. @samnewmanhttps://www.flickr.com/photos/adulau/15680439035/

22. @samnewmanhttps://www.flickr.com/photos/duanestorey/469163789/

23. @samnewman
https://www.schneier.com/paper-attacktrees-ddj-ft.html

24. @samnewman
Open Safe

25. @samnewman
Open Safe
Pick Lock Learn Combo Cut Open

26. @samnewman
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target

27. @samnewman
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe

28. @samnewman
Open Safe
Pick Lock Learn Combo Cut Open
Find Written
Combo
Get Combo from
the target
Blackmail Threaten Bribe
Impossible
Impossible Impossible
Possible
Possible
Possible

29. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service

30. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
Transport Security

31. @samnewman
HTTPS Everywhere!

32. BENEFITS OF HTTPS?
18

33. BENEFITS OF HTTPS?
▫︎Server guarantees!
18

34. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
18

35. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
▫︎…but no client guarantee and…
18

36. BENEFITS OF HTTPS?
▫︎Server guarantees!
▫︎Payload not manipulated…
▫︎…but no client guarantee and…
▫︎…certificates can be a pain
18

37. Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service

38. @samnewman
https://letsencrypt.org/

39. @samnewman

40. CLIENT-SIDE CERTIFICATES?
22

41. CLIENT-SIDE CERTIFICATES?
▫︎Client guarantees!
22

42. CLIENT-SIDE CERTIFICATES?
▫︎Client guarantees!
▫︎…but a PITA to manage….
22

43. @samnewman
http://techblog.netflix.com/2015/09/introducing-lemur.html

44. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service

45. @samnewman
Auth?

46. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth

47. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth
User
service

48. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
Web
browsers
Form AuthOAuth
User
service

49. @samnewman
Confused Deputy Problem!

50. @samnewman
Data At Rest?

51. @samnewman
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
User
service

52. @samnewman
Aside: Docker

53. @samnewman
http://www.banyanops.com/blog/analyzing-docker-hub/

54. @samnewman
Patch Your Stuff

55. @samnewman33
Prevention Detection
ResponseRecovery

56. @samnewman33
Prevention Detection
ResponseRecovery

57. @samnewman
https://www.qualys.com/research/top10/

58. @samnewman
Polyglot = more stuff to track!

59. @samnewman
https://www.modsecurity.org/

60. @samnewman37
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service

61. @samnewman37
Catalog
service
Music
Web Shop
Recommend
service
Royalty
service
Mobile
app
Web
browsers
User
service
PERIMITER SECURITY!

62. @samnewman
CC Attribution 2.0 Generic https://www.flickr.com/photos/flissphil/52158537/

63. @samnewman
http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet

64. @samnewman

65. @samnewman
https://haveibeenpwned.com/

66. @samnewman42
Prevention Detection
ResponseRecovery

67. @samnewman42
Prevention Detection
ResponseRecovery

68. @samnewman

69. @samnewman

70. @samnewman

71. @samnewmanhttp://krebsonsecurity.com/tag/target-data-breach/

72. @samnewman
Comms

73. @samnewman

74. @samnewman4949
Prevention Detection
ResponseRecovery

75. @samnewman4949
Prevention Detection
ResponseRecovery

76. @samnewman
Backups

77. @samnewman
Burn it all down

78. @samnewman
Comms

79. @samnewman535353
Prevention Detection
ResponseRecovery

80. @samnewman
snewman@thoughtworks.com
THANKS!