The document discusses containerization and isolation as security patterns for applications. It notes that consolidation is not actually a security pattern, and discusses hypervisors like Xen having vulnerabilities. Fragmentation through isolation into microservices is presented as a security pattern, while simply having more services is not. The document acknowledges that isolation patterns can require more work.

1. Secure Containerized Applications
Eric Windisch
@ewindisch
for

3. IsolationIsolation
Pattern #1Pattern #1

4. Service
{Application

7. ConsolidationConsolidation
Pattern #2Pattern #2
(not actually a security pattern)

11. Hypervisors: a case studyHypervisors: a case study
Xen project: ~38 CVEs in the past 12 months
29 CVEs with a CVSS score >4
This is a good great, functioning security team.
Fewer CVEs for other hypervisors is not indicative of
better security; it may mean worse security response.
https://www.cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html

12. "x86 considered
harmful"
VMs do not contain
1. http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
1

13. Consolidation may
be appropriate for
you, but it's not a
security pattern.

14. FragmentationFragmentation
(aka isolation)
Pattern #3Pattern #3

16. (micro)Services(micro)Services
= isolation
...not more services
with more seams

21. "This seems
like a lot of
work"

24. Thank you,Thank you,
Eric WindischEric Windisch
eric@windisch.us
@ewindisch