AppSec & Microservices - Velocity 2016

This is the longer, 90 min version of my Microservices talk, as presented at Velocity 2016 in Santa Clara.

Security is everyone's job, even if you're not a specialist. Microservices offer many options for securing your systems. Done right, microservices can increase the security of your vital data and processes. Done wrong, they can increase your attack surface. Sam Newman explores the importance of defense in depth, discussing the many different ways in which you can secure fine-grained, distributed architectures and outlining a model for how developers can think about application security and play their part. From there, Sam dives into the specific challenges of microservice architectures and explains how application security principles can be applied to these often much more complex systems. You'll leave with a high-level framework for thinking about application security, tools that help with prevention, detection, response and recovery, and the knowledge of what not to do when breaches happen.

Published in: Software

  1. APPSEC & MICROSERVICES Sam Newman Velocity 2016
  2. @samnewman #velocityconf
  3. Sam Newman, Building Microservices: Designing Fine-Grained Systems
  4. Microservices Can Make Everything Worse
  5. (no text)
  6. https://www.flickr.com/photos/seattlemunicipalarchives/4058808950
  7. https://www.flickr.com/photos/theseanster93/485390997/
  8. http://map.norsecorp.com/
  9. (no text)
  10. (no text)
  11. Accounts, Returns, Invoicing, Shipping, Inventory, Customer Service
  12. Accounts, Returns, Invoicing, Shipping, Inventory, Customer Service. Small, independently deployable services that work together, modelled around a business domain.
  13. https://www.flickr.com/photos/wwworks/2607036664/
  14. https://www.flickr.com/photos/lkowen/15803718243/
  15. (no text)
  16. (no text)
  17. (no text)
  18. (no text)
  19. (no text)
  20. Prevention
  21. Prevention, Detection
  22. Prevention, Detection, Response
  23. Prevention, Detection, Response, Recovery
  24. Prevention, Detection, Response, Recovery
  25. Prevention, Detection, Response, Recovery
  26. https://www.flickr.com/photos/adulau/15680439035/
  27. https://www.flickr.com/photos/duanestorey/469163789/
  28. https://www.schneier.com/paper-attacktrees-ddj-ft.html
  29. (attack tree) Open Safe
  30. (attack tree) Open Safe: Pick Lock, Learn Combo, Cut Open
  31. (attack tree) Open Safe: Pick Lock, Learn Combo (Find Written Combo, Get Combo from the target), Cut Open
  32. (attack tree) Open Safe: Pick Lock, Learn Combo (Find Written Combo, Get Combo from the target (Blackmail, Threaten, Bribe)), Cut Open
  33. (attack tree, as slide 32) each leaf labelled Impossible, Impossible, Impossible, Possible, Possible, Possible
  34. (attack tree, as slide 32)
  35. (attack tree, as slide 32) each leaf labelled with a cost: $$$$, $$$$, $$$$, $$, $$, $
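The attack tree on slides 29 to 35 can be evaluated mechanically once every leaf carries a feasibility flag and a cost. The following is an added example, not code from the talk or from Schneier's paper: it encodes the slide's safe tree with constructed costs (the slides only show relative $ bands), adds one AND node in Schneier's notation (eavesdropping, which the slides do not show) to bring out the difference between OR and AND branches, and returns the cheapest feasible path, which is where a defender's money should go first.

```python
"""Attack-tree evaluation in the style of Schneier's 'open safe' tree.

Added example; the costs and the extra 'Eavesdrop' AND node are constructed
for illustration and are not figures from the slides or the paper.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INFEASIBLE = float("inf")   # an "Impossible" leaf has infinite cost


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = INFEASIBLE  # only meaningful for leaves
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest feasible attack through `node`: (total cost, nodes used).

    OR node: the attacker picks the cheapest feasible child.
    AND node: the attacker must do every child, so costs add, and a single
    impossible child makes the whole branch impossible.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        best_cost, best_path = INFEASIBLE, []
        for child in node.children:
            cost, path = cheapest(child)
            if cost < best_cost:
                best_cost, best_path = cost, [node.name] + path
        return best_cost, best_path
    if node.kind == "and":
        total, path = 0.0, [node.name]
        for child in node.children:
            cost, sub = cheapest(child)
            if cost == INFEASIBLE:
                return INFEASIBLE, []
            total += cost
            path.extend(sub)
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_safe_tree() -> Node:
    """The slide's tree. Costs are constructed: the slides only show $ bands."""
    get_combo = Node("Get Combo from the target", "or", children=[
        Node("Blackmail", cost=4000),
        Node("Threaten", cost=INFEASIBLE),
        Node("Bribe", cost=200),
        # Constructed AND node in Schneier's notation, not on the slides:
        # both steps are required, and one of them is impossible here.
        Node("Eavesdrop", "and", children=[
            Node("Listen to conversation", cost=600),
            Node("Get target to state combo", cost=INFEASIBLE),
        ]),
    ])
    learn_combo = Node("Learn Combo", "or", children=[
        Node("Find Written Combo", cost=INFEASIBLE),
        get_combo,
    ])
    return Node("Open Safe", "or", children=[
        Node("Pick Lock", cost=INFEASIBLE),
        learn_combo,
        Node("Cut Open", cost=8000),
    ])


if __name__ == "__main__":
    cost, path = cheapest(build_safe_tree())
    print(cost, " -> ".join(path))
```

With these constructed numbers the cheapest route is bribery at 200, through Learn Combo and Get Combo from the target; the Eavesdrop branch is ruled out entirely because one of its mandatory steps is impossible. Re-running `cheapest` after raising a leaf's cost (for instance, after putting a control in place) shows whether the attacker's best option has actually moved.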
  36. (diagram) Catalog service, Music Web Shop, Recommend service, Royalty, Payment Gateway, Mobile app, Web browsers, User service
  37. (diagram, as slide 36) Transport Security
  38. HTTPS Everywhere!
  39. BENEFITS OF HTTPS?
  40. BENEFITS OF HTTPS? ▫︎ Server guarantees!
  41. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated…
  42. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and…
  43. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and… ▫︎ …certificates can be a pain
  44. https://letsencrypt.org/
  45. (no text)
  46. (diagram, as slide 36)
  47. CLIENT-SIDE CERTIFICATES?
  48. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees!
  49. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees! ▫︎ …but a PITA to manage…
  50. http://techblog.netflix.com/2015/09/introducing-lemur.html
  51. (diagram, as slide 36)
  52. Auth?
  53. Auth? Authentication
  54. Auth? Authentication, Authorisation
  55. (diagram, as slide 36, with a second Web browsers node)
  56. (diagram, as slide 55) Form Auth, OAuth
  57. (diagram, as slide 55) Form Auth, OAuth. PERIMETER SECURITY!
  58. (diagram, as slide 55, plus a second User service node) Form Auth, OAuth. PERIMETER SECURITY!
  59. (diagram) Music Web Shop, User service, User service. Implicit Trust?
  60. (diagram) Catalog service, Music Web Shop, Recommend service, Mobile app, Web browsers, User service, Web browsers, User service
  61. (diagram, as slide 60) Asking As Bob
  62. (diagram, as slide 60) Asking As Bob: Can I see Alice's Data?
  63. https://www.flickr.com/photos/lundyd/14481829564/ Confused Deputy Problem!
  64. (diagram) Music Web Shop, Web browsers, User service
  65. (diagram, as slide 64)
  66. (diagram, as slide 64)
  67. (diagram, as slide 64) { "id": "402ndj39", "name": "Alice Alison" }
  68. (diagram, as slide 67)
  69. (diagram, as slide 67)
  70. Data At Rest?
  71. (diagram, as slide 36, plus a second User service node)
  72. Encryption!
  73. https://www.flickr.com/photos/aigle_dore/2781302649
  74. Plain Text?
  75. (no text)
  76. "In the API server secret data is stored as plaintext in etcd" http://kubernetes.io/docs/user-guide/secrets/#security-properties (the wording of the Kubernetes docs at the time; later releases added optional encryption of Secrets at rest in etcd, which has to be configured explicitly)
  77. Secure Vaults
  78. (no text)
  79. (no text)
  80. Aside: Docker
  81. http://www.banyanops.com/blog/analyzing-docker-hub/
  82. (no text)
  83. (no text)
  84. (pipeline) Build → S/M Tests → Large Tests → Production
  85. (pipeline, as slide 84) Security?
  86. (pipeline, as slide 84) Security? OWASP ZAP Attack Proxy, Static Analysers
  87. https://www.microsoft.com/en-us/sdl/
  88. https://medium.com/built-to-adapt/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d
  89. "At or near the top of security concerns in the datacenter is something called an Advanced Persistent Threat (APT). An APT gains unauthorized access to a network and can stay hidden for a long period of time. Its goal is usually to steal, corrupt, or ransom data." - Justin Smith, Pivotal
  90. Rotate: Short-lived Credentials
  91. Rotate: Short-lived Credentials. Repair: Patch Your Stuff
  92. Rotate: Short-lived Credentials. Repave: Burn It Down! Repair: Patch Your Stuff
  93. http://www.theregister.co.uk/2014/06/18/code_spaces_destroyed/
  94. https://github.com/michenriksen/gitrob
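Slides 93 and 94 pair the Code Spaces story with gitrob: credentials committed to a repository are a standing liability, so scanning for them belongs in the pipeline alongside the ZAP and static-analysis stages of slide 86. The following added example (not gitrob and not code from the talk) shows the two detection techniques such tools rely on, fixed-format signatures and a Shannon-entropy check for opaque quoted strings, run over a constructed settings file. The rule set, the 4.0-bit threshold and the sample are illustrative; the AWS values are AWS's own documentation placeholders, not real keys.

```python
"""Minimal leaked-credential scanner: signature rules plus an entropy check.

Added example in the spirit of tools like gitrob; the rule set, the 4.0-bit
threshold and the sample file are constructed for illustration.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Fixed-format signatures. A real scanner ships far more of these.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]
# Quoted opaque strings long enough to be a key or token.
OPAQUE_STRING = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, English words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str]]:
    """Return (line number, rule name) for every hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
        for match in OPAQUE_STRING.finditer(line):
            if shannon_entropy(match.group(1)) >= entropy_threshold:
                findings.append((lineno, "high-entropy-string"))
    return findings


# Constructed sample file; the AWS values are AWS's documentation placeholders.
SAMPLE = """\
# settings.py (constructed sample, not a real repository)
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TLS_KEY = "-----BEGIN RSA PRIVATE KEY-----"
DEBUG = True
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Note that the access key id is caught by its signature but scores below the entropy threshold, while the secret key has no fixed format and is caught only by entropy; a scanner needs both kinds of rule. Running this against every commit in CI is the cheap version of the gitrob check, and, as slide 95 adds, a credential that does leak should have been scoped narrowly enough that the blast radius is small.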
  95. (don't forget to limit credential scope too)
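Slides 59 to 69 and slides 90 and 95 together describe the problem and the fix: a downstream service that believes whatever identity the calling service claims ("asking as Bob, can I see Alice's data?") is a confused deputy, and the credential that fixes this should carry the end user's identity, be short-lived, and be narrowly scoped. The following added example (not code from the talk; the HMAC token format, the signing key, Bob's user id and the scope names are assumptions, while Alice's record is the one on slide 67) shows the User service first in its trusting form and then checking a signed, expiring, scoped assertion issued at the perimeter.

```python
"""Confused deputy vs. an end-user assertion with expiry and scope.

Added example. The token format (base64 JSON claims + HMAC-SHA256), the
signing key, the scope names and Bob's user id are constructed for
illustration; Alice's record is the one shown on the slides.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumption: the perimeter (gateway) and the User service share this key.
# In production it would come from a vault and be rotated.
SIGNING_KEY = b"constructed-demo-key-rotate-me"

USERS = {
    "402ndj39": {"id": "402ndj39", "name": "Alice Alison"},  # from the slides
    "7f1c0a2b": {"id": "7f1c0a2b", "name": "Bob Bobson"},    # constructed
}


def issue_token(subject: str, scope, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Perimeter side: bind the authenticated user, a scope and a short expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scope), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # short-lived: a stolen token dies quickly
    return claims


def get_user_trusting(headers: Dict[str, str], user_id: str) -> Optional[Dict]:
    """Vulnerable User service: believes an unsigned 'acting as' header and
    never relates the claimed caller to the record requested. Any service
    (or anyone who can reach this one) can read any user."""
    if "X-Acting-As" not in headers:
        return None
    return USERS.get(user_id)


def get_user_checked(headers: Dict[str, str], user_id: str,
                     now: Optional[float] = None) -> Optional[Dict]:
    """Hardened User service: the end user's identity travels with the call
    and the authorisation decision is made here, not only at the perimeter."""
    claims = verify_token(headers.get("Authorization", ""), now)
    if claims is None:
        return None
    if "user:read" not in claims["scope"]:
        return None  # credential scope is limited
    if claims["sub"] != user_id:
        return None  # Bob's token cannot read Alice's record
    return USERS.get(user_id)


if __name__ == "__main__":
    bob = issue_token("7f1c0a2b", {"user:read"}, ttl_seconds=300)
    print("trusting:", get_user_trusting({"X-Acting-As": "7f1c0a2b"}, "402ndj39"))
    print("checked: ", get_user_checked({"Authorization": bob}, "402ndj39"))
```

The trusting version hands Alice's record to a caller merely asserting it acts for Bob; the checked version refuses a token for Bob, an expired token, a token with a changed signature, and a token whose scope does not include user data, and only then consults the user store. The shared symmetric key is the simplest thing that works for a demo; with many services an asymmetric signature from the gateway avoids distributing a secret that every service could use to mint tokens.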
  96. Prevention, Detection, Response, Recovery
  97. Prevention, Detection, Response, Recovery
  98. https://www.qualys.com/research/top10/
  99. http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet
  100. (no text)
  101. Repair: Patch Your Stuff
  102. https://www.modsecurity.org/
  103. (diagram) Catalog service, Music Web Shop, Recommend service, Royalty service, Mobile app, Web browsers, User service
  104. (diagram, as slide 103) PERIMETER SECURITY!
  105. (diagram, as slide 103) PERIMETER SECURITY! PERIMETER SECURITY!
  106. (diagram, as slide 103) PERIMETER SECURITY! PERIMETER SECURITY! PERIMETER SECURITY!
  107. Polyglot = more stuff to track!
  108. https://www.npmjs.com/package/npm-check
  109. (no text)
  110. (image digests) b4a2f5ga2, 4335egad3, ab2d56be3, 847ea3dbe
  111. (image digests) b4a2f5ga2, 4335egad3, ab2d56be3, 847ea3dbe, two of them flagged !!!
  112. (image digests, as slide 111) the flagged digests 847ea3dbe and 4335egad3 repeated across many running instances
  113. https://github.com/coreos/clair
  114. Repair: Patch Your Stuff
  115. Repair: Patch Your Stuff. Automate it
  116. Repair: Patch Your Stuff. Automate it. Do It A Lot
  117. Repair: Patch Your Stuff. Automate it. Do It A Lot. And Check Your Work
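Slides 110 to 117 make the patching point with image digests: know which digest every running instance was started from, match that inventory against what a scanner such as Clair reports, repave the affected instances, and then check that nothing is still running a flagged image. The following added example (not code from the talk or from Clair; the inventory, the digests and the scan result are constructed) does that bookkeeping, including the case where a "rebuilt" image is itself still flagged, which "check your work" exists to catch.

```python
"""Fleet inventory vs. scanner findings, with a post-repave check.

Added example; the inventory, digests and flagged set are constructed
for illustration (the digests on the slides are not reused here).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Instance = Tuple[str, str, str]  # (service, instance name, image digest)

# Constructed inventory: which image digest each running instance was started from.
INVENTORY: List[Instance] = [
    ("catalog",   "catalog-1",   "sha256:b4a2f5aa2"),
    ("catalog",   "catalog-2",   "sha256:b4a2f5aa2"),
    ("recommend", "recommend-1", "sha256:4335e9ad3"),
    ("recommend", "recommend-2", "sha256:4335e9ad3"),
    ("recommend", "recommend-3", "sha256:ab2d56be3"),  # already on the rebuilt image
    ("shop",      "shop-1",      "sha256:847ea3dbe"),
    ("shop",      "shop-2",      "sha256:847ea3dbe"),
    ("user",      "user-1",      "sha256:ab2d56be3"),
]

# Constructed scanner result (the kind of thing Clair reports): digests of
# images that contain a package with a known vulnerability.
VULNERABLE_DIGESTS: Set[str] = {"sha256:4335e9ad3", "sha256:847ea3dbe"}


def affected(inventory: List[Instance], vulnerable: Set[str]) -> Dict[str, List[str]]:
    """Instances running a flagged image, grouped by service."""
    by_service: Dict[str, List[str]] = defaultdict(list)
    for service, instance, digest in inventory:
        if digest in vulnerable:
            by_service[service].append(instance)
    return dict(by_service)


def repave(inventory: List[Instance], vulnerable: Set[str],
           rebuilt: Dict[str, str]) -> List[Instance]:
    """Simulate a rolling repave: every instance on a flagged digest is
    replaced by one started from the rebuilt image for its service.
    Nothing here checks that the rebuilt image is actually clean."""
    out: List[Instance] = []
    for service, instance, digest in inventory:
        if digest in vulnerable:
            digest = rebuilt[service]
        out.append((service, instance, digest))
    return out


def unpatched(inventory: List[Instance], vulnerable: Set[str]) -> List[Tuple[str, str]]:
    """'Check your work': anything still running a flagged digest after the
    rollout, e.g. because the rebuild picked up the same vulnerable base image."""
    return [(s, i) for s, i, d in inventory if d in vulnerable]


if __name__ == "__main__":
    print("affected:", affected(INVENTORY, VULNERABLE_DIGESTS))
    rebuilt = {"recommend": "sha256:ab2d56be3", "shop": "sha256:0c9d1e2f3"}
    after = repave(INVENTORY, VULNERABLE_DIGESTS, rebuilt)
    print("still unpatched:", unpatched(after, VULNERABLE_DIGESTS))
```

The value of keeping `unpatched` separate from `repave` is that it is run against the live inventory after the rollout, not against what the deployment tool believes it did; if the recommend service was rebuilt from the same unpatched base and got the same digest back, the check lists those instances again and the "done" signal is withheld.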
  118. (no text)
  119. Polyglot = more things to break?
  120. Prevention, Detection, Response, Recovery
  121. Prevention, Detection, Response, Recovery
  122. (no text)
  123. (no text)
  124. (no text)
  125. http://krebsonsecurity.com/tag/target-data-breach/
  126. Comms
  127. (no text)
  128. (no text)
  129. https://en.wikipedia.org/wiki/Chicago_Tylenol_murders
  130. (no text)
  131. (no text)
  132. Customer
  133. Customer
  134. Prevention, Detection, Response, Recovery
  135. Prevention, Detection, Response, Recovery
  136. Backups
  137. (no text)
  138. Repave: Burn It Down!
  139. Phoenix Servers
  140. Phoenix Servers, Immutable Servers
  141. Phoenix Servers, Immutable Servers = repave on every release
  142. Why not repave automatically when you apply a patch?
  143. Repave, Backups
  144. Harder with microservices? Repave, Backups
  145. Harder with microservices? Repave, Backups. AUTOMATE ALL THE THINGS
  146. Post Mortems
  147. http://www.smh.com.au/digital-life/mobiles/telstra-outage-manager-connected-customers-to-faulty-node-in-embarrassing-error-20160209-gmpn7f.html
  148. "[The employee responsible] didn't follow procedures and clearly that's not a good thing but I wouldn't want to pre-empt the proper investigation and we'll figure out what the right response is when we've had a chance to dig into the detail." - Australian Financial Review http://www.afr.com/business/telecommunications/telstra-mobile-network-down-across-australia-reports-20160209-gmpaty
  149. http://samnewman.io/blog/2016/02/10/telstra_outage/
  150. https://vimeo.com/102167635
  151. "Finding the root cause of a failure is like finding a root cause of a success." - John Allspaw, http://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-sufficient/
  152. http://www.smh.com.au/technology/technology-news/telstra-free-data-guy-clocks-up-almost-a-terabyte-of-downloads-20160404-gnxu14.html
  153. Don't forget to review your old post-mortems too…
  154. Don't forget to review your old post-mortems too… …and the resulting action plans!
  155. Prevention, Detection, Response, Recovery
  156. Sam Newman, Building Microservices: Designing Fine-Grained Systems http://buildingmicroservices.com/
  157. Sam Newman, Building Microservices: Designing Fine-Grained Systems http://buildingmicroservices.com/ http://samnewman.io/
  158. Sam Newman, Building Microservices: Designing Fine-Grained Systems http://buildingmicroservices.com/ http://magpietalkshow.com/ http://samnewman.io/
  159. Wednesday 22nd: Sam Newman, Building Microservices: Designing Fine-Grained Systems. Signing 5.45pm @ O'Reilly Booth
  160. @samnewman snewman@thoughtworks.com THANKS!
