Securing Microservices: Threat Modelling and Session Security
Presented by David Hoelzer (SANS) and Matt Silverlock (CloudFlare)
Apr 15, 2017
What is a "microservice"?
(and what security challenges do they bring?)
What is a microservice?
● Modular approach to building services.
● Reinvention of the Service Orientated Architecture (SOA) model.
● Micro-services often declare API contracts, but development & deployment are self-contained.
What is a microservice?
Benefits
● Less coupling: easier to reason about changes.
● Apply the most appropriate technology to the problem at hand.
● Better suits larger organizations with multiple teams.
● Easier to test when self-contained: less infrastructure to spin up when iterating.
What is a microservice?
Challenges
● Multiple moving parts: more surface area to secure as services communicate with each other.
● Can add complexity in smaller organizations: more tech stacks to maintain, update and patch.
● The need to define formal API contracts so that services with different development cycles can reliably communicate with each other.
Threat Modelling
Understand what you're defending against.
Threat Modelling
● Stop thinking about what it’s supposed to do
  ○ Stand back and try to think about how someone could abuse it
  ○ Start where you have security mitigations
  ○ Next, think about where you don’t and the assumptions made
What’s the Point?
● Organizations have many mitigations
  ○ Firewalls, AV, IDS, etc.
● The threat is not clearly identified by any single activity
  ○ It’s the behavior rather than a signature
What’s the Point for Microservices?
● Monolithic Web Applications
  ○ Session issues are a very well known problem
● Microservices
  ○ We still have sessions, but they are often far more stateless!
  ○ How do we define an authenticated “session”?
  ○ Are there behaviors that we can defend against?
Microservices Session Threat
Microservices Session Impersonation
Threat Modelling
● Everyone watches for repeated authentication failures
  ○ Do you currently include anything in the session verification process?
Threat Modelling
● API keys are a possible approach
  ○ Issue public/private keypair
  ○ All requests must be signed with public key
    ■ more computation, but not awful
● How critical is it that the API keys are protected by end users or apps?
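An added example (not from the presenters' slides) of the signed-request approach above, written in Go with Ed25519: the caller signs each request with its private key and the receiving service verifies it against the public key registered for that key id. The key id `billing-svc`, the paths, the canonical string layout and the two-minute window are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew bounds how old (or far ahead) a signed request may be; assumed value.
const maxSkew = 2 * time.Minute

// canonical binds method, path, timestamp and body into the message that is signed.
func canonical(method, path string, ts int64, body []byte) []byte {
	return []byte(method + "\n" + path + "\n" + strconv.FormatInt(ts, 10) + "\n" + string(body))
}

// SignRequest runs on the caller, the only party that holds the private key.
func SignRequest(priv ed25519.PrivateKey, method, path string, ts int64, body []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(method, path, ts, body)))
}

// VerifyRequest runs on the receiving service, which stores public keys only.
func VerifyRequest(keys map[string]ed25519.PublicKey, keyID, method, path string, ts int64, body []byte, sig string, now time.Time) error {
	pub, ok := keys[keyID]
	if !ok {
		return errors.New("unknown or revoked key id")
	}
	age := now.Sub(time.Unix(ts, 0))
	if age > maxSkew || age < -maxSkew {
		return errors.New("timestamp outside allowed window")
	}
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(pub, canonical(method, path, ts, body), raw) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo keypair
	keys := map[string]ed25519.PublicKey{"billing-svc": pub}
	now, body := time.Now(), []byte(`{"amount":10}`)
	sig := SignRequest(priv, "POST", "/v1/charge", now.Unix(), body)
	fmt.Println(VerifyRequest(keys, "billing-svc", "POST", "/v1/charge", now.Unix(), body, sig, now))
	fmt.Println(VerifyRequest(keys, "billing-svc", "POST", "/v1/refund", now.Unix(), body, sig, now))
}
```

The timestamp window only narrows replay; a captured request can still be replayed inside it unless the service also tracks a per-request nonce. Deleting a key id from the map is the revocation path.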
Threat Modelling
● Session issues are not new
  ○ Microservices change the game since these are inherently non-monolithic applications
  ○ It is critical that the “We do one thing well” philosophy include a thoughtful analysis of potential threats and exposures
● Requires threat-focused defensive coding
Layered Defenses
There are no silver bullets.
Layered Defenses
● Offload work to the network edge: validate traffic (firewall, reputation, rate limiting) before it reaches your services.
● Protect your resources: prevent outside attackers from consuming resources (spawning more containers may not be the solution).
● Protect your data: multiple discrete services now accessing shared datastores. Each service should only access what it needs, and no more.
● Secure containers: authenticate endpoints, support revocation, and keep images updated.
● Know what you're running: always pulling down the latest image from an image repository or from GitHub may not be a great idea.
● Manage secrets: do your microservices have access to the secrets they need, and only the secrets they need?
Questions & Answers