Practical Microservice Security Laura Bell


Feb 14, 2017

Transcript
Page 1: Practical Microservice Security

Practical Microservice Security
Laura Bell

Page 2: Practical Microservice Security

Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd
[email protected]
http://safestack.io

Practical Microservice security

Page 3: Practical Microservice Security

caution: fast paced field ahead, watch for out of date content

Page 4: Practical Microservice Security
Page 5: Practical Microservice Security

In this talk: Security Fundamentals

Some important points that are worth refreshing

Prevention: Avoid common vulnerabilities and avoid mistakes

Detection: Prepare for survival and response

Page 6: Practical Microservice Security
Page 7: Practical Microservice Security
Page 8: Practical Microservice Security
Page 9: Practical Microservice Security

apps that automatically scale up to handle millions of users and scale down again

to have this be done by smaller teams

Page 10: Practical Microservice Security

Integrity

Availability

Confidentiality

Page 11: Practical Microservice Security

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of Privilege

Page 12: Practical Microservice Security
Page 13: Practical Microservice Security

Basic controls

Page 14: Practical Microservice Security

so bad that StackOverflow has a process to handle it

Page 15: Practical Microservice Security

For storing passwords in a database, MD5 is acceptable, supposed you salt it properly. For this usage, the known attack is entirely unimportant. If you are in paranoia mode, you can use a more complicated scheme like bcrypt too, but for most people, storing a salted password is just good enough. It prevents the easiest, most obvious attack, is easy to implement, hard to do wrong, and has low overhead.

Page 16: Practical Microservice Security

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

find good trusted, peer reviewed sources

Page 17: Practical Microservice Security

or why acronyms make you less secure

Page 18: Practical Microservice Security

2FA

Page 19: Practical Microservice Security

Planned

Page 20: Practical Microservice Security

I’m sorry Dave, I can’t let you do that

Page 21: Practical Microservice Security

(fast updating, never cached, multi-device default)

Page 22: Practical Microservice Security

the keys to token success

Page 23: Practical Microservice Security

header, field, format, method

Page 24: Practical Microservice Security

Service decomposition

Page 25: Practical Microservice Security

the reality of immature application segmentation

Page 26: Practical Microservice Security
Page 27: Practical Microservice Security

shouldn’t

Page 28: Practical Microservice Security
Page 29: Practical Microservice Security

exhaustion

Page 30: Practical Microservice Security

Orchestration layer attacks

Page 31: Practical Microservice Security

rule them all?

Page 32: Practical Microservice Security

<quote>protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots.</quote>

Page 33: Practical Microservice Security

simple

Page 34: Practical Microservice Security

features that scare me
1) impersonation
2) investigation mode
3) demo accounts on production
4) SSL interception and analysis
5) many passwords in s

Page 35: Practical Microservice Security

Choose, Restrict, Monitor, Configure, Challenge, Test

Page 36: Practical Microservice Security

never assume a security vendor is better at secure development than you are

Page 37: Practical Microservice Security
Page 38: Practical Microservice Security
Page 39: Practical Microservice Security

Identity and access management

Page 40: Practical Microservice Security

the lowest set of permissions and accesses required to do your job

Page 41: Practical Microservice Security

require well defined roles

Page 42: Practical Microservice Security

vs.

Page 43: Practical Microservice Security

Automate and alert

Page 44: Practical Microservice Security

mature groups and role assistance

Page 45: Practical Microservice Security

Immutable architectures matter in microservice security

Page 46: Practical Microservice Security

but you might not be the right person to audit them

Page 47: Practical Microservice Security

including those changes made by an attacker

Page 48: Practical Microservice Security

TypicalActions:

Page 49: Practical Microservice Security

become hard to persist

Page 50: Practical Microservice Security

Heterogeneous language and technology spaces

Page 51: Practical Microservice Security
Page 52: Practical Microservice Security

you

Page 53: Practical Microservice Security

technologies

Page 54: Practical Microservice Security

vulnerability management

can be challenging in microservice architectures

Page 55: Practical Microservice Security
Page 56: Practical Microservice Security
Page 57: Practical Microservice Security

All

Page 58: Practical Microservice Security

secure location, immutable format, away from production

Page 59: Practical Microservice Security

denial of service attacks

Page 60: Practical Microservice Security

backup, health check, domains

Page 61: Practical Microservice Security

like actually, for real, not just when you’re debugging

Page 62: Practical Microservice Security

TL;DR: Security Fundamentals

Some important points that are worth refreshing

Prevention: Avoid common vulnerabilities and avoid mistakes

Detection: Prepare for survival and response

Page 63: Practical Microservice Security
Page 64: Practical Microservice Security
Page 65: Practical Microservice Security

Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd
[email protected]
http://safestack.io

Questions?

Page 66: Practical Microservice Security