Page 1
Practical Microservice Security
Laura Bell
Page 2
Laura Bell, Founder and Lead Consultant - SafeStack
@lady_nerd [email protected] http://safestack.io
Practical Microservice Security
Page 3
Caution: fast-paced field ahead; watch for out-of-date content
Page 5
In this talk: Security Fundamentals
Some important points that are worth refreshing
Prevention: avoid common vulnerabilities and avoid mistakes
Detection: prepare for survival and response
Page 9
apps that automatically scale up to handle millions of users and scale down again
to have this be done by smaller teams
Page 10
Integrity
Availability
Confidentiality
Page 11
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of Privilege
Page 14
so bad that Stack Overflow has a process to handle it
Page 15
"For storing passwords in a database, MD5 is acceptable, supposing you salt it properly. For this usage, the known attack is entirely unimportant. If you are in paranoia mode, you can use a more complicated scheme like bcrypt too, but for most people, storing a salted password is just good enough. It prevents the easiest, most obvious attack, is easy to implement, hard to do wrong, and has low overhead."
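The quoted answer is the kind of advice the talk holds up as an example of bad, widely repeated guidance: a single salted MD5 is cheap to compute, so an attacker with a copy of the table can test guesses at enormous speed. The script below is an added example, not code from the talk or from SafeStack, and it shows the contrast a defender cares about: the quoted scheme beside a purpose-built password hash (scrypt from Python's standard library, chosen here in place of the bcrypt the quote mentions because it needs no third-party package), with constant-time comparison and a rehash-on-login path that migrates old salted-MD5 records to scrypt the next time a user authenticates. The record format (`algo$salt$digest`), the parameter choices and the sample passwords are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed parameters for this example: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)
KEY_LEN = 32


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """The scheme the quoted answer recommends: salt + one MD5 round.
    Kept only so old records can be verified and migrated; never use for new records."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def legacy_record(password: str) -> str:
    """Builds a record in the legacy (constructed) format 'md5$<hex salt>$<hex digest>'."""
    salt = os.urandom(16)
    return "md5$" + salt.hex() + "$" + legacy_md5_hash(password, salt)


def hash_password(password: str) -> str:
    """Builds a record in the format 'scrypt$<hex salt>$<hex key>' with a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=KEY_LEN, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_password(password: str, stored: str) -> bool:
    """Verifies against either record type using a constant-time digest comparison."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if algo == "scrypt":
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=KEY_LEN, **SCRYPT_PARAMS)
        return hmac.compare_digest(key.hex(), digest_hex)
    if algo == "md5":
        return hmac.compare_digest(legacy_md5_hash(password, salt), digest_hex)
    return False  # unknown algorithm tag: fail closed


def login_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Rehash-on-login: if the record is still legacy MD5 and the password is correct,
    return a new scrypt record for the caller to store in place of the old one."""
    ok = verify_password(password, stored)
    if ok and stored.startswith("md5$"):
        return True, hash_password(password)
    return ok, stored


def _demo() -> None:
    # Illustration only: how many legacy hashes fit into the time of one scrypt hash.
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.scrypt(b"guess", salt=salt, dklen=KEY_LEN, **SCRYPT_PARAMS)
    scrypt_seconds = time.perf_counter() - start
    start = time.perf_counter()
    count = 0
    while time.perf_counter() - start < scrypt_seconds:
        legacy_md5_hash("guess", salt)
        count += 1
    print(f"salted MD5 guesses computed in the time of one scrypt hash: {count}")

    old = legacy_record("hunter2")  # constructed sample password
    ok, new = login_and_upgrade("hunter2", old)
    print("legacy login ok:", ok, "| record migrated:", new.startswith("scrypt$"))


if __name__ == "__main__":
    _demo()
```

The migration path matters because you rarely get to reset every password at once: verifying against the old format keeps users working, and overwriting the record on a successful login retires the weak hashes without anyone noticing. Failing closed on an unknown algorithm tag stops a corrupted or hand-edited record from ever verifying.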
Page 16
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
find good, trusted, peer-reviewed sources
Page 17
or why acronyms make you less secure
Page 20
I'm sorry Dave, I can't let you do that
Page 21
(fast updating, never cached, multi-device default)
Page 22
the keys to token success
Page 23
header, field, format, method
Page 24
Service decomposition
Page 25
the reality of immature application segmentation
Page 30
Orchestration layer attacks
Page 32
"protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots."
Page 34
features that scare me
1) impersonation
2) investigation mode
3) demo accounts on production
4) SSL interception and analysis
5) many passwords in s
Page 35
Choose, Restrict, Monitor, Configure, Challenge, Test
Page 36
never assume a security vendor is better at secure development than you are
Page 39
Identity and access management
Page 40
the lowest set of permissions and accesses required to do your job
Page 41
require well-defined roles
Page 44
mature groups and role assistance
Page 45
Immutable architectures matter in microservice security
Page 46
but you might not be the right person to audit them
Page 47
including those changes made by an attacker
Page 49
become hard to persist
Page 50
Heterogeneous language and technology spaces
Page 54
vulnerability management
can be challenging in microservice architectures
Page 58
secure location, immutable format, away from production
Page 59
denial of service attacks
Page 60
backup, health check, domains
Page 61
like actually, for real, not just when you're debugging
Page 62
TL;DR: Security Fundamentals
Some important points that are worth refreshing
Prevention: avoid common vulnerabilities and avoid mistakes
Detection: prepare for survival and response
Page 65
Laura Bell, Founder and Lead Consultant - SafeStack
@lady_nerd [email protected] http://safestack.io
Questions?