Practical Microservice Security

Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd laura@safestack.io
http://safestack.io
Caution: fast paced field ahead, watch for out of date content
In this talk:
Security Fundamentals - some important points that are worth refreshing
Prevention - avoid common vulnerabilities and avoid mistakes
Detection - prepare for survival and response
Apps that automatically scale up to handle millions of users and scale down again,
and to have this be done by smaller teams.

Confidentiality, Integrity, Availability
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Escalation of Privilege
Basic controls
so bad that StackOverflow has a process to handle it
<quote>
For storing passwords in a database, MD5 is acceptable, supposing
you salt it properly. For this usage, the known attack is entirely
unimportant.
If you are in paranoia mode, you can use a more complicated
scheme like bcrypt too, but for most people, storing a salted
password is just good enough. It prevents the easiest, most
obvious attack, is easy to implement, hard to do wrong, and has
low overhead.
</quote>
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
Find good, trusted, peer-reviewed sources
or why acronyms make you less secure
2FA
Planned
I’m sorry Dave, I can’t let you do that
(fast updating, never cached, multi-device default)
The keys to token success: header, field, format, method
Service decomposition
the reality of immature application segmentation
shouldn’t
exhaustion
Orchestration layer attacks
rule them all?
<quote>
protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots.
</quote>
Simple features that scare me:
1) impersonation
2) investigation mode
3) demo accounts on production
4) SSL interception and analysis
5) many password sins
Choose
Restrict
Monitor
Configure
Challenge
Test
Never assume a security vendor is better at secure development than you are
Identity and access management
The lowest set of permissions and accesses required to do your job
require well defined roles
vs.
Automate and alert
mature groups and role assistance
Immutable architectures matter in microservice security,
but you might not be the right person to audit them
including those changes made by an attacker
Typical actions:
become hard to persist
Heterogeneous language and technology spaces
you
technologies
Vulnerability management can be challenging in microservice architectures
All
secure location
immutable format
away from production
denial of service attacks
backup, health check, domains
like actually, for real, not just when you’re debugging
TL;DR
Security Fundamentals - some important points that are worth refreshing
Prevention - avoid common vulnerabilities and avoid mistakes
Detection - prepare for survival and response
Questions?
Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd laura@safestack.io
http://safestack.io