Practical Microservice Security Laura Bell



Laura Bell, Founder and Lead Consultant - SafeStack, @lady_nerd, [email protected], http://safestack.io

Practical Microservice security

caution: fast paced field ahead, watch for out of date content

In this talk: Security Fundamentals

Some important points that are worth refreshing

Prevention: Avoid common vulnerabilities and avoid mistakes

Detection: Prepare for survival and response

apps that automatically scale up to handle millions of users and scale down again

to have this be done by smaller teams

Integrity

Availability

Confidentiality

Spoofing, Tampering, Repudiation

Information Disclosure, Denial of Service

Escalation of Privilege

Basic controls

so bad that Stack Overflow has a process to handle it

"For storing passwords in a database, MD5 is acceptable, supposed you salt it properly. For this usage, the known attack is entirely unimportant. If you are in paranoia mode, you can use a more complicated scheme like bcrypt too, but for most people, storing a salted password is just good enough. It prevents the easiest, most obvious attack, is easy to implement, hard to do wrong, and has low overhead."

https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

find good trusted, peer reviewed sources

or why acronyms make you less secure

2FA

Planned

I'm sorry Dave, I can't let you do that

(fast updating, never cached, multi-device default)

the keys to token success

header, field, format, method

Service decomposition

the reality of immature application segmentation

shouldn’t

exhaustion

Orchestration layer attacks

rule them all?

<quote>protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots.</quote>

simple

features that scare me: impersonation

2) investigation mode 3) demo accounts on production 4) SSL interception and analysis 5) many passwords ins

Choose, Restrict, Monitor, Configure, Challenge, Test

never assume a security vendor is better at secure development than you are

Identity and access management

the lowest set of permissions and accesses required to do your job

require well defined roles

v.s.

Automate and alert

mature groups and role assistance

Immutable architectures matter in microservice security

but you might not be the right person to audit them

including those changes made by an attacker

Typical Actions:

become hard to persist

Heterogeneous language and technology spaces

you

technologies

vulnerability management

can be challenging in microservice architectures

All

secure location, immutable format, away from production

denial of service attacks

backup, health check, domains

like actually, for real, not just when you're debugging

TL;DR Security Fundamentals

Some important points that are worth refreshing

Prevention: Avoid common vulnerabilities and avoid mistakes

Detection: Prepare for survival and response


Questions?