APPSEC AND MICROSERVICES
Sam Newman, O’Reilly Software Architecture Conference, NYC 2016

Upload: sam-newman

Posted on 21-Jan-2017


TRANSCRIPT

@samnewman

http://map.norsecorp.com/

Accounts
Returns
Invoicing
Shipping
Inventory
Customer Service

Small autonomous services that work together, modelled around a business domain

Prevention
Detection
Response
Recovery

https://www.schneier.com/paper-attacktrees-ddj-ft.html

Attack tree: Open Safe
  Open Safe
    Pick Lock
    Learn Combo
      Find Written Combo
      Get Combo from the target
        Blackmail
        Threaten
        Bribe
    Cut Open
  Annotations on the slide: Impossible, Impossible, Impossible, Possible, Possible, Possible
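The tree on this slide, evaluated in code as an added example (not code from the talk or from Schneier's paper): it propagates the Possible/Impossible leaf annotations up through OR nodes (and AND nodes, which Schneier's trees also use) and lists which leaf sets still reach the root, so a defender can see which countermeasure closes which route. The assignment of labels to individual leaves is assumed, since the slide does not say which label belongs to which leaf.

```python
# Added example (not from the talk or Schneier's paper): evaluate the slide's
# "Open Safe" attack tree. The slide shows OR nodes only; AND nodes work too.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    name: str
    gate: str = "OR"                 # "OR": any child suffices; "AND": all needed
    children: List["Node"] = field(default_factory=list)
    possible: Optional[bool] = None  # Possible/Impossible annotation, leaves only

    def feasible(self) -> bool:
        """Propagate the leaf annotations up to this node."""
        if not self.children:
            return bool(self.possible)
        results = [c.feasible() for c in self.children]
        return all(results) if self.gate == "AND" else any(results)

    def scenarios(self) -> List[frozenset]:
        """Leaf sets that still reach this node; an empty list means Impossible."""
        if not self.children:
            return [frozenset([self.name])] if self.possible else []
        per_child = [c.scenarios() for c in self.children]
        if self.gate == "OR":
            return [s for cs in per_child for s in cs]
        combos = [frozenset()]           # AND: one scenario from every child
        for cs in per_child:
            combos = [a | b for a in combos for b in cs]
        return combos

    def mitigate(self, leaf_name: str) -> None:
        """Model a countermeasure by marking the named leaf Impossible."""
        if not self.children and self.name == leaf_name:
            self.possible = False
        for c in self.children:
            c.mitigate(leaf_name)

def leaf(name: str, possible: bool) -> Node:
    return Node(name, possible=possible)

def open_safe_tree() -> Node:
    """Structure follows the slide; which leaf carries which label is assumed."""
    get_combo = Node("Get Combo from the target", children=[
        leaf("Blackmail", False), leaf("Threaten", False), leaf("Bribe", True)])
    learn_combo = Node("Learn Combo",
                       children=[leaf("Find Written Combo", False), get_combo])
    return Node("Open Safe", children=[
        leaf("Pick Lock", False), learn_combo, leaf("Cut Open", True)])
```

Calling `open_safe_tree().scenarios()` shows the two routes that remain under the assumed labels; calling `mitigate()` on each of their leaves makes the root Impossible.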

Example system
  Catalog service
  Music Web Shop
  Recommend service
  Royalty Payment Gateway
  Mobile app
  Web browsers
  User service

Transport Security

HTTPS Everywhere!

BENEFITS OF HTTPS?
▫︎ Server guarantees!
▫︎ Payload not manipulated…
▫︎ …but no client guarantee and…
▫︎ …certificates can be a pain

https://letsencrypt.org/

CLIENT-SIDE CERTIFICATES?
▫︎ Client guarantees!
▫︎ …but a PITA to manage…

http://techblog.netflix.com/2015/09/introducing-lemur.html

Auth?

Web browsers: Form Auth / OAuth
User service

Confused Deputy Problem!

Data At Rest?

Patch Your Stuff

Prevention
Detection
Response
Recovery

https://www.qualys.com/research/top10/

https://www.modsecurity.org/

Example system
  Catalog service
  Music Web Shop
  Recommend service
  Royalty service
  Mobile app
  Web browsers
  User service

PERIMETER SECURITY!

Polyglot = more stuff to track!

Polyglot = more things to break?

Prevention
Detection
Response
Recovery

http://krebsonsecurity.com/tag/target-data-breach/

Comms

https://en.wikipedia.org/wiki/Chicago_Tylenol_murders

Prevention
Detection
Response
Recovery

Backups
Burn it all down
Harder with microservices?

Prevention
Detection
Response
Recovery

Sam Newman
Building Microservices: Designing Fine-Grained Systems
http://buildingmicroservices.com/
http://samnewman.io/
http://magpietalkshow.com/