appsec and microservices
play

APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016 @gotocph - PowerPoint PPT Presentation

Sep 01, 2022 •260 likes •1.25k views

APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016 @gotocph @samnewman @gotocph @samnewman https://www. fl ickr.com/photos/seattlemunicipalarchives/4058808950 @gotocph @samnewman https://www. fl

  2. APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016

  3. @gotocph @samnewman

  4. @gotocph @samnewman https://www. fl ickr.com/photos/seattlemunicipalarchives/4058808950

  5. @gotocph @samnewman https://www. fl ickr.com/photos/theseanster93/485390997/

  6. http://map.norsecorp.com/ @gotocph @samnewman

  7. @gotocph @samnewman

  8. @gotocph @samnewman

  9. Shipping Returns Customer Service Invoicing Accounts Inventory @gotocph @samnewman

  10. Shipping Returns Small Autonomous services that work together , modelled Customer Service around a business domain Invoicing Accounts Inventory @gotocph @samnewman

  11. https://www. fl ickr.com/photos/wwworks/2607036664/

  12. https://www. fl ickr.com/photos/lkowen/15803718243/

  13. @gotocph @samnewman

  14. @gotocph @samnewman

  15. @gotocph @samnewman

  16. @gotocph @samnewman

  17. @gotocph @samnewman

  18. Prevention @gotocph @samnewman

  19. Prevention Detection @gotocph @samnewman

  20. Prevention Detection Response @gotocph @samnewman

  21. Prevention Detection Recovery Response @gotocph @samnewman

  22. Prevention Detection Recovery Response @gotocph @samnewman

  23. Prevention Detection Recovery Response @gotocph @samnewman

  24. @gotocph @samnewman https://www. fl ickr.com/photos/adulau/15680439035/

  25. https://www. fl ickr.com/photos/duanestorey/469163789/ @gotocph @samnewman

  26. https://www.schneier.com/paper-attacktrees-ddj-ft.html @gotocph @samnewman

  27. Open Safe @gotocph @samnewman

  28. Open Safe Pick Lock Learn Combo Cut Open @gotocph @samnewman

  29. Open Safe Pick Lock Learn Combo Cut Open Find Written Get Combo from Combo the target @gotocph @samnewman

  30. Open Safe Pick Lock Learn Combo Cut Open Find Written Get Combo from Combo the target Blackmail Threaten Bribe @gotocph @samnewman

  31. Open Safe Pick Lock Learn Combo Cut Open Impossible Possible Find Written Get Combo from Combo the target Possible Blackmail Threaten Bribe Impossible Impossible Possible @gotocph @samnewman

  32. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  33. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Transport Security Recommend User service service @gotocph @samnewman

  34. HTTPS Everywhere! @gotocph @samnewman

  35. BENEFITS OF HTTPS?

  36. BENEFITS OF HTTPS? ▫︎ Server guarantees!

  37. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated…

  38. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and…

  39. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and… ▫︎ …certi fi cates can be a pain

  40. https://letsencrypt.org/ @gotocph @samnewman

  41. @gotocph @samnewman

  42. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service

  43. CLIENT-SIDE CERTIFICATES?

  44. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees!

  45. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees! ▫︎ …but a PITA to manage….

  46. http://techblog.net fl ix.com/2015/09/introducing-lemur.html @gotocph @samnewman

  47. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  48. Auth? @gotocph @samnewman

  49. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  50. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  51. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  52. Confused Deputy Problem! @gotocph @samnewman

  53. Data At Rest? @gotocph @samnewman

  54. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  55. Aside: Docker @gotocph @samnewman

  56. http://www.banyanops.com/blog/analyzing-docker-hub/ @gotocph @samnewman

  57. Security? Security? Build S/M Tests Large Tests Production @gotocph @samnewman

  58. Security? Security? Build S/M Tests Large Tests Production @gotocph @samnewman

  59. https://www.microsoft.com/en-us/sdl/ @gotocph @samnewman

  60. Patch Your Stu ff @gotocph @samnewman

  61. Prevention Detection Recovery Response @gotocph @samnewman

  62. Prevention Detection Recovery Response @gotocph @samnewman

  63. https://www.qualys.com/research/top10/ @gotocph @samnewman

  64. http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet @gotocph @samnewman

  65. @gotocph @samnewman

  66. https://www.modsecurity.org/ @gotocph @samnewman

  67. Mobile Web app browsers Catalog Music Royalty service Web Shop service Recommend User service service @gotocph @samnewman

  68. Mobile Web app browsers PERIMETER SECURITY! Catalog Music Royalty service Web Shop service Recommend User service service @gotocph @samnewman

  69. Polyglot = more stu ff to track! @gotocph @samnewman

  70. Polyglot = more things to break? @gotocph @samnewman

  71. Prevention Detection Recovery Response @gotocph @samnewman

  72. Prevention Detection Recovery Response @gotocph @samnewman

  73. @gotocph @samnewman

  74. @gotocph @samnewman

  75. @gotocph @samnewman

  76. http://krebsonsecurity.com/tag/target-data-breach/ @gotocph @samnewman

  77. Comms @gotocph @samnewman

  78. Show teams with direct connection to users… Then show ‘backend services’ team Uni fi ed comms are needed! @gotocph @samnewman

  79. @gotocph @samnewman

  80. @gotocph @samnewman

  81. https://en.wikipedia.org/wiki/Chicago_Tylenol_murders @gotocph @samnewman

  82. http://www.smh.com.au/digital-life/mobiles/telstra-outage-manager-connected-customers-to-faulty-node-in-embarrassing- error-20160209-gmpn7f.html @gotocph @samnewman

  83. "[The employee responsible] didn't follow procedures and clearly that's not a good thing but I wouldn't want to pre-empt the proper investigation and we'll figure out what the right response is when we've had a chance to dig into the detail." - Australian Financial Review http://www.afr.com/business/telecommunications/telstra-mobile-network-down-across- australia-reports-20160209-gmpaty @gotocph @samnewman

  84. https://vimeo.com/102167635 @gotocph @samnewman

  85. “Finding the root cause of a failure is like finding a root cause of a success.” John Allspaw http://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-su ffi cient/ @gotocph @samnewman

  86. http://www.smh.com.au/technology/technology-news/telstra-free-data-guy-clocks-up-almost- a-terabyte-of-downloads-20160404-gnxu14.html @gotocph @samnewman

  87. Prevention Detection Recovery Response @gotocph @samnewman

  88. Prevention Detection Recovery Response @gotocph @samnewman

  89. Backups @gotocph @samnewman

  90. Backups Burn it all down @gotocph @samnewman

  91. Backups Burn it all down Harder with microservices? @gotocph @samnewman

  92. Review your old post-mortems @gotocph @samnewman

  93. Review your old post-mortems …and the resulting action plans! @gotocph @samnewman

  94. Prevention Detection Recovery Response @gotocph @samnewman

  95. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ @gotocph @samnewman

  96. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ http://samnewman.io/ @gotocph @samnewman

  97. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ http://samnewman.io/ http://magpietalkshow.com/ @gotocph @samnewman

Recommend

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We hired lots of engineers. They wrote lots of software. This causes lots of problems. Why use microservices at all? Easier releases? Ef fj ciency

709 views • 55 slides
Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL DEVELOPER / TECH LEAD @voit3k Microservices International Data Corporation (IDC) predicts that by: 2019 Q1 Microservices International Data

641 views • 39 slides
From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit: https://imgur.com/user/PipePistoleer Implicit trust On average, each Web application that Positive Technologies inspected contained 33 vulnerabilities . Of those, six were high-

763 views • 47 slides
KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for agility and scalability has driven Microservices adoption, but: 91% of Internet businesses are using or have plans to use microservices 86% expect

696 views • 53 slides
Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner Microservices Are Hyped So You Want To strangle The Almighty Monolith And Move Towards Microservices? Do Not Settle For Microliths Microlith Single

1.66k views • 127 slides
FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

7/17/2019 From HTTP to Kafka-based microservices FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa, FLYR Poland @wrzasa localhost:4567/index.html?print-pdf#/ 1/83 From HTTP to Kafka-based

1.15k views • 83 slides
Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How do I architect my app with microservices? What infrastructure do I need in place before I can benefit from microservices? datawire.io 2

770 views • 50 slides
Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer http://ewolff.com Why Microservices? Eberhard Wolff - @ewolff Why Microservices? Strong modularization Sustainable Replaceability Development speed

1.25k views • 48 slides
DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com Why do I like microservices? Autonomous teams with isolated implementation. Acknowledge the rough and tumble of enterprises. Cattle not

557 views • 37 slides
Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

1 Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap 2 In the beginning 3 We Have Microservices 3 4 We Microservices 4 5 They need to communicate 5 I know! Ill use REST APIs 6

751 views • 64 slides
Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices microservices or Service? Free Lunch? - OSGi Services Services in the Apache Karaf ecosystem Showcase: https:/

690 views • 44 slides
Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol Microservices testing is hard Consumer driven contract testing About Me Independent Consultant specialising in microservices & continuous delivery

1.54k views • 75 slides
Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module Overview Basic Certificates Tokens, JWT Oauth2, OpenID authentication Connect Identity provider Microservices API Gateway Challenges with Edge

1.02k views • 87 slides
Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall (@smarthall) Daniel Hall (@smarthall) About Me About Me Systems Engineer at LIFX Making the 'Internet' in the Internet of Things About This Talk About

556 views • 18 slides
Test Driven Microservices System Confidence through Journeys, Traces & Contracts

Test Driven Microservices System Confidence through Journeys, Traces & Contracts

Test Driven Microservices System Confidence through Journeys, Traces & Contracts @russmiles Biker me TBD Say Microservices one more time Reactive TBD A Definition The kingdom of heaven is like a mustard seed, which

1.04k views • 77 slides
Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Designing Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure you dont end up with Microliths Make sure you dont end up with Microliths We can do better than this Events First Domain Driven

1.68k views • 150 slides
Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview

Microservices and Monorepos Match made in heaven? Sven Erik Knop, Perforce Software Overview Microservices refresher Microservices and versioning What are Monorepos and why use them? These two concepts seem to contradict why

1.08k views • 23 slides
Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec

OWASP Dependency-Check Chapter Meeting OWASP_Geneva 2015/10/19 About Me Thomas Hofer Java DEV / AppSec OWASP Geneva Board State of Geneva @thhofer thomas.hofer@owasp.org Outline Context How it works / Integration

335 views • 9 slides
OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of

OWASP BELGIUM APPSEC 2008 CONFERENCE pdp information security researcher, hacker, founder of GNUCITIZEN SALES PITCH Cutting-edge Think Tank THERE ISN'T ANY! CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and

766 views • 64 slides
hybris-as-a-service A Microservices Architecture in Action Andrea Stubbe Product Manager at

hybris-as-a-service A Microservices Architecture in Action Andrea Stubbe Product Manager at

hybris-as-a-service A Microservices Architecture in Action Andrea Stubbe Product Manager at hybris The Vision Why Microservices? CLOUD FIRST AUTONOMY RETAIN SPEED COMMUNITY Scale different parts Independent teams, Ship new features as

883 views • 32 slides
Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg

Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg

Microservices at Netflix Scale First Principles, Tradeoffs, Lessons Learned Ruslan Meshenberg @rusmeshenberg Microservices: all benefits, no costs? Netflix is the worlds leading Internet television network with over 81 million members in

1.01k views • 62 slides
PRINCIPLES OF MICROSERVICES Sam Newman YOW Nights, Perth 2015 1 #yownight @samnewman

PRINCIPLES OF MICROSERVICES Sam Newman YOW Nights, Perth 2015 1 #yownight @samnewman

PRINCIPLES OF MICROSERVICES Sam Newman YOW Nights, Perth 2015 1 #yownight @samnewman Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman #yownight @samnewman Shipping Returns Customer Service Invoicing Accounts

1.18k views • 116 slides
Preparing For a Future Microservices Journey Using Wardley Maps DDD & Susanne Kaiser

Preparing For a Future Microservices Journey Using Wardley Maps DDD & Susanne Kaiser

Preparing For a Future Microservices Journey Using Wardley Maps DDD & Susanne Kaiser Independent Tech Consultant @suksr Microservices Architecture Market Key Trends USD ~33 Billion Loose Coupling Market Size (USD Billion) CAGR ~17%

1.26k views • 114 slides
Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native:

Building a Microservices Platform with Kubernetes Matthew Mark Miller @DataMiller Cloud Native: Microservices running inside Containers on top of Platforms on any infrastructure Microservice A software component of a system that is

1.05k views • 60 slides

More recommend