Practical Microservice Security Laura Bell
Practical Microservice Security. Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, laura@safestack.io, http://safestack.io
caution: fast paced field ahead watch for out of date content
In this talk:
Security Fundamentals: some important points that are worth refreshing
Prevention: avoid common vulnerabilities and avoid mistakes
Detection: prepare for survival and response
Apps that automatically scale up to handle millions of users and scale down again, built and run by smaller teams
Confidentiality, Integrity, Availability
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
Basic controls
so bad that StackOverflow has a process to handle it
For storing passwords in a database, MD5 is acceptable, supposing you salt it properly. For this usage, the known attack is entirely unimportant. If you are in paranoia mode, you can use a more complicated scheme like bcrypt too, but for most people, storing a salted password is just good enough. It prevents the easiest, most obvious attack, is easy to implement, hard to do wrong, and has low overhead.
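The quoted answer is the kind of advice the slide warns about. As an added example (not from the talk), the snippet below puts the "salted MD5" scheme next to a deliberately slow, memory-hard KDF (scrypt, via the standard library) and measures the offline guessing rate each gives an attacker who has stolen the password table; the cost parameters and storage format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost parameters (2^14 iterations, 16 MiB memory); tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_salted(password: str, salt: bytes) -> bytes:
    """The scheme the quoted answer recommends: one fast MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).digest()


def scrypt_salted(password: str, salt: bytes) -> bytes:
    """A slow, memory-hard KDF: each guess costs the attacker real CPU time and RAM."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Stored as 'scrypt$<salt hex>$<digest hex>' so the salt travels with the hash."""
    salt = salt or os.urandom(16)          # 16 random bytes per user
    return f"scrypt${salt.hex()}${scrypt_salted(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":                 # refuse anything but the expected scheme
        return False
    candidate = scrypt_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core offline guessing rate for the given scheme."""
    salt = b"\x00" * 16                    # constructed fixed salt; value is irrelevant here
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(f"MD5: {guesses_per_second(md5_salted):,.0f} guesses/s")
    print(f"scrypt: {guesses_per_second(scrypt_salted):,.0f} guesses/s")
```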
Find good, trusted, peer-reviewed sources: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
or why acronyms make you less secure
2FA
Planned
I’m sorry Dave, I can’t let you do that
(fast updating, never cached, multi-device default)
the keys to token success
header field format method
Service decomposition
the reality of immature application segmentation
shouldn’t
exhaustion
Orchestration layer attacks
rule them all?
"protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots."
simple
Features that scare me:
1) impersonation
2) investigation mode
3) demo accounts on production
4) SSL interception and analysis
5) many password sins
Choose Restrict Monitor Configure Challenge Test
never assume a security vendor is better at secure development than you are
Identity and access management
the lowest set of permissions and accesses required to do your job
require well defined roles
vs.
Automate and alert
mature groups and role assistance
Immutable architectures matter in microservice security
but you might not be the right person to audit them
including those changes made by an attacker
Typical actions:
become hard to persist
Heterogeneous language and technology spaces
you
technologies
vulnerability management can be challenging in microservice architectures
All
secure location, immutable format, away from production
denial of service attacks
backup, health check, domains
like actually, for real, not just when you’re debugging
TL;DR
Security Fundamentals: some important points that are worth refreshing
Prevention: avoid common vulnerabilities and avoid mistakes
Detection: prepare for survival and response
Questions? Laura Bell, Founder and Lead Consultant - SafeStack. @lady_nerd, laura@safestack.io, http://safestack.io