The presentation covers an analysis of microservices architecture and design patterns (such as API gateway, Log aggregation and more) in order to analyze how certain aspects of security is achievable at scale through these patterns.
2. Disclaimer
This disclaimer informs readers that the views, thoughts, and opinions expressed
in the presentation belong solely to the author, and not necessarily to the
author’s employer, organization, committee or other group or individual.
3. About Me
• Mobile game developer turned security professional
- MS In Security Engineering, Johns Hopkins University
- Appsec Lead at Illumio
- Previously worked at Amazon, Q2Ebanking, HP & ATSEC
• When I am not doing security
- Travel
- Paint
- Read
• Yoga Alliance Certified Instructor
- Breathing exercises
- MeditationPrincipal Application Security
Engineer, Illumio
4. Agenda
Part 1: Understanding microservices
Part 2: Microservices security design patterns
Part 3: Serverless application security
Part 4: Application security best practices
9. Security pain points
● Increased complexity
● Implicit trust is replaced by zero
trust among microservices
● Traditional application security
assessment cannot match the
speed of development &
deployment
● Inadequate security tooling can’t
detect vulnerabilities in
microservices
● Varying technology stack across
microservices
11. Cambridge Analytica Scandal
50 million
user’s
psychological
profile
Sold to
Cambridge
Analytica
Facebook
Login API
provides token
This is your
Digital Life
Third Party FB
app
270,000 people
opted for FB
login
1. Privacy consent of
only direct users
2. Data Collection
allowed for
research use only
User data
harvested by FB
campaignFB’s over permissive API resulted in data abuse
13. Anatomy of security vulnerabilities
• Absence of security
features
• Security
misconfigurations
• Security defects in
implementation
• Insecure operational
environments
14. Microservice
Design Patterns
● What are microservice design patterns?
- Microservices design patterns are
software design patterns that
generates reusable autonomous
services.
● Why do we need it?
- The goal for developers using
microservices is to accelerate
application releases.
● Can we leverage them to achieve
security goals?
- Securing pattern/ templates is easy
- Templates are reusable
- Automation helps scale security
15. Design Patterns for Microservices
Decomposition
patterns
Integration
patterns
Database
patterns
Observability
patterns
Cross-Cutting
Concern
patterns
Decompose by
Business
Capability
Decompose by
Subdomain
Decompose by
Transactions
Strangler Pattern
Bulkhead Pattern
Sidecar Pattern
API Gateway
Pattern
Aggregator
Pattern
Proxy Pattern
Gateway Routing
Pattern
Chained
Microservice
Pattern
Branch Pattern
Client-Side UI
Composition
Pattern
Database per
Service
Shared Database
per Service
CQRS
Event Sourcing
Saga Pattern
Log Aggregation
Performance
Metrics
Distributed
Tracing
Health Check
External
Configuration
Service Discovery
Pattern
Circuit Breaker
Pattern
Blue-Green
Deployment
Pattern
17. Circuit Breaker Design Pattern
Circuit Breaker Pattern
• Handles failure gracefully
• Prevents catastrophic cascading
failure across multiple systems
• Good for monitoring, logging and
overall recovery
• Fault tolerant
• Resilient
• Example: Netflix's Hystrix library
Attacks
• Breaker to broker- DDOS
• API Gateway can be single point of
failure
18. API Gateway
API Gateway
• Login (IAM)
• DOS protection
• API Authorization
• Routing of Request
• Throttling, API rate limit & load
balancing
• HTTPS endpoints
• Security and resiliency monitoring
• Logging and auditing
• Caching for better latency
Attacks
• Layer 7 DDOS with counterfeit requests
• DDOS with cascading requests
• Layer 3 DDOS with syn flood
• Login/Identity attacks
• Static API key abuse
• Common web application attacks like
XSS, SQLi
19. JSON Web Token
• Authentication of APIs
• Authorization with each request
• Service to service authentication
• Service to service communication
• Attacks
- JWT reply attack
- JWT cipher misconfiguration (none)
- JWT information leakage
20. Service Mesh Design Pattern
Service Mesh
• Inter-service communication
infrastructure
• Authentication and authorization
of services
• mTLS for inter-service
communication
• Enforcing security policies
Attacks
• Security misconfigurations
• Increased complexity
21. Log Aggregator Design Pattern
Log Aggregator
• Collection of all logs
• Real time
monitoring of
anomaly patterns
(deviation from
regular pattern)
• Automated
notification
Attacks
• Logging sensitive
information
• Unauthorized
access to logs
22. Secure Communication
TLS Attacks:
• ROBOT (1998-2017)
• EC DRBG Backdoor (2007-2013)
• Lucky 13 (2013)
• BEAST (2013)
• POODLE (2014)
• Heartbleed (2014)
• Logjam (2015)
• FREAK (2015)
• DROWN (2016)
Security Best Practices
• Do not use insecure SSL protocols (SSLv3,
TLS 1.0, TLS 1.1)
• Use cipher with 120+ bit of cryptographic
strength (AES-256, RSA 2048, SHA-256 +)
• Crypto agility
• Mutual TLS
26. Attack - Capital One Breach
26
1. Insecure AWS
metadata Service
2. Obtained credentials
of the ****_WAF-Role
3. List S3 Buckets
4. Sync bucketsThird-Party Mod
Security Firewall
Over permissive AWS Metadata Service
27. Role of microsegmentation in microservices
● Container Security Challenges
● Insufficient protection by traditional Network Zoning
● Host based microsegmentation
● Microsegmentation of microservices
a. Cluster level
b. Pod level
c. Container level
28. Serverless
Security
Serverless applications or Function as a
service (FaaS) are event-driven cloud-based
systems where application development rely
solely on a combination of third-party
services, client-side logic and cloud-hosted
remote procedure calls.
32. Security Testing of Microservices
● Security unit test cases
● Abuse test cases
● Build scanners for detecting common application security vulnerabilities
33. Best Practices ● Appsec best practices
● Appsec assessment tooling
● Container security
34. Application security best practices
● Zerotrust code, applications,
interprocess communications,
configurations, networks
● Secure coding convention must be
followed
● Data in transit must be secure using
mTLS
● Secrets must be stored and manage
using secret store
● Generate logs, perform auditing and
monitoring, use SIEM
● Stay on top of 3rd party known CVEs
associated with open source libraries
● Containers and Orchestration security
- CIS benchmark
- Clair
- Dagda
- Anchore
- KubeSec
- Kubehunter
● Adapt APPSEC modern tooling
- Interactive Application Security
Testing (IAST)
- Real Time Application Security
Protection RASP)
- Application Whitelisting
- Microsegmentation
35. Conclusion
● Begin with Zerotrust by default
● Earn trust as you validate the authenticity of microservices
● Vetted microservice design patterns foster security
● Automating appsec tools promote shift left security transformation
● Threat Modeling is priceless
● Classic appsec attacks are still applicable
● Be open minded about modern security tooling
● Micro-segmentation increases resiliency
● Secure the complete stack and not just microservices