Protecting Microservices
using Secure Design Patterns
Trupti Shiralkar
Principal Application Security Engineer, Illumio
Disclaimer
This disclaimer informs readers that the views, thoughts, and opinions expressed
in the presentation belong solely to the author, and not necessarily to the
author’s employer, organization, committee or other group or individual.
About Me
• Mobile game developer turned security professional
- MS In Security Engineering, Johns Hopkins University
- Appsec Lead at Illumio
- Previously worked at Amazon, Q2Ebanking, HP & ATSEC
• When I am not doing security
- Travel
- Paint
- Read
• Yoga Alliance Certified Instructor
- Breathing exercises
- Meditation
Agenda
Part 1: Understanding microservices
Part 2: Microservices security design patterns
Part 3: Serverless application security
Part 4: Application security best practices
Understanding Microservices
● Evolution
● Monolith vs Microservices
● Security pain points
● Overall changing role of security
● Attack example
Evolution of Software Architecture
Monolith vs Microservices
Microservices are not a silver bullet!
Security pain points
● Increased complexity
● Implicit trust is replaced by zero trust among microservices
● Traditional application security assessment cannot match the speed of development & deployment
● Inadequate security tooling can't detect vulnerabilities in microservices
● Varying technology stack across microservices
Microservices and Changing Role of Security
Cambridge Analytica Scandal
● "This is your Digital Life" third-party FB app: 270,000 people opted for FB login
● Facebook Login API provides token
● 1. Privacy consent of only direct users
● 2. Data collection allowed for research use only
● User data harvested by FB campaign
● 50 million users' psychological profiles sold to Cambridge Analytica
● FB's over-permissive API resulted in data abuse
Security Principles
● Authentication
● Authorization
● Confidentiality
● Privacy
● Resiliency
● Auditing
● Secure communication
● Accounting
● Non-repudiation
● Integrity
Anatomy of security vulnerabilities
• Absence of security features
• Security misconfigurations
• Security defects in implementation
• Insecure operational environments
Microservice Design Patterns
● What are microservice design patterns?
- Microservice design patterns are software design patterns that generate reusable autonomous services.
● Why do we need them?
- The goal for developers using microservices is to accelerate application releases.
● Can we leverage them to achieve security goals?
- Securing patterns/templates is easy
- Templates are reusable
- Automation helps scale security
Design Patterns for Microservices
● Decomposition patterns
- Decompose by Business Capability
- Decompose by Subdomain
- Decompose by Transactions
- Strangler Pattern
- Bulkhead Pattern
- Sidecar Pattern
● Integration patterns
- API Gateway Pattern
- Aggregator Pattern
- Proxy Pattern
- Gateway Routing Pattern
- Chained Microservice Pattern
- Branch Pattern
- Client-Side UI Composition Pattern
● Database patterns
- Database per Service
- Shared Database per Service
- CQRS
- Event Sourcing
- Saga Pattern
● Observability patterns
- Log Aggregation
- Performance Metrics
- Distributed Tracing
- Health Check
● Cross-Cutting Concern patterns
- External Configuration
- Service Discovery Pattern
- Circuit Breaker Pattern
- Blue-Green Deployment Pattern
Domain Driven Design
Circuit Breaker Design Pattern
Circuit Breaker Pattern
• Handles failure gracefully
• Prevents catastrophic cascading failure across multiple systems
• Good for monitoring, logging and overall recovery
• Fault tolerant
• Resilient
• Example: Netflix's Hystrix library
Attacks
• Breaker to broker: DDoS
• API Gateway can be a single point of failure
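The closed/open/half-open behaviour the slide describes, as an added example that is not code from the slides and not Hystrix: a minimal Python circuit breaker with an injectable clock, a consecutive-failure threshold and a recovery timeout (all three are assumptions made for this example), plus a demo() that walks it through tripping, failing fast and recovering. The events list is the hook where a real implementation would attach the logging and monitoring the slide mentions.

```python
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # downstream healthy, calls pass through
    OPEN = "open"            # downstream failing, calls are rejected without being sent
    HALF_OPEN = "half_open"  # one trial call is allowed to probe for recovery


class CircuitOpenError(RuntimeError):
    """Raised when a call is rejected without touching the downstream service."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold  # consecutive failures that trip the breaker
        self.recovery_timeout = recovery_timeout    # seconds to stay OPEN before a trial call
        self.clock = clock                          # injectable so tests need no sleeping
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = None
        self.events = []                            # (from, to, time): feed this to your logs/metrics

    def _transition(self, new_state):
        self.events.append((self.state.value, new_state.value, self.clock()))
        self.state = new_state

    def call(self, fn, *args, **kwargs):
        if self.state is State.OPEN:
            if self.clock() - self.opened_at >= self.recovery_timeout:
                self._transition(State.HALF_OPEN)
            else:
                raise CircuitOpenError("circuit open; failing fast")  # no load reaches downstream
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        # A failed trial call re-opens immediately; otherwise trip on the threshold.
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.opened_at = self.clock()
            self._transition(State.OPEN)

    def _on_success(self):
        self.failures = 0
        if self.state is not State.CLOSED:
            self._transition(State.CLOSED)


class FakeClock:
    """Manual clock for the demo: advance .now instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Trip the breaker on a flaky downstream, show fail-fast, then recover."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=clock)
    downstream_calls = 0
    downstream_up = False

    def downstream():
        nonlocal downstream_calls
        downstream_calls += 1
        if not downstream_up:
            raise ConnectionError("downstream unavailable")
        return "payload"

    def attempt():
        try:
            return breaker.call(downstream)
        except (ConnectionError, CircuitOpenError) as err:
            return type(err).__name__

    outcomes = [attempt() for _ in range(5)]  # 3 real failures, then 2 rejected fast
    calls_while_open = downstream_calls       # stays at 3: OPEN state sent nothing
    clock.now = 31.0                          # recovery timeout elapsed
    downstream_up = True
    recovered = attempt()                     # trial call succeeds, breaker closes
    return {"outcomes": outcomes, "calls_while_open": calls_while_open,
            "recovered": recovered, "final_state": breaker.state.value,
            "transitions": [(a, b) for a, b, _ in breaker.events]}


if __name__ == "__main__":
    print(demo())
```

The fail-fast path is the security-relevant part: once the breaker is open, a flood of requests against a failing dependency is absorbed at the caller instead of being forwarded, which is what keeps one overloaded service from cascading into the rest of the system.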
API Gateway
• Login (IAM)
• DoS protection
• API authorization
• Routing of requests
• Throttling, API rate limit & load balancing
• HTTPS endpoints
• Security and resiliency monitoring
• Logging and auditing
• Caching for better latency
Attacks
• Layer 7 DDoS with counterfeit requests
• DDoS with cascading requests
• Layer 3 DDoS with SYN flood
• Login/identity attacks
• Static API key abuse
• Common web application attacks like XSS, SQLi
JSON Web Token
• Authentication of APIs
• Authorization with each request
• Service to service authentication
• Service to service communication
• Attacks
- JWT replay attack
- JWT algorithm misconfiguration (alg "none")
- JWT information leakage
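A verifier that closes the two JWT attack classes listed above (replay, and the alg "none" misconfiguration), as an added example; it is not code from the slides and not a library the talk references. It hand-rolls HS256 with the standard library so it runs offline. The key, the fixed clock value, the use of a single-use jti per request and the sample claim values are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # explicit allow-list: "none" and unexpected algorithms are rejected


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWT. alg="none" exists here only so the verifier's rejection can be shown."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."          # unsigned token
    if alg != "HS256":
        raise ValueError("demo signer only supports HS256")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class JwtVerifier:
    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock
        self._seen = {}  # jti -> exp for tokens already accepted; entries live until they expire

    def verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(_b64url_decode(h))
        alg = header.get("alg")
        if alg not in ALLOWED_ALGS:      # the header never gets to choose the algorithm
            raise ValueError(f"algorithm not allowed: {alg!r}")
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p))
        now = self.clock()
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now >= exp:
            raise ValueError("token expired or missing exp")
        jti = claims.get("jti")
        if not jti:
            raise ValueError("missing jti")
        # Replay defence: a jti is honoured once. Expired entries are purged so the
        # cache is bounded by the token lifetime rather than growing forever.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            raise ValueError("replayed token")
        self._seen[jti] = exp
        return claims


def outcome(verifier: JwtVerifier, token: str) -> str:
    """Summarise a verification as 'ok:<sub>' or 'rejected:<reason>' for demos and tests."""
    try:
        return "ok:" + str(verifier.verify(token).get("sub"))
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    v = JwtVerifier(key, clock=lambda: 1_700_000_000.0)
    good = sign_jwt({"sub": "orders-svc", "exp": 1_700_000_060, "jti": "req-1"}, key)
    print(outcome(v, good))   # ok:orders-svc
    print(outcome(v, good))   # rejected:replayed token
    print(outcome(v, sign_jwt({"sub": "orders-svc", "exp": 1_700_000_060, "jti": "req-2"},
                              key, alg="none")))  # rejected:algorithm not allowed: 'none'
```

The single-use jti check fits the "authorization with each request" model from the slide, where a service mints a fresh short-lived token per call; a long-lived bearer session token would instead rely on a short exp and revocation, since it is legitimately presented many times. The replay cache must be shared (or the tokens routed consistently) when the verifier runs on more than one instance.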
Service Mesh Design Pattern
Service Mesh
• Inter-service communication infrastructure
• Authentication and authorization of services
• mTLS for inter-service communication
• Enforcing security policies
Attacks
• Security misconfigurations
• Increased complexity
Log Aggregator Design Pattern
Log Aggregator
• Collection of all logs
• Real-time monitoring of anomaly patterns (deviation from regular pattern)
• Automated notification
Attacks
• Logging sensitive information
• Unauthorized access to logs
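An added example, not from the slides, of the two points the Log Aggregator box raises: redacting sensitive values before a line leaves the service, and flagging a minute whose failed-login count deviates from the regular pattern. The log line format, the redaction patterns, the median baseline with its 3x / 5-event threshold, and the sample lines themselves are all constructed for this example.

```python
import re
from datetime import datetime, timezone
from statistics import median


# Constructed sample log lines (not captured from any real system): ten quiet
# minutes with two failed logins each, then one minute with a burst of forty.
def _build_sample_logs():
    fmt = "2024-05-01T10:%02d:%02dZ svc=auth status=%d src=%s msg=%s"
    quiet_minute = [
        (200, "10.0.0.5", '"login ok" Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed'),
        (401, "10.0.0.7", '"bad credentials" user=alice password=hunter2'),
        (200, "10.0.0.8", '"token refreshed" api_key=constructed-key-123'),
        (401, "10.0.0.7", '"bad credentials" user=bob'),
    ]
    lines = []
    for minute in range(10):
        for sec, (status, src, msg) in enumerate(quiet_minute):
            lines.append(fmt % (minute, sec * 10, status, src, msg))
    for sec in range(40):
        lines.append(fmt % (10, sec, 401, "10.0.0.9", '"bad credentials" user=alice'))
    return lines


SAMPLE_LOGS = _build_sample_logs()

# Fields whose values must never reach the central log store.
SECRET_PATTERNS = [
    (re.compile(r"(Authorization:\s*Bearer\s+)\S+", re.IGNORECASE), r"\1[REDACTED]"),
    (re.compile(r"\b((?:password|passwd|api[_-]?key|secret|token)=)[^\s\"]+", re.IGNORECASE),
     r"\1[REDACTED]"),
]


def redact(line: str) -> str:
    """Mask secret-bearing fields before the line is shipped to the aggregator."""
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) svc=(?P<svc>\S+) "
                     r"status=(?P<status>\d{3}) src=(?P<src>\S+)")


def parse_event(line: str):
    """Extract the fields the detector needs; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"minute": int(ts.timestamp()) // 60, "svc": m["svc"],
            "status": int(m["status"]), "src": m["src"]}


def failed_auth_anomalies(lines, min_count=5, factor=3.0):
    """Flag each minute whose 401 count exceeds `factor` times the median of the minutes before it."""
    buckets = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        buckets.setdefault(ev["minute"], 0)   # minutes with traffic but no 401s count as 0
        if ev["status"] == 401:
            buckets[ev["minute"]] += 1
    alerts = []
    minutes = sorted(buckets)
    for i, minute in enumerate(minutes):
        history = [buckets[m] for m in minutes[:i]]
        baseline = median(history) if history else 0
        count = buckets[minute]
        if count >= min_count and count > factor * baseline:
            when = datetime.fromtimestamp(minute * 60, timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
            alerts.append({"minute": when, "failed_logins": count, "baseline": baseline})
    return alerts


def ship(lines):
    """What the aggregator receives: redacted lines only."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    shipped = ship(SAMPLE_LOGS)
    print(shipped[0])
    print(failed_auth_anomalies(shipped))
```

Redaction runs on the producing side, so a compromised or over-shared log store (the slide's "unauthorized access to logs") never holds the secrets in the first place; the detector then works on the sanitised stream without losing the fields it needs.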
Secure Communication
TLS Attacks:
• ROBOT (1998-2017)
• EC DRBG Backdoor (2007-2013)
• Lucky 13 (2013)
• BEAST (2013)
• POODLE (2014)
• Heartbleed (2014)
• Logjam (2015)
• FREAK (2015)
• DROWN (2016)
Security Best Practices
• Do not use insecure SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1)
• Use ciphers with 120+ bits of cryptographic strength (AES-256, RSA 2048, SHA-256+)
• Crypto agility
• Mutual TLS
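The protocol floor, cipher strength and mutual TLS items above expressed as an ssl.SSLContext plus a policy audit, as an added example that is not from the slides. The 128-bit floor (which satisfies the slide's 120+ bit requirement), the cipher string and the choice to require client certificates are assumptions made for this example; certificate and CA file paths are deployment specific and left out.

```python
import ssl

# Assumptions for this example: TLS 1.2 as the protocol floor and a 128-bit
# cipher-strength floor (which also satisfies the slide's "120+ bit" requirement).
MIN_TLS = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128
# TLS 1.2 suites limited to forward-secret AEAD ciphers. TLS 1.3 suites are
# governed separately by OpenSSL and are AEAD by construction.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def hardened_server_context(require_client_cert: bool = True) -> ssl.SSLContext:
    """Server-side context that refuses SSLv3/TLS 1.0/TLS 1.1 and weak ciphers.

    The weak setting this replaces is a bare ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with no minimum_version, no cipher policy and verify_mode left at CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS            # older protocol versions are never negotiated
    ctx.set_ciphers(CIPHER_POLICY)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: the client must present a trusted cert
    # In a deployment, ctx.load_cert_chain(...) and ctx.load_verify_locations(...) go
    # here; the file paths are environment specific and omitted from this example.
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Check a context against the policy; an empty list means it complies."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"protocol floor too low: {ctx.minimum_version.name}")
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_STRENGTH_BITS]
    if weak:
        findings.append("ciphers below %d bits enabled: %s" % (MIN_STRENGTH_BITS, ", ".join(weak)))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificates not required (no mutual TLS)")
    return findings


if __name__ == "__main__":
    for name, ctx in [("hardened", hardened_server_context()),
                      ("one-way TLS", hardened_server_context(require_client_cert=False))]:
        print(name, "->", audit_context(ctx) or "compliant")
```

Keeping the policy in named constants is the crypto agility point from the slide: when a cipher family or protocol version is retired, the floor moves in one place and the audit function catches any context that was built without it.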
Input and Output Validation
Secure handling and storage of Secrets
Advantages of using design patterns
● Inbuilt security functionalities
● Reduce Attack Surface
● Smaller functionality
● Layered Security/Defense in depth
● Simpler code structure
● Faster remediation
● Containerized deployments
Attack - Capital One Breach
1. Insecure AWS metadata service
2. Obtained credentials of the ****_WAF-Role
3. List S3 buckets
4. Sync buckets
Third-Party ModSecurity Firewall
Over-permissive AWS Metadata Service
Role of microsegmentation in microservices
● Container Security Challenges
● Insufficient protection by traditional Network Zoning
● Host based microsegmentation
● Microsegmentation of microservices
a. Cluster level
b. Pod level
c. Container level
Serverless Security
Serverless applications, or Function as a Service (FaaS), are event-driven cloud-based systems in which application development relies solely on a combination of third-party services, client-side logic and cloud-hosted remote procedure calls.
Reality of Serverless Security
OWASP vulnerabilities are still applicable
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring
Security Scanning within CI/CD
Security Testing of Microservices
● Security unit test cases
● Abuse test cases
● Build scanners for detecting common application security vulnerabilities
Best Practices
● Appsec best practices
● Appsec assessment tooling
● Container security
Application security best practices
● Zerotrust code, applications, interprocess communications, configurations, networks
● Secure coding conventions must be followed
● Data in transit must be secured using mTLS
● Secrets must be stored and managed using a secret store
● Generate logs, perform auditing and monitoring, use SIEM
● Stay on top of 3rd party known CVEs associated with open source libraries
● Containers and orchestration security
- CIS benchmark
- Clair
- Dagda
- Anchore
- KubeSec
- Kubehunter
● Adopt modern AppSec tooling
- Interactive Application Security Testing (IAST)
- Real Time Application Security Protection (RASP)
- Application Whitelisting
- Microsegmentation
Conclusion
● Begin with Zerotrust by default
● Earn trust as you validate the authenticity of microservices
● Vetted microservice design patterns foster security
● Automating appsec tools promotes shift-left security transformation
● Threat Modeling is priceless
● Classic appsec attacks are still applicable
● Be open minded about modern security tooling
● Micro-segmentation increases resiliency
● Secure the complete stack and not just microservices
References
● Chris Richardson
● Sam Newman
● Prabath Siriwardena
● Nuwan Dias
● Jim Manico & many contributors
Questions?
Contact: s.trupts@gmail.com

Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 

Protecting microservices using secure design patterns 1.0

  • 1. Protecting Microservices using Secure Design Patterns
    Trupti Shiralkar, Principal Application Security Engineer, Illumio
  • 2. Disclaimer This disclaimer informs readers that the views, thoughts, and opinions expressed in the presentation belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.
  • 3. About Me
    Principal Application Security Engineer, Illumio
    • Mobile game developer turned security professional
      - MS in Security Engineering, Johns Hopkins University
      - Appsec Lead at Illumio
      - Previously worked at Amazon, Q2Ebanking, HP & ATSEC
    • When I am not doing security
      - Travel
      - Paint
      - Read
    • Yoga Alliance Certified Instructor
      - Breathing exercises
      - Meditation
  • 4. Agenda
    Part 1: Understanding microservices
    Part 2: Microservices security design patterns
    Part 3: Serverless application security
    Part 4: Application security best practices
  • 5. Understanding Microservices
    ● Evolution
    ● Monolith vs Microservices
    ● Security pain points
    ● Overall changing role of security
    ● Attack example
  • 6. Evolution of Software Architecture
  • 8. Microservices are not a silver bullet!
  • 9. Security pain points
    ● Increased complexity
    ● Implicit trust is replaced by zero trust among microservices
    ● Traditional application security assessment cannot match the speed of development & deployment
    ● Inadequate security tooling can't detect vulnerabilities in microservices
    ● Varying technology stack across microservices
  • 10. Microservices and Changing Role of Security
  • 11. Cambridge Analytica Scandal
    FB's over-permissive API resulted in data abuse
    • "This is your Digital Life": third-party FB app
    • 270,000 people opted for FB login
    • Facebook Login API provides token
    • 1. Privacy consent of only direct users
    • 2. Data collection allowed for research use only
    • User data harvested by FB campaign
    • 50 million users' psychological profiles sold to Cambridge Analytica
  • 13. Anatomy of security vulnerabilities
    • Absence of security features
    • Security misconfigurations
    • Security defects in implementation
    • Insecure operational environments
  • 14. Microservice Design Patterns
    ● What are microservice design patterns?
      - Microservice design patterns are software design patterns that generate reusable, autonomous services.
    ● Why do we need them?
      - The goal for developers using microservices is to accelerate application releases.
    ● Can we leverage them to achieve security goals?
      - Securing a pattern/template is easy
      - Templates are reusable
      - Automation helps scale security
  • 15. Design Patterns for Microservices
    Decomposition patterns: Decompose by Business Capability, Decompose by Subdomain, Decompose by Transactions, Strangler Pattern, Bulkhead Pattern, Sidecar Pattern
    Integration patterns: API Gateway Pattern, Aggregator Pattern, Proxy Pattern, Gateway Routing Pattern, Chained Microservice Pattern, Branch Pattern, Client-Side UI Composition Pattern
    Database patterns: Database per Service, Shared Database per Service, CQRS, Event Sourcing, Saga Pattern
    Observability patterns: Log Aggregation, Performance Metrics, Distributed Tracing, Health Check
    Cross-Cutting Concern patterns: External Configuration, Service Discovery Pattern, Circuit Breaker Pattern, Blue-Green Deployment Pattern
  • 17. Circuit Breaker Design Pattern
    Circuit Breaker Pattern
    • Handles failure gracefully
    • Prevents catastrophic cascading failure across multiple systems
    • Good for monitoring, logging and overall recovery
    • Fault tolerant
    • Resilient
    • Example: Netflix's Hystrix library
    Attacks
    • Breaker to broker - DDoS
    • API Gateway can be a single point of failure
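The state machine behind the slide (closed, open, half-open), as an added example written for this page rather than code from the deck or from Hystrix. It assumes a constructed flaky downstream and an injectable clock so the whole cycle runs offline: three consecutive failures trip the breaker, later calls fail fast without touching the downstream (which is what stops the cascade), and after the recovery timeout a single probe call closes it again. The `events` list is the audit trail you would feed to logging and monitoring.

```python
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # calls pass through; consecutive failures are counted
    OPEN = "open"            # calls are rejected at once, the downstream is not called
    HALF_OPEN = "half_open"  # one probe call is let through to test recovery


class CircuitBreakerOpen(Exception):
    """Raised when the breaker fails fast instead of calling the downstream service."""


class CircuitBreaker:
    """Minimal single-threaded circuit breaker (constructed example, not Hystrix).

    failure_threshold: consecutive failures that trip the breaker from CLOSED to OPEN.
    recovery_timeout:  seconds to stay OPEN before allowing one HALF_OPEN probe.
    clock:             injectable time source so the behaviour can be tested offline.
    """

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.clock = clock
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = None
        self.events = []  # (from, to) state transitions for logging/monitoring

    def _transition(self, new_state):
        self.events.append((self.state.value, new_state.value))
        self.state = new_state

    def call(self, func, *args, **kwargs):
        if self.state is State.OPEN:
            if self.clock() - self.opened_at >= self.recovery_timeout:
                self._transition(State.HALF_OPEN)  # allow a probe
            else:
                raise CircuitBreakerOpen("downstream unavailable, failing fast")
        try:
            result = func(*args, **kwargs)
        except Exception:
            self._record_failure()
            raise
        self._record_success()
        return result

    def _record_failure(self):
        self.failures += 1
        # A failed probe re-opens immediately; in CLOSED we wait for the threshold.
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.opened_at = self.clock()
            self._transition(State.OPEN)

    def _record_success(self):
        self.failures = 0
        if self.state is State.HALF_OPEN:
            self._transition(State.CLOSED)


def run_demo():
    """Drive the breaker against a constructed flaky downstream with a fake clock."""
    now = [0.0]
    downstream_calls = [0]
    healthy = [False]

    def downstream():
        downstream_calls[0] += 1
        if not healthy[0]:
            raise ConnectionError("constructed downstream failure")
        return "ok"

    cb = CircuitBreaker(failure_threshold=3, recovery_timeout=30.0, clock=lambda: now[0])
    rejected = 0
    for _ in range(10):  # 3 real failures trip the breaker; the other 7 fail fast
        try:
            cb.call(downstream)
        except CircuitBreakerOpen:
            rejected += 1
        except ConnectionError:
            pass
    calls_reaching_downstream = downstream_calls[0]
    now[0] += 31.0       # recovery timeout elapses
    healthy[0] = True    # downstream has recovered
    cb.call(downstream)  # HALF_OPEN probe succeeds, breaker closes again
    return rejected, calls_reaching_downstream, cb.state, cb.events


if __name__ == "__main__":
    print(run_demo())
```

The security-relevant detail is the second return value: only three requests ever reached the failing service, so a fault in one microservice cannot be amplified into a flood against it (or against the databases behind it) by every caller retrying.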
  • 18. API Gateway
    API Gateway
    • Login (IAM)
    • DoS protection
    • API authorization
    • Routing of requests
    • Throttling, API rate limiting & load balancing
    • HTTPS endpoints
    • Security and resiliency monitoring
    • Logging and auditing
    • Caching for better latency
    Attacks
    • Layer 7 DDoS with counterfeit requests
    • DDoS with cascading requests
    • Layer 3 DDoS with SYN flood
    • Login/identity attacks
    • Static API key abuse
    • Common web application attacks like XSS, SQLi
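The throttling/rate-limit role of the gateway, as an added example written for this page (not code from the deck or from any gateway product). It is a per-key token bucket keyed by whatever identity the gateway has already established (API key, token subject or client address; the keys below are constructed) with an injectable clock so the behaviour can be checked offline. Each key gets its own bucket, so one abusive caller exhausting its budget does not throttle anyone else.

```python
import time


class TokenBucket:
    """One caller's budget: `capacity` tokens of burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec, clock):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.updated = clock()

    def take(self):
        now = self.clock()
        # Credit the tokens earned since the last request, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayRateLimiter:
    """Constructed example of the gateway's throttling role: one bucket per caller identity."""

    def __init__(self, capacity=100, refill_per_sec=10.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets = {}

    def allow(self, key):
        """True if the request for `key` may proceed, False if it must get HTTP 429."""
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_sec, self.clock)
        return bucket.take()


def run_demo():
    """Burst of 8 from one key with capacity 5, a second key, then a 2 s refill."""
    now = [0.0]
    limiter = GatewayRateLimiter(capacity=5, refill_per_sec=1.0, clock=lambda: now[0])
    burst = [limiter.allow("key-A") for _ in range(8)]      # 5 allowed, 3 throttled
    other_key = limiter.allow("key-B")                       # separate bucket, unaffected
    now[0] += 2.0                                            # two tokens refill for key-A
    after_wait = [limiter.allow("key-A") for _ in range(3)]  # 2 allowed, 1 throttled
    return burst.count(True), burst.count(False), other_key, after_wait


if __name__ == "__main__":
    print(run_demo())
```

Note what this does and does not defend against: it bounds the request volume any one key can generate (the counterfeit-request and cascading-request items on the slide), but a leaked static API key still gets its full budget, which is why the slide lists static key abuse as a separate attack to handle with key rotation and short-lived tokens.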
  • 19. JSON Web Token
    • Authentication of APIs
    • Authorization with each request
    • Service-to-service authentication
    • Service-to-service communication
    • Attacks
      - JWT replay attack
      - JWT cipher misconfiguration (none)
      - JWT information leakage
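A verifier for service-to-service tokens that is checked against the three attacks on the slide, as an added example written for this page (not the deck's code and not a JWT library; it implements HS256 directly with the standard library). The key, service names and `jti` values are constructed. The algorithm is pinned on the server side so a header claiming `alg: none` is refused, `exp` is mandatory, and the `jti` of every accepted token is remembered until it expires so a second presentation is rejected as a replay. `peek_claims` decodes the payload with no key at all, which is the information-leakage point: claims are signed, not encrypted.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: HS256 token. Claims are visible to anyone holding the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verification: why secrets must never be put in claims."""
    return json.loads(_unb64url(token.split(".")[1]))


class JwtError(Exception):
    pass


class JwtVerifier:
    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock
        self.seen = {}  # jti -> exp, kept until expiry so replays are detected

    def verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise JwtError("malformed token")
        h64, p64, s64 = parts
        header = json.loads(_unb64url(h64))
        # Pin the algorithm server-side: "none" and algorithm swaps are rejected here.
        if header.get("alg") != "HS256":
            raise JwtError(f"unexpected alg {header.get('alg')!r}")
        expected = hmac.new(self.key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            raise JwtError("bad signature")
        claims = json.loads(_unb64url(p64))
        now = self.clock()
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            raise JwtError("expired or missing exp")
        jti = claims.get("jti")
        if not jti:
            raise JwtError("missing jti")
        self._forget_expired(now)
        if jti in self.seen:
            raise JwtError("replayed token")
        self.seen[jti] = claims["exp"]
        return claims

    def _forget_expired(self, now):
        for jti in [j for j, exp in self.seen.items() if exp <= now]:
            del self.seen[jti]


def _outcome(verifier, token):
    try:
        verifier.verify(token)
        return "accepted"
    except JwtError as err:
        return str(err)


def run_demo():
    """Constructed scenario: one good token, then each attack from the slide."""
    key = b"constructed-demo-key-not-for-real-use"
    now = [1_700_000_000.0]
    verifier = JwtVerifier(key, clock=lambda: now[0])
    token = sign_hs256({"sub": "orders-svc", "exp": now[0] + 60, "jti": "c0ffee-1"}, key)
    results = {"first_use": _outcome(verifier, token)}
    results["replay"] = _outcome(verifier, token)  # same token presented a second time
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = _outcome(verifier, f"{none_header}.{token.split('.')[1]}.")
    results["leak"] = peek_claims(token)["sub"]    # readable with no key at all
    now[0] += 120
    stale = sign_hs256({"sub": "orders-svc", "exp": now[0] - 1, "jti": "c0ffee-2"}, key)
    results["expired"] = _outcome(verifier, stale)
    return results
```

The replay cache is per-process; with several replicas of a service it has to live in shared storage (or tokens must be bound to the request, e.g. by audience and a short lifetime) for the check to hold across the fleet.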
  • 20. Service Mesh Design Pattern
    Service Mesh
    • Inter-service communication infrastructure
    • Authentication and authorization of services
    • mTLS for inter-service communication
    • Enforcing security policies
    Attacks
    • Security misconfigurations
    • Increased complexity
  • 21. Log Aggregator Design Pattern
    Log Aggregator
    • Collection of all logs
    • Real-time monitoring of anomaly patterns (deviation from the regular pattern)
    • Automated notification
    Attacks
    • Logging sensitive information
    • Unauthorized access to logs
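Both halves of the slide in one added example written for this page (not the deck's code): a redaction filter that scrubs bearer tokens, JWTs and `password=`/`key=` values before a record leaves the service, so the aggregator never stores the sensitive data in the first place, and a simple anomaly rule run over the scrubbed lines that flags any client with five or more failed logins inside a minute. The log lines, services and addresses are constructed; the line format assumed is `<timestamp> <service> <level> <message>`.

```python
import logging
import re
from collections import defaultdict
from datetime import datetime

# Secret-bearing patterns to scrub before a line is shipped (constructed list; extend per service).
REDACTIONS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret|token)=([^&\s]+)"), r"\1=[REDACTED]"),
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]*"), "[REDACTED-JWT]"),  # bare JWT ('eyJ' = base64 of '{"')
]


def redact(message: str) -> str:
    for pattern, replacement in REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


class RedactingFilter(logging.Filter):
    """Attach to the shipping handler so every record is scrubbed before it is sent."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


FAILED_LOGIN = re.compile(r"^(\S+) \S+ WARN login failed .*client=(\S+)$")


def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Clients with >= threshold failed logins inside any window of window_seconds."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            failures[m.group(2)].append(ts)
    flagged = []
    for client, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.append(client)
                break
    return flagged


# Constructed sample lines: one client brute-forcing logins, plus two lines carrying secrets.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth-svc INFO login ok user=alice client=10.0.0.5",
    "2024-05-01T10:00:02Z auth-svc WARN login failed user=bob client=10.0.0.9",
    "2024-05-01T10:00:03Z auth-svc WARN login failed user=bob client=10.0.0.9",
    "2024-05-01T10:00:04Z auth-svc WARN login failed user=dave client=10.0.0.9",
    "2024-05-01T10:00:05Z auth-svc WARN login failed user=erin client=10.0.0.9",
    "2024-05-01T10:00:06Z auth-svc WARN login failed user=bob client=10.0.0.9",
    "2024-05-01T10:00:07Z auth-svc WARN login failed user=carol client=10.0.0.5",
    "2024-05-01T10:00:08Z orders-svc DEBUG upstream call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.sig",
    "2024-05-01T10:00:09Z billing-svc INFO connecting db password=hunter2&pool=4",
]


def run_demo():
    """Scrub the sample lines, then run the burst rule over the scrubbed output."""
    scrubbed = [redact(line) for line in SAMPLE_LOGS]
    return scrubbed, detect_failed_login_bursts(scrubbed)


if __name__ == "__main__":
    lines, flagged = run_demo()
    print("\n".join(lines))
    print("flagged clients:", flagged)
```

Redacting at the source, rather than in the aggregator, also narrows the second attack on the slide: unauthorized access to the central log store yields no credentials when none were ever written to it.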
  • 22. Secure Communication
    TLS Attacks:
    • ROBOT (1998-2017)
    • EC DRBG Backdoor (2007-2013)
    • Lucky 13 (2013)
    • BEAST (2013)
    • POODLE (2014)
    • Heartbleed (2014)
    • Logjam (2015)
    • FREAK (2015)
    • DROWN (2016)
    Security Best Practices
    • Do not use insecure SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1)
    • Use ciphers with 120+ bits of cryptographic strength (AES-256, RSA 2048, SHA-256 and up)
    • Crypto agility
    • Mutual TLS
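The best-practice list turned into a server-side `ssl.SSLContext` plus an audit function that reports which practice a context violates, as an added example written for this page (not the deck's code). The hardened context pins the protocol floor at TLS 1.2, restricts ciphers to ECDHE key exchange with AEAD suites, and requires client certificates for mutual TLS; the legacy context beside it pins no floor and authenticates no clients. The certificate paths in the comments are placeholders, not files this example ships; 128 bits is used as the strength floor since that is the smallest AEAD suite above the slide's 120-bit line.

```python
import ssl

# Protocol versions the slide lists as insecure. MINIMUM_SUPPORTED means "no floor pinned",
# i.e. the library may negotiate whatever legacy version it still supports.
LEGACY_VERSIONS = {
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.MINIMUM_SUPPORTED,
}
MIN_STRENGTH_BITS = 128  # slide asks for 120+ bits; AES-128-GCM is the practical floor


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2+, forward-secret AEAD ciphers only, client certificate required (mTLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    # Mutual TLS: the peer must present a certificate chaining to the service CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Placeholder paths for a real deployment (not included with this example):
    # ctx.load_verify_locations("/etc/svc/ca.pem")
    # ctx.load_cert_chain("/etc/svc/server.pem", "/etc/svc/server-key.pem")
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The weak configuration for comparison: no protocol floor, no client authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """One finding per best practice from the slide that the context violates."""
    findings = []
    if ctx.minimum_version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol allowed: minimum version is {ctx.minimum_version.name}")
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_STRENGTH_BITS]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no mutual TLS)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()))
    print("legacy:  ", audit_context(legacy_server_context()))
```

The audit is the crypto-agility hook: keep `LEGACY_VERSIONS` and the cipher string in one place, and when the next protocol or suite is deprecated the change is a single edit that every service picks up, rather than a hunt through each microservice's own TLS setup.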
  • 23. Input and Output Validation
  • 24. Secure handling and storage of Secrets
  • 25. Advantages of using design patterns
    ● Inbuilt security functionality
    ● Reduced attack surface
    ● Smaller functionality
    ● Layered security / defense in depth
    ● Simpler code structure
    ● Faster remediation
    ● Containerized deployments
  • 26. Attack - Capital One Breach
    Third-party ModSecurity firewall; over-permissive AWS metadata service
    1. Insecure AWS metadata service
    2. Obtained credentials of the ****_WAF-Role
    3. List S3 buckets
    4. Sync buckets
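The slide's first step is a request reaching the cloud metadata service through a component that fetches URLs on behalf of callers. An added example written for this page (not the deck's code and not any firewall product): an egress check that a service fetching URLs should apply before connecting, refusing any destination that is not a globally routable address, which covers the link-local range where cloud metadata endpoints live as well as loopback and private networks. The DNS table and hostnames are constructed so it runs offline; `resolver` is injectable and defaults to the real `socket.gethostbyname`.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_blocked_address(ip: str) -> bool:
    """Anything not globally routable: link-local (cloud metadata endpoints), loopback,
    RFC 1918 / ULA private ranges, multicast, reserved and documentation ranges."""
    return not ipaddress.ip_address(ip).is_global


def check_egress_url(url: str, resolver=socket.gethostbyname) -> str:
    """Return 'ok' or the reason the URL must not be fetched.

    Production callers should also re-check the address actually connected to, since a
    DNS answer can change between this lookup and the connect.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)  # literal IP in the URL
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(host))
        except (socket.gaierror, ValueError, OSError):
            return f"cannot resolve {host!r}"
    if is_blocked_address(str(ip)):
        return f"destination {ip} is internal/link-local"
    return "ok"


# Constructed DNS table so the example needs no network access.
FAKE_DNS = {
    "partner.example": "8.8.8.8",            # stands in for a public partner endpoint
    "metadata.internal": "169.254.169.254",  # link-local metadata endpoint
    "db.internal": "10.20.30.40",            # private network
}


def fake_resolver(host: str) -> str:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def run_demo():
    urls = [
        "https://partner.example/webhook",
        "http://169.254.169.254/",
        "http://metadata.internal/",
        "http://127.0.0.1:8080/admin",
        "http://db.internal/",
        "file:///etc/passwd",
        "https://nonexistent.example/",
    ]
    return {u: check_egress_url(u, resolver=fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, verdict in run_demo().items():
        print(f"{verdict:45s} {url}")
```

This check addresses step 1 only. Steps 2 to 4 are about the role itself: a firewall's instance role has no business listing or syncing S3 buckets, so least-privilege IAM on that role, and on AWS requiring the token-based IMDSv2 for metadata access, would each have cut the chain independently of the egress check.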
  • 27. Role of microsegmentation in microservices
    ● Container security challenges
    ● Insufficient protection by traditional network zoning
    ● Host-based microsegmentation
    ● Microsegmentation of microservices
      a. Cluster level
      b. Pod level
      c. Container level
  • 28. Serverless Security
    Serverless applications, or Function as a Service (FaaS), are event-driven cloud-based systems in which application development relies solely on a combination of third-party services, client-side logic and cloud-hosted remote procedure calls.
  • 30. OWASP vulnerabilities are still applicable
    A1: Injection
    A2: Broken Authentication
    A3: Sensitive Data Exposure
    A4: XML External Entities
    A5: Broken Access Control
    A6: Security Misconfiguration
    A7: Cross-Site Scripting (XSS)
    A8: Insecure Deserialization
    A9: Using Components with Known Vulnerabilities
    A10: Insufficient Logging & Monitoring
  • 32. Security Testing of Microservices
    ● Security unit test cases
    ● Abuse test cases
    ● Build scanners for detecting common application security vulnerabilities
  • 33. Best Practices
    ● Appsec best practices
    ● Appsec assessment tooling
    ● Container security
  • 34. Application security best practices
    ● Zero trust for code, applications, interprocess communications, configurations and networks
    ● Secure coding conventions must be followed
    ● Data in transit must be secured using mTLS
    ● Secrets must be stored and managed using a secret store
    ● Generate logs, perform auditing and monitoring, use a SIEM
    ● Stay on top of known CVEs in third-party open source libraries
    ● Container and orchestration security
      - CIS benchmark
      - Clair
      - Dagda
      - Anchore
      - KubeSec
      - kube-hunter
    ● Adopt modern appsec tooling
      - Interactive Application Security Testing (IAST)
      - Real Time Application Security Protection (RASP)
      - Application whitelisting
      - Microsegmentation
  • 35. Conclusion
    ● Begin with zero trust by default
    ● Earn trust as you validate the authenticity of microservices
    ● Vetted microservice design patterns foster security
    ● Automating appsec tools promotes the shift-left security transformation
    ● Threat modeling is priceless
    ● Classic appsec attacks are still applicable
    ● Be open-minded about modern security tooling
    ● Microsegmentation increases resiliency
    ● Secure the complete stack, not just the microservices
  • 36. References
    Chris Richardson, Sam Newman, Prabath Siriwardena, Nuwan Dias, Jim Manico & many contributors