Understanding Microservices Security Challenges

Slide Note
Embed
Share

Presentation by Travis and David at the Dallas OWASP chapter delves into the intricacies of securing microservices architecture, highlighting common issues, diverse technologies, and key components. With tech giants like Amazon and Netflix already onboard, organizations are navigating the unique security concerns posed by microservices' distributed nature and varied technologies landscape.

dvand
dvand Follow

Uploaded on Oct 04, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Microservices What Exactly Am I Securing Again? A presentation where Travis and David talk to the Dallas OWASP chapter about microservices architecture.

  2. Intros Travis Biehn David Bohannon Synopsys, Inc

  3. Agenda Overview of Microservices Common Problems What Now? Questions

  4. Background Tech giants Amazon and Netflix have embraced Microservice architecture for over a decade Other organizations are following suite as they realize the benefits Technological independence Scalability and redundancy Reusability CI/CD compatibility Microservices exhibit unique problems not seen in monolithic applications

  5. New Business Interesting technologies and protocols require SMEs 87% use multiple technologies within their microservices Examples include Thrift, Protocol Buffers, AMQP, Kafka, GraphQL, etc. Mis-matched with existing security tooling More to look at Increased network presence and additional platforms, gateways, circuit breakers, etc. Interesting deployment models Infrastructure as code, container management, etc.

  6. Components Microservices Services Composition (API Gateway) Orchestration Service Registry Circuit Breaker

  7. Territory Service Providers AWS Lambda and API Gateway Google App Engine Microsoft Azure Kubernetes Services Technologies Containerization (Kubernetes, Docker) Message Queueing (AMQP, MQTT, Kafka, etc.) Synchronous Communication (REST, Thrift, XML-RPC, GraphQL, etc.) Service Discovery (SmartStack, Zookeeper, Etcd, Consul, NSQ, Serf, and Doozer, Eureka) Orchestration (Azure Service Fabric, Azure Kubernetes Service, Netflix Conductor, etc.)

  8. Microservices Valhalla

  9. Valhalla, NY

  10. Concepts Monolithic application functionality is invoked internally.

  11. Concepts Microservices each services is invoked via network call.

  12. Securing Access to Services https://csrc.nist.gov/publications/detail/sp/800-204/draft

  13. M&M Security Hard external surface with a soft, vulnerable middle

  14. Testing is Difficult Because We often do not know who is using the service Lack of support for unique protocols/technologies Inability of tools to follow flows across services Increased attack surface compared to monolithic applications Calling services directly Middling network communications Attacking containerization technologies Attacking registration services Etc

  15. Mutual TLS A partial solution preventing attackers from accessing services directly Use Mutual TLS to ensure only expected clients connect to services = mTLS

  16. SAST Tooling Difficult for SAST tools to follow data flows across services VS.

  17. Weird Message Formats Difficult for dynamic tooling and security testers to manipulate uncommon/unsupported protocols VS.

  18. The Problem We are speaking GraphQL

  19. BurpSuite Doesnt Speak GraphQL

  20. Pub-Sub Communications So, what are you doing later today? Nothing much, you?

  21. Pub-Sub Communications https://aws.amazon.com/pub-sub-messaging/

  22. Pub-Sub Communications Microservices pub-sub architecture and the mailbox analogy

  23. Pub-Sub Communications Manipulating messages

  24. Orchestration Responsible for ensuring there are enough concrete instances to serve the requests Possesses complete control over the service instances, making it a valuable target

  25. Service Registry

  26. Service Registry I m a new service at 10.0.2.6 I m a new service at 10.0.2.7 I m a new service at 10.0.2.5 Hey, discovery server! Where can I access the ManageWidgets service??? Hey, discovery server! I m a new instance of the billing service at 10.0.3.5 send sensitive billing info to me! You can access the ManageWidgets service at 10.0.2.5, 10.0.2.6, or 10.0.2.7

  27. Etcd-anger

  28. Monitoring In a monolithic application. I m still up and running all is good here. No problems here either.

  29. Im still up and running all is good here. Monitoring in a microservices architecture. No problems here either. No problems here either. I m still up and running all is good here. I m still up and running all is good here. I m still up and running all is good here. I m still up and running all is good here. I m still up and running all is good here. I m still up and running all is No problems here either. good here. No problems here either.

  30. Monitoring Difficulty correlating inbound requests to services that handle the request VS.

  31. Monitoring A few helpful tools https://netflix.github.io/ Repo containing many open-source tools including some of Netflix monitoring solutions Includes the famous Simian Army and Chaos Monkey used to test resilience and monitoring capabilities

  32. So What Microservices are here to stay. Evaluate all the new things. Turn PDFs and governance into code. Help develop security features. Push the tools.

  33. QUESTIONS?

  34. Drop us a note tbiehn@synopsys.com bohannon@synopsys.com

Related


Understanding Microservices Architecture for Libraries

Understanding Microservices Architecture for Libraries

marigold
Understanding Microservices and Service Mesh in Modern Cloud Architecture

Understanding Microservices and Service Mesh in Modern Cloud Architecture

kborm
Understanding Communication Patterns in Microservices Technology

Understanding Communication Patterns in Microservices Technology

arsalanz
Understanding the Transition to Microservices Architecture

Understanding the Transition to Microservices Architecture

nada_ryl
Evolution of LinkedIn's Service Architecture: From Monolith to Microservices

Evolution of LinkedIn's Service Architecture: From Monolith to Microservices

mako_253
Rethinking Security from the Ground Up with a Microservices Mindset

Rethinking Security from the Ground Up with a Microservices Mindset

dem_kon
Empowering Imperial's Future with Microservices: Advantages, Challenges, and Benefits

Empowering Imperial's Future with Microservices: Advantages, Challenges, and Benefits

euan193
Stability Patterns to Combat Microservices Antipatterns

Stability Patterns to Combat Microservices Antipatterns

mand558
Yet Another Microservices Solution (Yams) Overview

Yet Another Microservices Solution (Yams) Overview

shom448
Understanding Security in World Politics

Understanding Security in World Politics

eisenberg_k
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

kol_lov
Software Engineering Features, Scenarios, and Stories Course Overview

Software Engineering Features, Scenarios, and Stories Course Overview

decembe
Understanding HTTP Security Headers for Web Apps

Understanding HTTP Security Headers for Web Apps

pembroke_l
Effective Strategies for Virtualizing Intrusion Detection Systems

Effective Strategies for Virtualizing Intrusion Detection Systems

eshee
Workflow Design and Implementation Challenges in Change Management

Workflow Design and Implementation Challenges in Change Management

lexie
UIC Security Division Overview and International Activities

UIC Security Division Overview and International Activities

hadri
Automating Security Operations Using Phantom

Automating Security Operations Using Phantom

gwe_sad
Understanding Computer Security Principles and Practices

Understanding Computer Security Principles and Practices

jos_o
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke

Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke

jes_mcg
IPv6 Security and Threats Workshop Summary

IPv6 Security and Threats Workshop Summary

lori_4
International Approaches to Enhance Nuclear Safety and Security

International Approaches to Enhance Nuclear Safety and Security

mazarine

More Related Content

Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Understanding Security Threats and Countermeasures
Understanding Security Threats and Countermeasures
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Certification and Training in Information Security
Certification and Training in Information Security
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Managing Application Security in Large Organizations: Insights and Best Practices
Managing Application Security in Large Organizations: Insights and Best Practices
Exploring Web Hosting Security: Principles, Layers, and Monitoring
Exploring Web Hosting Security: Principles, Layers, and Monitoring
Network Security Fundamentals and Today's Security Challenges
Network Security Fundamentals and Today's Security Challenges
OWASP Bricks - Web Application Security Learning Platform
OWASP Bricks - Web Application Security Learning Platform
Understanding Information Security Policies for Effective Cybersecurity
Understanding Information Security Policies for Effective Cybersecurity
Securing Protocols with Fully Encrypted Protocols (FEPs)
Securing Protocols with Fully Encrypted Protocols (FEPs)
Understanding Food Security and Social Welfare Administration
Understanding Food Security and Social Welfare Administration
Rethinking Public Security: Civil Society's Role and Modern Challenges
Rethinking Public Security: Civil Society's Role and Modern Challenges
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Enhancing Browser Security for Mobile Devices Using Smart CDNs
Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions
Cyber Security Toolkit for Boards: Comprehensive Briefings and Key Questions
Understanding Security Reports and Hospital Security Services
Understanding Security Reports and Hospital Security Services