appsec and microservices
play

APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016 @gotocph - PowerPoint PPT Presentation

Sep 01, 2022 •260 likes •1.25k views

APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016 @gotocph @samnewman @gotocph @samnewman https://www. fl ickr.com/photos/seattlemunicipalarchives/4058808950 @gotocph @samnewman https://www. fl

  2. APPSEC AND MICROSERVICES Sam Newman GOTO Copenhagen 2016

  3. @gotocph @samnewman

  4. @gotocph @samnewman https://www. fl ickr.com/photos/seattlemunicipalarchives/4058808950

  5. @gotocph @samnewman https://www. fl ickr.com/photos/theseanster93/485390997/

  6. http://map.norsecorp.com/ @gotocph @samnewman

  7. @gotocph @samnewman

  8. @gotocph @samnewman

  9. Shipping Returns Customer Service Invoicing Accounts Inventory @gotocph @samnewman

  10. Shipping Returns Small Autonomous services that work together , modelled Customer Service around a business domain Invoicing Accounts Inventory @gotocph @samnewman

  11. https://www. fl ickr.com/photos/wwworks/2607036664/

  12. https://www. fl ickr.com/photos/lkowen/15803718243/

  13. @gotocph @samnewman

  14. @gotocph @samnewman

  15. @gotocph @samnewman

  16. @gotocph @samnewman

  17. @gotocph @samnewman

  18. Prevention @gotocph @samnewman

  19. Prevention Detection @gotocph @samnewman

  20. Prevention Detection Response @gotocph @samnewman

  21. Prevention Detection Recovery Response @gotocph @samnewman

  22. Prevention Detection Recovery Response @gotocph @samnewman

  23. Prevention Detection Recovery Response @gotocph @samnewman

  24. @gotocph @samnewman https://www. fl ickr.com/photos/adulau/15680439035/

  25. https://www. fl ickr.com/photos/duanestorey/469163789/ @gotocph @samnewman

  26. https://www.schneier.com/paper-attacktrees-ddj-ft.html @gotocph @samnewman

  27. Open Safe @gotocph @samnewman

  28. Open Safe Pick Lock Learn Combo Cut Open @gotocph @samnewman

  29. Open Safe Pick Lock Learn Combo Cut Open Find Written Get Combo from Combo the target @gotocph @samnewman

  30. Open Safe Pick Lock Learn Combo Cut Open Find Written Get Combo from Combo the target Blackmail Threaten Bribe @gotocph @samnewman

  31. Open Safe Pick Lock Learn Combo Cut Open Impossible Possible Find Written Get Combo from Combo the target Possible Blackmail Threaten Bribe Impossible Impossible Possible @gotocph @samnewman

  32. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  33. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Transport Security Recommend User service service @gotocph @samnewman

  34. HTTPS Everywhere! @gotocph @samnewman

  35. BENEFITS OF HTTPS?

  36. BENEFITS OF HTTPS? ▫︎ Server guarantees!

  37. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated…

  38. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and…

  39. BENEFITS OF HTTPS? ▫︎ Server guarantees! ▫︎ Payload not manipulated… ▫︎ …but no client guarantee and… ▫︎ …certi fi cates can be a pain

  40. https://letsencrypt.org/ @gotocph @samnewman

  41. @gotocph @samnewman

  42. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service

  43. CLIENT-SIDE CERTIFICATES?

  44. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees!

  45. CLIENT-SIDE CERTIFICATES? ▫︎ Client guarantees! ▫︎ …but a PITA to manage….

  46. http://techblog.net fl ix.com/2015/09/introducing-lemur.html @gotocph @samnewman

  47. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  48. Auth? @gotocph @samnewman

  49. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User service service @gotocph @samnewman

  50. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  51. Mobile Web Web app browsers browsers OAuth Form Auth Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  52. Confused Deputy Problem! @gotocph @samnewman

  53. Data At Rest? @gotocph @samnewman

  54. Mobile Web app browsers Royalty Catalog Music Payment service Web Shop Gateway Recommend User User service service service @gotocph @samnewman

  55. Aside: Docker @gotocph @samnewman

  56. http://www.banyanops.com/blog/analyzing-docker-hub/ @gotocph @samnewman

  57. Security? Security? Build S/M Tests Large Tests Production @gotocph @samnewman

  58. Security? Security? Build S/M Tests Large Tests Production @gotocph @samnewman

  59. https://www.microsoft.com/en-us/sdl/ @gotocph @samnewman

  60. Patch Your Stu ff @gotocph @samnewman

  61. Prevention Detection Recovery Response @gotocph @samnewman

  62. Prevention Detection Recovery Response @gotocph @samnewman

  63. https://www.qualys.com/research/top10/ @gotocph @samnewman

  64. http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet @gotocph @samnewman

  65. @gotocph @samnewman

  66. https://www.modsecurity.org/ @gotocph @samnewman

  67. Mobile Web app browsers Catalog Music Royalty service Web Shop service Recommend User service service @gotocph @samnewman

  68. Mobile Web app browsers PERIMETER SECURITY! Catalog Music Royalty service Web Shop service Recommend User service service @gotocph @samnewman

  69. Polyglot = more stu ff to track! @gotocph @samnewman

  70. Polyglot = more things to break? @gotocph @samnewman

  71. Prevention Detection Recovery Response @gotocph @samnewman

  72. Prevention Detection Recovery Response @gotocph @samnewman

  73. @gotocph @samnewman

  74. @gotocph @samnewman

  75. @gotocph @samnewman

  76. http://krebsonsecurity.com/tag/target-data-breach/ @gotocph @samnewman

  77. Comms @gotocph @samnewman

  78. Show teams with direct connection to users… Then show ‘backend services’ team Uni fi ed comms are needed! @gotocph @samnewman

  79. @gotocph @samnewman

  80. @gotocph @samnewman

  81. https://en.wikipedia.org/wiki/Chicago_Tylenol_murders @gotocph @samnewman

  82. http://www.smh.com.au/digital-life/mobiles/telstra-outage-manager-connected-customers-to-faulty-node-in-embarrassing- error-20160209-gmpn7f.html @gotocph @samnewman

  83. "[The employee responsible] didn't follow procedures and clearly that's not a good thing but I wouldn't want to pre-empt the proper investigation and we'll figure out what the right response is when we've had a chance to dig into the detail." - Australian Financial Review http://www.afr.com/business/telecommunications/telstra-mobile-network-down-across- australia-reports-20160209-gmpaty @gotocph @samnewman

  84. https://vimeo.com/102167635 @gotocph @samnewman

  85. “Finding the root cause of a failure is like finding a root cause of a success.” John Allspaw http://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-su ffi cient/ @gotocph @samnewman

  86. http://www.smh.com.au/technology/technology-news/telstra-free-data-guy-clocks-up-almost- a-terabyte-of-downloads-20160404-gnxu14.html @gotocph @samnewman

  87. Prevention Detection Recovery Response @gotocph @samnewman

  88. Prevention Detection Recovery Response @gotocph @samnewman

  89. Backups @gotocph @samnewman

  90. Backups Burn it all down @gotocph @samnewman

  91. Backups Burn it all down Harder with microservices? @gotocph @samnewman

  92. Review your old post-mortems @gotocph @samnewman

  93. Review your old post-mortems …and the resulting action plans! @gotocph @samnewman

  94. Prevention Detection Recovery Response @gotocph @samnewman

  95. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ @gotocph @samnewman

  96. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ http://samnewman.io/ @gotocph @samnewman

  97. Building Microservices DESIGNING FINE - GRAINED SYSTEMS Sam Newman http://buildingmicroservices.com/ http://samnewman.io/ http://magpietalkshow.com/ @gotocph @samnewman

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We

WHAT COMES AFTER MICROSERVICES? MATT RANNEY WHAT COMES AFTER MICROSERVICES? MATT RANNEY We hired lots of engineers. They wrote lots of software. This causes lots of problems. Why use microservices at all? Easier releases? Ef fj ciency

709 views • 55 slides
Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL

Microservices Security Fundamentals MICROSERVICES SECURITY CHALLENGES Wojciech Lesniak PRINCIPAL DEVELOPER / TECH LEAD @voit3k Microservices International Data Corporation (IDC) predicts that by: 2019 Q1 Microservices International Data

641 views • 39 slides
From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit:

From Dev to Security Rey Bango (@reybango) AppSec is hard Credit: https://imgur.com/user/PipePistoleer Implicit trust On average, each Web application that Positive Technologies inspected contained 33 vulnerabilities . Of those, six were high-

763 views • 47 slides
KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for

KrakenD API Gateway Product overview @devopsfaith Microservices are challenging The need for agility and scalability has driven Microservices adoption, but: 91% of Internet businesses are using or have plans to use microservices 86% expect

696 views • 53 slides
Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner

Reactive Microsystems The Evolution of Microservices at Scale Jonas Bonr @jboner Microservices Are Hyped So You Want To strangle The Almighty Monolith And Move Towards Microservices? Do Not Settle For Microliths Microlith Single

1.66k views • 127 slides
FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

7/17/2019 From HTTP to Kafka-based microservices FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa, FLYR Poland @wrzasa localhost:4567/index.html?print-pdf#/ 1/83 From HTTP to Kafka-based

1.15k views • 83 slides
Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How

Microservices: Service Oriented Development Rafael Schloming How do I break up my monolith? How do I architect my app with microservices? What infrastructure do I need in place before I can benefit from microservices? datawire.io 2

770 views • 50 slides
Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer

Microservices Smaller is Better? Eberhard Wolff Freelance consultant & trainer http://ewolff.com Why Microservices? Eberhard Wolff - @ewolff Why Microservices? Strong modularization Sustainable Replaceability Development speed

1.25k views • 48 slides
DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com

DDD & Microservices At last, some boundaries! Eric Evans @ericevans0 domainlanguage.com Why do I like microservices? Autonomous teams with isolated implementation. Acknowledge the rough and tumble of enterprises. Cattle not

557 views • 37 slides
Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap

1 Beyond Microservices: Streams, State and Scalability Gwen Shapira, Engineering Manager @gwenshap 2 In the beginning 3 We Have Microservices 3 4 We Microservices 4 5 They need to communicate 5 I know! Ill use REST APIs 6

751 views • 64 slides
Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices

Microservices and OSGi running with Apache Karaf Agenda No free Lunch - microservices microservices or Service? Free Lunch? - OSGi Services Services in the Apache Karaf ecosystem Showcase: https:/

690 views • 44 slides
Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol

Testing Java Microservices with Consumer-driven contracts Andrew Morgan @mogronalol Microservices testing is hard Consumer driven contract testing About Me Independent Consultant specialising in microservices & continuous delivery

1.54k views • 75 slides
Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module Overview Basic Certificates Tokens, JWT Oauth2, OpenID authentication Connect Identity provider Microservices API Gateway Challenges with Edge

1.02k views • 87 slides
Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall

Managing Managing Microservices Microservices E ff ectively E ff ectively Daniel Hall (@smarthall) Daniel Hall (@smarthall) About Me About Me Systems Engineer at LIFX Making the 'Internet' in the Internet of Things About This Talk About

556 views • 18 slides
Test Driven Microservices System Confidence through Journeys, Traces & Contracts

Test Driven Microservices System Confidence through Journeys, Traces & Contracts

Test Driven Microservices System Confidence through Journeys, Traces & Contracts @russmiles Biker me TBD Say Microservices one more time Reactive TBD A Definition The kingdom of heaven is like a mustard seed, which

1.04k views • 77 slides
Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure

Designing Events First Microservices Jonas Bonr @jboner So, you want to do microservices? Make sure you dont end up with Microliths Make sure you dont end up with Microliths We can do better than this Events First Domain Driven

1.68k views • 150 slides
An OpenCL implementation of a forward sampling algorithm for CP-logic Wiebe Van Ranst Joost

An OpenCL implementation of a forward sampling algorithm for CP-logic Wiebe Van Ranst Joost

An OpenCL implementation of a forward sampling algorithm for CP-logic Wiebe Van Ranst Joost Vennekens KU Leuven Campus De Nayer CP-logic PLP language in family of distribution semantics languages PRISM [Sato,Kameya], Independent

646 views • 30 slides
PITAs PAPER matters! tters! 2018 18 Papers coming home! Mathem hematica atical l

PITAs PAPER matters! tters! 2018 18 Papers coming home! Mathem hematica atical l

PITAs PAPER matters! tters! 2018 18 Papers coming home! Mathem hematica atical l Modelli elling g Can you u real ally save Ener nergy y in the he Drye yer r Sect ction n using ng a S Slide de Rule? Consortium

201 views • 16 slides
Optimal bidding A dual approach Carlos Pita jampp.com August 5, 2019 Carlos Pita (jampp.com)

Optimal bidding A dual approach Carlos Pita jampp.com August 5, 2019 Carlos Pita (jampp.com)

Optimal bidding A dual approach Carlos Pita jampp.com August 5, 2019 Carlos Pita (jampp.com) Optimal bidding August 5, 2019 1 / 27 Outline Bidding Problems 1 Continuous Relaxation Solution 2 Convex Relaxation Solution 3 Practical

651 views • 27 slides
Tips for the Scientic Programmer Michele Simionato@GEM Foundation This talk is about

Tips for the Scientic Programmer Michele Simionato@GEM Foundation This talk is about

Tips for the Scientic Programmer Michele Simionato@GEM Foundation This talk is about "Middle Performance Computing" profiling is invaluable for finding bottlenecks like slow operations in inner loops, but I do that 1-2 times per

383 views • 20 slides
Our Panelists 1. Tisa LaSorte , CEO and President, AHATA 2. Maria Dijkhof-Pita , Director, Dept

Our Panelists 1. Tisa LaSorte , CEO and President, AHATA 2. Maria Dijkhof-Pita , Director, Dept

22-2-2019 Our Panelists 1. Tisa LaSorte , CEO and President, AHATA 2. Maria Dijkhof-Pita , Director, Dept Economic Affairs/Commerce/Industry 3. Ulrich Hermans , Innovation Advisor, FUTURA Innovation Lab Panel discussion How can Aruba benefit from

567 views • 4 slides
MCINTYRE: A Monte Carlo Algorithm for Probabilistic Logic Programming Fabrizio Riguzzi ENDIF

MCINTYRE: A Monte Carlo Algorithm for Probabilistic Logic Programming Fabrizio Riguzzi ENDIF

MCINTYRE: A Monte Carlo Algorithm for Probabilistic Logic Programming Fabrizio Riguzzi ENDIF University of Ferrara, Italy fabrizio.riguzzi@unife.it Fabrizio Riguzzi (University of Ferrara) MCINTYRE 1 / 32 Probabilistic Logic Languages

612 views • 32 slides
THE HEALTH PRODUCTION FUNCTION REVISITED: THE ROLE OF SOCIAL NETWORKS AND LIQUID WEALTH Carolina

THE HEALTH PRODUCTION FUNCTION REVISITED: THE ROLE OF SOCIAL NETWORKS AND LIQUID WEALTH Carolina

2017 Portuguese Stata Users Group Meeting THE HEALTH PRODUCTION FUNCTION REVISITED: THE ROLE OF SOCIAL NETWORKS AND LIQUID WEALTH Carolina Santos Pedro Pita Barros Nova School of Business and Economics Motivation He pays for his care from

453 views • 16 slides
What Prometheus means for monitoring vendors Jorge Salamero - @bencerillo Sysdig - PromCon 2018

What Prometheus means for monitoring vendors Jorge Salamero - @bencerillo Sysdig - PromCon 2018

What Prometheus means for monitoring vendors Jorge Salamero - @bencerillo Sysdig - PromCon 2018 What is a monitoring vendor? Different vendors provide monitoring - Traditional based vendors - Database based vendors - Prometheus added-value

418 views • 23 slides

More recommend