APPSEC AND MICROSERVICES
Sam Newman GOTO Copenhagen 2016
@samnewman @gotocph
https://www.flickr.com/photos/seattlemunicipalarchives/4058808950
https://www.flickr.com/photos/theseanster93/485390997/
http://map.norsecorp.com/
Accounts, Returns, Invoicing, Shipping, Inventory, Customer Service
Small autonomous services that work together, modelled around a business domain
https://www.flickr.com/photos/wwworks/2607036664/
https://www.flickr.com/photos/lkowen/15803718243/
Prevention, Detection, Response, Recovery
https://www.flickr.com/photos/adulau/15680439035/
https://www.flickr.com/photos/duanestorey/469163789/
https://www.schneier.com/paper-attacktrees-ddj-ft.html
Open Safe
▫︎ Pick Lock
▫︎ Learn Combo
  ▫︎ Find Written Combo
  ▫︎ Get Combo from the target
    ▫︎ Blackmail
    ▫︎ Threaten
    ▫︎ Bribe
▫︎ Cut Open
Each leaf is marked Impossible or Possible (three Impossible, three Possible)
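As an added example (not code from the talk), here is a small Python evaluator for an attack tree in the style of Schneier's paper linked above. The tree is the slide's Open Safe tree; which leaf is Possible and which is Impossible is a constructed assumption, since the slide only says there are three of each, and the `Node`, `gate`, `attack_cut_sets` and `with_countermeasure` names are this example's own. It also handles AND nodes, which Schneier's paper uses but the slide's tree does not, so a defender can compare the paths left open before and after a countermeasure.

```python
# Added example (not from Sam Newman's talk): a small attack-tree evaluator in the
# style of Schneier's "Attack Trees" paper. The tree below is the slide's Open Safe
# tree; which leaf is Possible or Impossible is a constructed assumption.
import copy
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    # Leaves carry the analyst's judgement; interior nodes derive theirs from children.
    possible: Optional[bool] = None
    # "OR": any one child achieves this goal. "AND": every child is required.
    gate: str = "OR"
    children: List["Node"] = field(default_factory=list)


def is_possible(node: Node) -> bool:
    """Propagate feasibility upward: OR nodes need any child, AND nodes need all."""
    if not node.children:
        if node.possible is None:
            raise ValueError(f"leaf {node.name!r} has no Possible/Impossible value")
        return node.possible
    verdicts = [is_possible(child) for child in node.children]
    return any(verdicts) if node.gate == "OR" else all(verdicts)


def attack_cut_sets(node: Node) -> List[List[str]]:
    """Every set of leaf steps that together reach this node's goal. A defender reads
    this as the list of paths that still have to be closed."""
    if not node.children:
        return [[node.name]] if node.possible else []
    if node.gate == "OR":
        return [cut for child in node.children for cut in attack_cut_sets(child)]
    # AND: one cut set per combination of the children's cut sets.
    combos: List[List[str]] = [[]]
    for child in node.children:
        child_cuts = attack_cut_sets(child)
        if not child_cuts:
            return []
        combos = [prefix + cut for prefix in combos for cut in child_cuts]
    return combos


def with_countermeasure(root: Node, leaf_name: str) -> Node:
    """Model a mitigation: return a copy of the tree with the named leaf made Impossible,
    so its effect on the remaining paths can be compared against the original."""
    hardened = copy.deepcopy(root)

    def mark(node: Node) -> None:
        if not node.children and node.name == leaf_name:
            node.possible = False
        for child in node.children:
            mark(child)

    mark(hardened)
    return hardened


# The slide's tree. Leaf values are constructed (three Impossible, three Possible,
# as on the slide, but the slide does not say which is which).
SAFE_TREE = Node("Open Safe", children=[
    Node("Pick Lock", possible=False),
    Node("Learn Combo", children=[
        Node("Find Written Combo", possible=False),
        Node("Get Combo from the target", children=[
            Node("Blackmail", possible=True),
            Node("Threaten", possible=False),
            Node("Bribe", possible=True),
        ]),
    ]),
    Node("Cut Open", possible=True),
])


if __name__ == "__main__":
    print("Open Safe possible:", is_possible(SAFE_TREE))
    print("open paths:", attack_cut_sets(SAFE_TREE))
    print("after hardening the safe body:",
          attack_cut_sets(with_countermeasure(SAFE_TREE, "Cut Open")))
```

The point for the microservices discussion is the last call: a tree is only useful once you re-evaluate it after each proposed control, and `attack_cut_sets` makes it visible which paths a control actually removes and which remain.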
Catalog service, Music Web Shop, Recommend service, Royalty, Payment Gateway, Mobile app, Web browsers, User service
Transport Security
HTTPS Everywhere!
BENEFITS OF HTTPS?
▫︎ Server guarantees!
▫︎ Payload not manipulated…
▫︎ …but no client guarantee and…
▫︎ …certificates can be a pain
https://letsencrypt.org/
CLIENT-SIDE CERTIFICATES?
▫︎ Client guarantees!
▫︎ …but a PITA to manage…
http://techblog.netflix.com/2015/09/introducing-lemur.html
Auth?
Form Auth, OAuth (Web browsers, Mobile app)
User service
Confused Deputy Problem!
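As an added example (not code from the talk), the confused deputy problem in the slides' music shop, in Python. The Web Shop authenticates the browser user and then calls the Royalty service on that user's behalf. The first Royalty handler trusts the shop's service identity alone, so the shop's authority is usable for any user it can be talked into naming; the second verifies the end user's own token, issued by the User service, before answering. The token format (HMAC-signed, built on the standard library rather than any particular library), the key, the statement data and all function names are constructed for this example.

```python
# Added example (not code from Sam Newman's talk): the confused-deputy pattern in the
# slides' music shop. Everything here (names, key, statements) is constructed.
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret shared by the User service (issuer) and the services that verify
# its tokens. A real deployment would use asymmetric keys so verifiers cannot mint tokens.
USER_SERVICE_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed data held by the Royalty service.
ROYALTY_STATEMENTS = {
    "alice": {"period": "2016-Q3", "amount_gbp": 120.50},
    "bob": {"period": "2016-Q3", "amount_gbp": 9870.00},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, scopes: list, key: bytes, ttl: int = 300, now=None) -> str:
    """User service: mint an HMAC-signed token naming the user and what they may do."""
    issued_at = int(time.time()) if now is None else int(now)
    payload = json.dumps(
        {"sub": user_id, "scopes": scopes, "exp": issued_at + ttl}, sort_keys=True
    ).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token: str, key: bytes, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


def royalty_trusting_deputy(request: dict):
    """Vulnerable pattern: authorises on the caller's service identity only. The Royalty
    service cannot tell whether the Web Shop is acting for the user it names, so the
    shop's authority covers any user the shop can be induced to name."""
    if request["headers"].get("X-Calling-Service") != "web-shop":
        return None
    return ROYALTY_STATEMENTS.get(request["user"])


def royalty_verifying(request: dict, now=None):
    """Hardened pattern: authorises on the end user's own token, checking the scope and
    that the token's subject is the user whose statement is being requested."""
    auth = request["headers"].get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    claims = verify_token(token, USER_SERVICE_KEY, now=now)
    if claims is None or "royalty:read" not in claims.get("scopes", []):
        return None
    if claims["sub"] != request["user"]:
        return None
    return ROYALTY_STATEMENTS.get(request["user"])


def web_shop_statement_page(viewer_token: str, requested_user: str, now=None):
    """Web Shop handler for '/statement?user=<requested_user>' viewed with the viewer's
    token. Forwarding the requested user downstream is the step that makes the shop a
    confused deputy whenever the downstream trusts the shop alone."""
    leaky = royalty_trusting_deputy(
        {"headers": {"X-Calling-Service": "web-shop"}, "user": requested_user})
    safe = royalty_verifying(
        {"headers": {"Authorization": "Bearer " + viewer_token}, "user": requested_user},
        now=now)
    return {"trusting_deputy": leaky, "verifying": safe}


if __name__ == "__main__":
    alice = issue_token("alice", ["royalty:read"], USER_SERVICE_KEY)
    # Alice asks the shop for Bob's statement: the deputy hands it over, the verifier does not.
    print(web_shop_statement_page(alice, "bob"))
```

The design choice worth noting is that the downstream service does its own verification instead of trusting an upstream service's word about who the user is; the intermediary keeps no authority of its own to be confused about.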
Data At Rest?
Aside: Docker
http://www.banyanops.com/blog/analyzing-docker-hub/
Build pipeline: Build, S/M Tests, Large Tests, Production. Security? Security?
https://www.microsoft.com/en-us/sdl/
Patch Your Stuff
Prevention, Detection, Response, Recovery
https://www.qualys.com/research/top10/
http://www.extremetech.com/computing/190959-shellshock-a-deadly-new-vulnerability-that-could-lay-waste-to-the-internet
https://www.modsecurity.org/
Catalog service, Music Web Shop, Recommend service, Royalty service, Mobile app, Web browsers, User service
PERIMETER SECURITY!
Polyglot = more stuff to track!
Polyglot = more things to break?
Prevention, Detection, Response, Recovery
http://krebsonsecurity.com/tag/target-data-breach/
Comms
Show teams with a direct connection to users… then show the ‘backend services’ team. Unified comms are needed!
https://en.wikipedia.org/wiki/Chicago_Tylenol_murders
http://www.smh.com.au/digital-life/mobiles/telstra-outage-manager-connected-customers-to-faulty-node-in-embarrassing-error-20160209-gmpn7f.html
"[The employee responsible] didn't follow procedures and clearly that's not a good thing but I wouldn't want to pre-empt the proper investigation and we'll figure out what the right response is when we've had a chance to dig into the detail."
- Australian Financial Review
http://www.afr.com/business/telecommunications/telstra-mobile-network-down-across-australia-reports-20160209-gmpaty
https://vimeo.com/102167635
“Finding the root cause of a failure is like finding a root cause of a success.”
http://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-sufficient/
John Allspaw
http://www.smh.com.au/technology/technology-news/telstra-free-data-guy-clocks-up-almost-a-terabyte-of-downloads-20160404-gnxu14.html
Prevention, Detection, Response, Recovery
Backups
Burn it all down
Harder with microservices?
Review your old post-mortems …and the resulting action plans!
Prevention, Detection, Response, Recovery
Sam Newman
Building Microservices: Designing Fine-Grained Systems
http://buildingmicroservices.com/
http://samnewman.io/
http://magpietalkshow.com/