SLIDE 1
Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd laura@safestack.io http:/ /safestack.io
Practical Microservice Security Laura Bell Practical Microservice - - PowerPoint PPT Presentation
Practical Microservice Security Laura Bell Practical Microservice - - PowerPoint PPT Presentation
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date
SLIDE 2
SLIDE 3
caution: fast paced field ahead watch for out of date content
SLIDE 4
SLIDE 5
In this talk
Security Fundamentals
Some important points that are worth refreshing
Prevention
Avoid common vulnerabilities and avoid mistakes
Detection
Prepare for survival and response
SLIDE 6
SLIDE 7
SLIDE 8
SLIDE 9
apps that automatically scale up to handle millions of users and scale down again to have this be done by smaller teams
SLIDE 10
Integrity Availability Confidentiality
SLIDE 11
Spoofing Tampering Repudiation Information Disclosure Denial of Service Escalation of Privilege
SLIDE 12
SLIDE 13
Basic controls
SLIDE 14
so bad that StackOverflow has a process to handle it
SLIDE 15
For storing passwords in a database, MD5 is ac acceptab able, supposed you salt it properly. For this usage, the known attack is entirely unimportant. If you are in paranoia mode, you can use a more complicated scheme like bcrypt too, but for most people, storing a salted password is just good enough. It prevents the easiest, most
- bvious attack, is easy to implement, hard to do wrong, and has
low overhead.
SLIDE 16
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
find good trusted, peer reviewed sources
SLIDE 17
- r why acronyms make you less secure
SLIDE 18
2FA
SLIDE 19
Planned
SLIDE 20
I’m sorry Dave, I can’t let you do that
SLIDE 21
(fast updating, never cached, multi-device default)
SLIDE 22
the keys to token success
SLIDE 23
header field format method
SLIDE 24
Service decomposition
SLIDE 25
the reality of immature application segmentation
SLIDE 26
SLIDE 27
shouldn’t
SLIDE 28
SLIDE 29
exhaustion
SLIDE 30
Orchestration layer attacks
SLIDE 31
rule them all?
SLIDE 32
<quote> protect your APIs from OWASP Top 10 threats such as SQL Injection, XSS and application DDoS, and adaptive threats such as bad bots. </quote>
SLIDE 33
simple
SLIDE 34
features that scare me
impersonation 2) investigation mode 3) demo accounts on production 4) SSL interception and analysis 5) many password sins
SLIDE 35
Choose Restrict Monitor Configure Challenge Test
SLIDE 36
never assume a security vendor is better at secure development than you are
SLIDE 37
SLIDE 38
SLIDE 39
Identity and access management
SLIDE 40
the lowest set of permissions and accesses required to do your job
SLIDE 41
require well defined roles
SLIDE 42
v.s.
SLIDE 43
Automate and alert
SLIDE 44
mature groups and role assistance
SLIDE 45
Immutable architectures
matter in microservice security
SLIDE 46
but you might not be the right person to audit them
SLIDE 47
including those changes made by an attacker
SLIDE 48
Typical Actions :
SLIDE 49
become hard to persist
SLIDE 50
Heterogeneous language and technology spaces
SLIDE 51
SLIDE 52
you
SLIDE 53
technologies
SLIDE 54
vulnerability management can be challenging in microservice architectures
SLIDE 55
SLIDE 56
SLIDE 57
All
SLIDE 58
secure location immutable format away from production
SLIDE 59
denial of service attacks
SLIDE 60
backup, health check, domains
SLIDE 61
like actually, for real, not just when you’re debugging
SLIDE 62
TL;DR
Security Fundamentals
Some important points that are worth refreshing
Prevention
Avoid common vulnerabilities and avoid mistakes
Detection
Prepare for survival and response
SLIDE 63
SLIDE 64
SLIDE 65
Laura Bell
Founder and Lead Consultant - SafeStack
@lady_nerd laura@safestack.io http:/ /safestack.io
Questions?
SLIDE 66