Microservices – What Exactly Am I Securing Again?

Presentation transcript:

Microservices – What Exactly Am I Securing Again? A presentation where Travis and David talk to the Dallas OWASP chapter about microservices architecture.

Intros: Travis Biehn, David Bohannon (Synopsys, Inc)

Agenda
Overview of Microservices
Common Problems
What Now?
Questions

Background
Tech giants Amazon and Netflix have embraced microservice architecture for over a decade
Other organizations are following suit as they realize the benefits:
Technological independence
Scalability and redundancy
Reusability
CI/CD compatibility
Microservices exhibit unique problems not seen in monolithic applications

New Business
Interesting technologies and protocols require SMEs: 87% use multiple technologies within their microservices. Examples include Thrift, Protocol Buffers, AMQP, Kafka, GraphQL, etc.
Mismatched with existing security tooling
More to look at: increased network presence and additional platforms, gateways, circuit breakers, etc.
Interesting deployment models: infrastructure as code, container management, etc.

Components
Microservices
Services Composition (API Gateway)
Orchestration
Service Registry
Circuit Breaker

Territory
Service Providers: AWS Lambda and API Gateway, Google App Engine, Microsoft Azure Kubernetes Services
Technologies:
Containerization (Kubernetes, Docker)
Message Queueing (AMQP, MQTT, Kafka, etc.)
Synchronous Communication (REST, Thrift, XML-RPC, GraphQL, etc.)
Service Discovery (SmartStack, Zookeeper, Etcd, Consul, NSQ, Serf, Doozer, Eureka)
Orchestration (Azure Service Fabric, Azure Kubernetes Service, Netflix Conductor, etc.)

Microservices Valhalla

Valhalla, NY

Concepts Monolithic application – functionality is invoked internally.

Concepts Microservices – each service is invoked via a network call.

Securing Access to Services https://csrc.nist.gov/publications/detail/sp/800-204/draft

M&M Security Hard external surface with a soft, vulnerable middle…

Testing is Difficult Because…
We often do not know who is using the service
Lack of support for unique protocols/technologies
Inability of tools to follow flows across services
Increased attack surface compared to monolithic applications: calling services directly, middling network communications, attacking containerization technologies, attacking registration services, etc.

mTLS – A partial solution… Use Mutual TLS (mTLS) to ensure only expected clients connect to services, preventing attackers from accessing services directly.

SAST Tooling – Difficult for SAST tools to follow data flows across services.

Weird Message Formats – Difficult for dynamic tooling and security testers to manipulate uncommon/unsupported protocols.

The Problem We are speaking “GraphQL”…

BurpSuite Doesn’t Speak “GraphQL”

Pub-Sub Communications So, what are you doing later today? Nothing much, you?

Pub-Sub Communications https://aws.amazon.com/pub-sub-messaging/

Pub-Sub Communications Microservices pub-sub architecture and the mailbox analogy…

Pub-Sub Communications Manipulating messages

Orchestration Responsible for ensuring there are enough concrete instances to serve the requests Possesses complete control over the service instances, making it a valuable target

Service Registry

Service Registry
I’m a new service at 10.0.2.5
I’m a new service at 10.0.2.6
I’m a new service at 10.0.2.7
Hey, discovery server! Where can I access the ManageWidgets service???
You can access the ManageWidgets service at 10.0.2.5, 10.0.2.6, or 10.0.2.7
Hey, discovery server! I’m a new instance of the billing service at 10.0.3.5 – send sensitive billing info to me!
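The two slides above (mTLS as a partial solution, and the rogue "billing" instance talking to the registry) fit together in one runnable scenario. The following Go program is an added example, not code from the talk or from Synopsys: it stands up a toy certificate authority, an in-memory service registry served over TLS with `RequireAndVerifyClientCert`, and a constructed policy that binds each service name to the one client-certificate identity allowed to register instances of it. The registry's `POST /register?service=..&addr=..` API, the `toy-ca`/`registry`/`widgets` names and the 10.0.x.y addresses are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// issueCert mints a P-256 cert: the self-signed toy CA when isCA is set, else a leaf for cn signed by parent.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn} // a leaf is valid for its own name
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Registry is a constructed in-memory registry; policy binds a service name to the one client-cert CommonName allowed to register it.
type Registry struct {
	policy    map[string]string
	instances map[string][]string
}

// ServeHTTP handles POST /register?service=..&addr=..; identity comes from the verified client cert, not from the request.
func (r *Registry) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	identity, q := req.TLS.PeerCertificates[0].Subject.CommonName, req.URL.Query()
	if owner, ok := r.policy[q.Get("service")]; !ok || owner != identity {
		http.Error(w, identity+" may not register instances of "+q.Get("service"), http.StatusForbidden)
		return
	}
	r.instances[q.Get("service")] = append(r.instances[q.Get("service")], q.Get("addr"))
	w.WriteHeader(http.StatusCreated)
}

// register calls the registry over TLS; clientCert == nil models a caller with no identity.
func register(srv *httptest.Server, ca *x509.CertPool, clientCert *tls.Certificate, service, addr string) (int, error) {
	cfg := &tls.Config{RootCAs: ca, ServerName: "registry"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	q := url.Values{"service": {service}, "addr": {addr}}
	resp, err := client.Post(srv.URL+"/register?"+q.Encode(), "text/plain", nil)
	if err != nil {
		return 0, err // handshake refused: the request never reached the registry
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunScenario replays the slide: an anonymous caller, a legitimate ManageWidgets registration, then the widgets identity posing as a billing instance.
func RunScenario() (anonRejected bool, widgetsStatus, spoofStatus int, billing []string) {
	ca, caKey := issueCert("toy-ca", true, nil, nil)
	srvCert, srvKey := issueCert("registry", false, ca, caKey)
	widCert, widKey := issueCert("widgets", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	reg := &Registry{policy: map[string]string{"ManageWidgets": "widgets", "billing": "billing"}, instances: map[string][]string{}}
	srv := httptest.NewUnstartedServer(reg)
	// mTLS: every client must prove an identity chaining to the toy CA before the handler runs.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	widgets := tls.Certificate{Certificate: [][]byte{widCert.Raw}, PrivateKey: widKey}
	_, err := register(srv, pool, nil, "ManageWidgets", "10.0.2.5")
	widgetsStatus, _ = register(srv, pool, &widgets, "ManageWidgets", "10.0.2.5")
	spoofStatus, _ = register(srv, pool, &widgets, "billing", "10.0.3.5")
	srv.Close() // waits for in-flight handlers, so the map read below is safe
	return err != nil, widgetsStatus, spoofStatus, reg.instances["billing"]
}

func main() {
	fmt.Println(RunScenario())
}
```

Running it shows the two layers doing different jobs: the caller with no certificate never completes the handshake, so the "calling services directly" path from the testing slide is closed; the widgets service registers its own instance and gets 201; but the same, fully authenticated, widgets identity is refused (403) when it tries to announce itself as a billing instance at 10.0.3.5. That last check is why mTLS is only a partial solution: transport authentication proves who is talking, and the registry still has to decide what that identity is allowed to say about itself.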

Etcd-anger

Monitoring …in a monolithic application. I’m still up and running… all is good here. No problems here either.

Monitoring …in a microservices architecture. Many services, each reporting: I’m still up and running… all is good here. No problems here either.

Monitoring – Difficulty correlating inbound requests to the services that handle the request.

Monitoring – A few helpful tools… https://netflix.github.io/ : a repo containing many open-source tools, including some of Netflix’s monitoring solutions. Includes the famous Simian Army and Chaos Monkey, used to test resilience and monitoring capabilities.

So What Microservices are here to stay. Evaluate all the new things. Turn PDFs and governance into code. Help develop security features. Push the tools.

Questions?

Drop us a note: tbiehn@synopsys.com bohannon@synopsys.com