APPSEC AND MICROSERVICES
Sam Newman
O’Reilly Software Architecture Conference, NYC 2016
@samnewman
Photo: https://www.flickr.com/photos/seattlemunicipalarchives/4058808950
Photo: https://www.flickr.com/photos/theseanster93/485390997/
http://map.norsecorp.com/
Accounts
Returns
Invoicing
Shipping
Inventory
Customer Service
Small, autonomous services that work together, modelled around a business domain
Photo: https://www.flickr.com/photos/wwworks/2607036664/
Photo: https://www.flickr.com/photos/lkowen/15803718243/
Prevention / Detection / Response / Recovery
Photo: https://www.flickr.com/photos/adulau/15680439035/
Photo: https://www.flickr.com/photos/duanestorey/469163789/
Attack trees: https://www.schneier.com/paper-attacktrees-ddj-ft.html
Open Safe
  Pick Lock: Impossible
  Learn Combo: Possible
    Find Written Combo: Impossible
    Get Combo from the target: Possible
      Blackmail: Impossible
      Threaten: Impossible
      Bribe: Possible
  Cut Open: Possible
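The tree above is only useful once you can ask it questions: is the goal reachable at all, which route is cheapest, and what changes when a control is applied. This added example (not code from the talk) encodes the slide's tree and evaluates it; the node names and possible/impossible values follow the slide, while the OR/AND evaluator, the cost figures and the mitigate() helper are assumptions added for illustration.

```python
"""Evaluating an attack tree like the 'Open Safe' one above.

Added example, not from the talk. Node names and possible/impossible values
follow the slide (after Schneier's paper); the OR/AND evaluator, the cost
figures (constructed, in $K) and mitigate() are assumptions.
"""
from __future__ import annotations
import copy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    possible: Optional[bool] = None   # leaf attribute from the tree
    cost: Optional[int] = None        # constructed cost, leaves only
    op: str = "OR"                    # "OR": any child suffices; "AND": all children needed
    children: list[Node] = field(default_factory=list)


def is_possible(node: Node) -> bool:
    """Propagate the boolean attribute up the tree (OR -> any, AND -> all)."""
    if not node.children:
        return bool(node.possible)
    results = [is_possible(c) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def cheapest_attack(node: Node) -> Optional[tuple[int, list[str]]]:
    """(cost, path) of the cheapest possible attack, or None if the goal is impossible."""
    if not node.children:
        return (node.cost, [node.name]) if node.possible and node.cost is not None else None
    if node.op == "AND":
        total, path = 0, [node.name]
        for c in node.children:
            sub = cheapest_attack(c)
            if sub is None:
                return None               # one impossible step blocks an AND node
            total += sub[0]
            path += sub[1]
        return total, path
    best = None
    for c in node.children:
        sub = cheapest_attack(c)
        if sub is not None and (best is None or sub[0] < best[0]):
            best = (sub[0], [node.name] + sub[1])
    return best


def mitigate(tree: Node, leaf_name: str) -> Node:
    """Copy of the tree with one leaf marked impossible, i.e. a control applied."""
    new = copy.deepcopy(tree)

    def walk(n: Node) -> None:
        if not n.children and n.name == leaf_name:
            n.possible = False
        for c in n.children:
            walk(c)

    walk(new)
    return new


# The slide's tree; costs are constructed for illustration
SAFE = Node("Open Safe", children=[
    Node("Pick Lock", possible=False, cost=30),
    Node("Learn Combo", children=[
        Node("Find Written Combo", possible=False, cost=75),
        Node("Get Combo from the target", children=[
            Node("Blackmail", possible=False, cost=100),
            Node("Threaten", possible=False, cost=60),
            Node("Bribe", possible=True, cost=20),
        ]),
    ]),
    Node("Cut Open", possible=True, cost=10),
])

if __name__ == "__main__":
    print(is_possible(SAFE), cheapest_attack(SAFE))
    hardened = mitigate(SAFE, "Cut Open")
    print(is_possible(hardened), cheapest_attack(hardened))
```

Applying a control to "Cut Open" does not make the safe secure; it just moves the cheapest route to bribery, which is exactly the kind of answer a tree is meant to give before you spend the budget.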
Catalog service
Music Web Shop
Recommend service
Royalty Payment Gateway
Mobile app
Web browsers
User service
@samnewman
Catalog service
Music Web Shop
Recommend service
Royalty Payment Gateway
Mobile app
Web browsers
User service
Transport Security
@samnewman
HTTPS Everywhere!
BENEFITS OF HTTPS?
▫︎ Server guarantees! (the caller can verify which server it is talking to)
▫︎ Payload not manipulated… (nor read) in transit
▫︎ …but no client guarantee (the server learns nothing about who is calling) and…
▫︎ …certificates can be a pain
https://letsencrypt.org/
CLIENT-SIDE CERTIFICATES?
▫︎ Client guarantees! (mutual TLS: the server verifies the caller's certificate too)
▫︎ …but a PITA to manage….
http://techblog.netflix.com/2015/09/introducing-lemur.html
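The two slides above make one point each: plain HTTPS authenticates the server only, and client certificates close the gap at the price of managing them. This added example (not code from the talk) shows both sides as Python ssl contexts and what a service can do with the caller identity that mutual TLS hands it. It builds the contexts and inspects their settings without opening a connection, so no certificates are needed to run it; the file paths, the peer-certificate dict and the allow-list are constructed placeholders.

```python
"""Server-only TLS versus mutual TLS, as seen from the ssl module.

Added example, not from the talk. No network or certificates are used:
the contexts are built and their verification settings inspected. Paths
such as 'internal-ca.pem' are placeholders; EXAMPLE_PEER_CERT is a
constructed copy of the dict shape ssl returns from getpeercert().
"""
from __future__ import annotations
import ssl
from typing import Optional


def client_context() -> ssl.SSLContext:
    """What a caller gets from plain HTTPS: the *server* is verified."""
    ctx = ssl.create_default_context()               # Purpose.SERVER_AUTH
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # server cert must chain to a trusted CA and match the name we dialled
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def server_context_https_only() -> ssl.SSLContext:
    """Default server side: any client may connect; the server learns nothing about it."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ctx.load_cert_chain("service.pem", "service.key")   # placeholder paths
    return ctx


def server_context_mtls(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Mutual TLS: the server also demands a client cert issued by our internal CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # handshake fails without a valid client cert
    if ca_bundle:                                # e.g. "internal-ca.pem" (placeholder)
        ctx.load_verify_locations(cafile=ca_bundle)   # only certs from this CA are accepted
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED


def caller_identity(peer_cert: Optional[dict]) -> Optional[str]:
    """Service name from the dict sock.getpeercert() returns after an mTLS handshake.
    Prefers a DNS subjectAltName, falls back to the subject CN; None if no cert."""
    if not peer_cert:
        return None
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            return value
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


# Constructed allow-list: which services may call this one
ALLOWED_CALLERS = {"catalog-service", "music-web-shop"}


def authorize_caller(peer_cert: Optional[dict]) -> bool:
    """Authorization on top of authentication: being a valid cert is not enough."""
    return caller_identity(peer_cert) in ALLOWED_CALLERS


# Constructed example of what getpeercert() yields for a service cert
EXAMPLE_PEER_CERT = {
    "subject": ((("commonName", "catalog-service"),),),
    "subjectAltName": (("DNS", "catalog-service"),),
}

if __name__ == "__main__":
    print("https-only server requires client cert:", requires_client_cert(server_context_https_only()))
    print("mtls server requires client cert:", requires_client_cert(server_context_mtls()))
    print("caller:", caller_identity(EXAMPLE_PEER_CERT), "allowed:", authorize_caller(EXAMPLE_PEER_CERT))
```

Note that with the https-only server context getpeercert() on the server side returns None for every caller, which is the "no client guarantee" bullet in code.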
Web browsers: Form Auth, OAuth
User service
Confused Deputy Problem!
A downstream service that authenticates only the service calling it (the web shop) and not the end user behind the request will do whatever that service asks; a bug or compromise in the shop then lets one user reach another user's data with the shop's full authority.
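The problem and its usual fix, as an added example that is not code from the talk: the Music Web Shop acts as deputy for a logged-in user and calls the User service. In the naive version the User service checks only that the caller is the shop, so a tampered user id in the request leaks any profile; in the fixed version the shop forwards the end user's token and the User service checks that token's subject and scope against the record being asked for. The HMAC-signed token, the secret, the service names and the user records are constructed stand-ins for whatever session or OAuth token the real shop holds.

```python
"""Confused deputy between the Music Web Shop and the User service.

Added example, not from the talk. Tokens are HMAC-signed JSON standing in
for the session/OAuth token the shop holds after form auth; SECRET, the
service names and USERS are constructed demo data.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-signing-key"      # constructed; would come from a secret store

USERS = {                          # constructed data held by the User service
    "alice": {"email": "alice@example.com", "cards": ["**** 1111"]},
    "bob": {"email": "bob@example.com", "cards": ["**** 2222"]},
}

TRUSTED_CALLERS = {"music-web-shop"}   # e.g. identities from mTLS client certs


def mint_token(subject: str, scopes: list[str]) -> str:
    """Issue body.signature for an end user (what login hands the shop)."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": subject, "scope": scopes}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Claims if the signature is valid, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


# --- User service, vulnerable: authenticates the calling *service* only ---
def user_service_naive(caller: str, user_id: str) -> Optional[dict]:
    if caller not in TRUSTED_CALLERS:
        return None
    return USERS.get(user_id)          # any user at all, because the shop asked


# --- User service, fixed: also checks the end user's own authority ---
def user_service_fixed(caller: str, user_id: str, end_user_token: Optional[str]) -> Optional[dict]:
    if caller not in TRUSTED_CALLERS:
        return None
    claims = verify_token(end_user_token or "")
    if claims is None:
        return None
    if claims["sub"] != user_id and "admin" not in claims["scope"]:
        return None                    # the deputy may not act beyond the user's rights
    return USERS.get(user_id)


# --- Music Web Shop as deputy; `requested` comes straight from the HTTP request ---
def shop_profile_naive(requested: str) -> Optional[dict]:
    return user_service_naive("music-web-shop", requested)


def shop_profile_fixed(session_token: str, requested: str) -> Optional[dict]:
    return user_service_fixed("music-web-shop", requested, session_token)


if __name__ == "__main__":
    bob = mint_token("bob", ["profile"])
    print("naive, bob asks for alice:", shop_profile_naive("alice"))   # leaks
    print("fixed, bob asks for alice:", shop_profile_fixed(bob, "alice"))  # None
    print("fixed, bob asks for bob:", shop_profile_fixed(bob, "bob"))
```

The fix is to carry the end user's authority through the call chain rather than letting the shop's own identity stand in for it; service-to-service authentication (mTLS or otherwise) is still needed, it is just not sufficient.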
Data At Rest?
Patch Your Stuff
Prevention / Detection / Response / Recovery
https://www.qualys.com/research/top10/
https://www.modsecurity.org/
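What a ModSecurity-style detector does, reduced to something you can run against access logs from several services. This is an added example, not code from the talk and not ModSecurity's rule set: three hand-written regexes in that spirit, applied to constructed common-log-format lines. The first path segment is treated as the service name, which is the microservices point: the same detection can run behind every service, not only at the edge.

```python
"""WAF-style detection over access-log lines from several services.

Added example, not from the talk and not ModSecurity's Core Rule Set:
three hand-written signatures in that spirit, run over constructed
common-log-format lines (IPs from documentation ranges).
"""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import unquote_plus

# ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Assumed signatures, deliberately small; tune against your own traffic before relying on them
RULES = {
    "sqli": re.compile(r"\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$|\bsleep\(\d+\)", re.I),
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd"),
    "xss": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
}

# Constructed sample log
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2016:10:01:00 +0000] "GET /catalog/albums?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2016:10:01:02 +0000] "GET /catalog/albums?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 128
198.51.100.9 - - [10/Apr/2016:10:02:10 +0000] "GET /users/bob HTTP/1.1" 200 301
203.0.113.5 - - [10/Apr/2016:10:02:11 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 64
198.51.100.9 - - [10/Apr/2016:10:03:00 +0000] "POST /recommend?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 99
192.0.2.77 - - [10/Apr/2016:10:03:05 +0000] "GET /catalog/search?q=rock%20or%20roll HTTP/1.1" 200 2048
"""


def classify(path: str) -> list[str]:
    """Names of the rules that fire on a request path.
    Decoded twice because double URL-encoding (%2527 for a quote) is a common evasion."""
    decoded = unquote_plus(unquote_plus(path))
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))


def scan(log_text: str) -> list[dict]:
    """One hit per suspicious request: source ip, target service, status, rules fired."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line; count these separately in real use
        rules = classify(m["path"])
        if rules:
            service = m["path"].split("/")[1].split("?")[0] or "root"
            hits.append({"ip": m["ip"], "service": service, "status": int(m["status"]), "rules": rules})
    return hits


def top_sources(hits: list[dict]) -> Counter:
    """Which source addresses tripped the most rules across all services."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print(top_sources(found).most_common())
```

Correlating by source across services is where this earns its keep: a single probe per service looks like noise, the same address walking the catalog, static and recommend services in two minutes does not.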
PERIMETER SECURITY!
Polyglot = more stuff to track!
Polyglot = more things to break?
Prevention / Detection / Response / Recovery
http://krebsonsecurity.com/tag/target-data-breach/
https://en.wikipedia.org/wiki/Chicago_Tylenol_murders
Prevention / Detection / Response / Recovery
Backups
Burn it all down
Harder with microservices?
Prevention / Detection / Response / Recovery
Sam Newman
Building Microservices: Designing Fine-Grained Systems
http://buildingmicroservices.com/
http://magpietalkshow.com/
http://samnewman.io/
@samnewman [email protected]
THANKS!