Microservices – What Exactly Am I Securing Again?

Presentation Transcript


  1. Microservices – What Exactly Am I Securing Again? A presentation where Travis and David talk to the Dallas OWASP chapter about microservices architecture.

  2. Intros Travis Biehn David Bohannon Synopsys, Inc

  3. Agenda • Overview of Microservices • Common Problems • What Now? • Questions

  4. Background
     • Tech giants Amazon and Netflix have embraced Microservice architecture for over a decade
     • Other organizations are following suit as they realize the benefits
       • Technological independence
       • Scalability and redundancy
       • Reusability
       • CI/CD compatibility
     • Microservices exhibit unique problems not seen in monolithic applications

  5. New Business
     • Interesting technologies and protocols require SMEs
       • 87% use multiple technologies within their microservices
       • Examples include Thrift, Protocol Buffers, AMQP, Kafka, GraphQL, etc.
       • Mis-matched with existing security tooling
     • More to look at
       • Increased network presence and additional platforms, gateways, circuit breakers, etc.
     • Interesting deployment models
       • Infrastructure as code, container management, etc.

  6. Components (diagram): Microservices, Services Composition (API Gateway), Orchestration, Service Registry, Circuit Breaker

  7. Territory
     • Service Providers
       • AWS Lambda and API Gateway
       • Google App Engine
       • Microsoft Azure Kubernetes Services
     • Technologies
       • Containerization (Kubernetes, Docker)
       • Message Queueing (AMQP, MQTT, Kafka, etc.)
       • Synchronous Communication (REST, Thrift, XML-RPC, GraphQL, etc.)
       • Service Discovery (SmartStack, Zookeeper, Etcd, Consul, NSQ, Serf, Doozer, Eureka)
       • Orchestration (Azure Service Fabric, Azure Kubernetes Service, Netflix Conductor, etc.)

  8. Microservices Valhalla

  9. Valhalla, NY

  10. Concepts Monolithic application – functionality is invoked internally.

  11. Concepts Microservices – each service is invoked via a network call.

  12. Securing Access to Services https://csrc.nist.gov/publications/detail/sp/800-204/draft

  13. M&M Security Hard external surface with a soft, vulnerable middle…

  14. Testing is Difficult Because…
     • We often do not know who is using the service
     • Lack of support for unique protocols/technologies
     • Inability of tools to follow flows across services
     • Increased attack surface compared to monolithic applications
       • Calling services directly
       • Middling network communications
       • Attacking containerization technologies
       • Attacking registration services
       • Etc …

  15. Mutual TLS A partial solution, preventing attackers from accessing services directly: use Mutual TLS (mTLS) to ensure only expected clients connect to services.
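Slide 15's point in code, as an added example that is not from the deck: a Go server-side tls.Config that requires a client certificate chaining to the mesh CA and then restricts callers to an allowlist of service identities, plus a helper that replays those handshake checks. The CA, the service names and the in-memory certificate issuance are constructed for the example; real services would load their certificates from a secrets store or mesh agent.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a cert for cn signed by parent (a self-signed CA when parent is nil); constructed in-memory PKI for an offline demo.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // demo PKI: errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// serverTLSConfig is the service side of mTLS: the handshake fails unless the client presents a
// cert chaining to ca, and VerifyPeerCertificate then limits callers to the identities in allowed.
func serverTLSConfig(ca *x509.Certificate, allowed map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no client cert, or one from another CA: handshake fails
		ClientCAs:  pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if cn := chains[0][0].Subject.CommonName; !allowed[cn] {
				return fmt.Errorf("mTLS: %q is not an expected caller", cn)
			}
			return nil
		},
	}
}
// verifyClient replays the server's handshake checks on a presented client leaf certificate.
func verifyClient(cfg *tls.Config, leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs})
	if err == nil { // issued by our CA; now check it is an expected caller
		err = cfg.VerifyPeerCertificate(nil, chains)
	}
	return err
}
```

A valid certificate from the right CA is necessary but not sufficient: the identity allowlist is what turns "can connect to the mesh" into "may call this service".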

  16. SAST Tooling Difficult for SAST tools to follow data flows across services

  17. Weird Message Formats Difficult for dynamic tooling and security testers to manipulate uncommon/unsupported protocols

  18. The Problem We are speaking “GraphQL”…

  19. BurpSuite Doesn’t Speak “GraphQL”

  20. Pub-Sub Communications (illustration of a two-party exchange: “So, what are you doing later today?” / “Nothing much, you?”)

  21. Pub-Sub Communications https://aws.amazon.com/pub-sub-messaging/

  22. Pub-Sub Communications Microservices pub-sub architecture and the mailbox analogy…

  23. Pub-Sub Communications Manipulating messages

  24. Orchestration
     • Responsible for ensuring there are enough concrete instances to serve the requests
     • Possesses complete control over the service instances, making it a valuable target

  25. Service Registry

  26. Service Registry (diagram)
      Service instances: “I’m a new service at 10.0.2.5” / “I’m a new service at 10.0.2.6” / “I’m a new service at 10.0.2.7”
      Client: “Hey, discovery server! Where can I access the ManageWidgets service???”
      Discovery server: “You can access the ManageWidgets service at 10.0.2.5, 10.0.2.6, or 10.0.2.7”
      Rogue instance: “Hey, discovery server! I’m a new instance of the billing service at 10.0.3.5 – send sensitive billing info to me!”

  27. Etcd-anger

  28. Monitoring …in a monolithic application: “I’m still up and running… all is good here.” “No problems here either.”

  29. Monitoring …in a microservices architecture: many instances each report “I’m still up and running… all is good here.” or “No problems here either.” (the same two status messages repeated across every service)

  30. Monitoring Difficulty correlating inbound requests to services that handle the request
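One mitigation for the correlation problem on slide 30, as an added Go example that is not from the deck: inbound middleware that accepts or mints a request ID, logs it, and stores it in the context, plus an http.RoundTripper that forwards the same ID on every outbound service call so each hop's logs can be joined. The X-Request-ID header name, the ID format and the log format are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"log"
	"net/http"
)

// requestIDHeader is an assumed header name (the deck names none); gateways commonly use it.
const requestIDHeader = "X-Request-ID"
type ctxKey struct{}
// newRequestID mints a random 128-bit correlation ID when the edge did not supply one.
func newRequestID() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: Go 1.24+ documents that this never fails
	return hex.EncodeToString(b)
}

// WithRequestID is inbound middleware: reuse the upstream ID if present, otherwise mint one,
// store it in the request context and echo it so the caller's logs can be joined to ours.
func WithRequestID(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.Header.Get(requestIDHeader)
		if id == "" {
			id = newRequestID()
		}
		w.Header().Set(requestIDHeader, id)
		log.Printf("request_id=%s method=%s path=%s", id, r.Method, r.URL.Path) // every log line carries the ID
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, id)))
	})
}

// RequestIDFrom returns the correlation ID stored by WithRequestID, or "" if absent.
func RequestIDFrom(ctx context.Context) string {
	id, _ := ctx.Value(ctxKey{}).(string)
	return id
}

// propagate wraps an http.RoundTripper so every outbound service call carries the inbound ID,
// letting the downstream service's logs be correlated with the request that caused them.
type propagate struct{ next http.RoundTripper }
func (p propagate) RoundTrip(req *http.Request) (*http.Response, error) {
	if id := RequestIDFrom(req.Context()); id != "" {
		req = req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
		req.Header.Set(requestIDHeader, id)
	}
	return p.next.RoundTrip(req)
}
```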

  31. Monitoring A few helpful tools…
     • https://netflix.github.io/
       • Repo containing many open-source tools, including some of Netflix's monitoring solutions
       • Includes the famous Simian Army and Chaos Monkey used to test resilience and monitoring capabilities

  32. So What Microservices are here to stay. Evaluate all the new things. Turn PDFs and governance into code. Help develop security features. Push the tools.

  33. Questions?

  34. Drop us a note tbiehn@synopsys.com bohannon@synopsys.com
