Microservices - a Security Nightmare?

http://gotocon.com/berlin-2015/presentation/Microservices%20-%20A%20Security%20Nightmare?

container-solutions.com

  • attack surface is bigger for microservices
    • more apps
    • different technologies
      • how to keep track of vulnerabilities?
    • internal APIs are exposed over the network
  • security gates
    • security testing
    • fits well with waterfall
    • how to do threat modeling and risk assessment in CD?
  • DevOps vs. Specialists
  • Containers: breakouts possible
  • Microservice system:
    • breaches are limited
    • only the data they need (need to know principle)
    • allows distribution among different network zones
    • AWS: different VPCs for different teams
  • You can secure microservices with SSO
    • OpenID
    • SAML
    • OpenID Connect
      • ID tokens
    • it's good if receiving services can verify the signature by themselves
    • OAuth2
  • The confused deputy problem
  • API gateways can be useful for
    • access control
    • rate limiting
    • HTTPS termination
    • use a WAF only for security-critical services
  • the "zoo" of technologies
    • reduces the risk of one vulnerability compromising the whole system
  • Security in an agile microservice world
  • Important: Mindset and Tooling for "SecOps"
  • Summary
    • see slides


have a look


Thoughts:

  • OAuth service is a bottleneck
    • we should enable clients to check tokens by themselves
  • to tackle on our side:
    • security should be part of the DoD (Definition of Done)
    • run services of different security levels on different hosts
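The thought above about letting clients check tokens themselves, and the earlier point that receiving services should be able to verify the ID token signature on their own, come down to the same thing: verifying the signature and claims locally instead of calling back to the token service on every request. The following Python is an added example, not code from the talk or the slides. It uses HS256 with a constructed shared secret so it runs on the standard library alone; an OpenID Connect deployment would instead hold the issuer's public key (fetched from its JWKS endpoint) and verify an RS256 signature in the same flow. The issuer, audience and secret values are hypothetical. The audience check is what stops a token minted for one service from being accepted by another, which is related to the confused deputy problem noted above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# All values below are constructed for this example.
SECRET = b"example-shared-secret-not-for-production"  # HS256 key shared by issuer and service
EXPECTED_ISSUER = "https://sso.example.internal"       # hypothetical SSO issuer
EXPECTED_AUDIENCE = "orders-service"                   # hypothetical receiving service


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256-signed token; stands in for the SSO / OAuth service."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify a token locally, with no call to the token service.
    Returns the claims on success and raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the 'alg' header is under the sender's control, so an
    # unsigned ("none") or downgraded token is rejected before any other check.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("token not intended for this service")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def is_valid(token: str, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, now=now)
        return True
    except ValueError:
        return False


def self_check(now: float = 1_700_000_000) -> dict:
    """Exercise the verifier against a good token and the common bad ones."""
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice", "exp": now + 300}
    unsigned = (b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
                + b64url_encode(json.dumps(good).encode()) + ".")
    return {
        "valid": is_valid(issue_token(good), now),
        "wrong_key": is_valid(issue_token(good, secret=b"some-other-key"), now),
        "expired": is_valid(issue_token(good), now + 600),
        "other_audience": is_valid(issue_token({**good, "aud": "billing-service"}), now),
        "unsigned": is_valid(unsigned, now),
    }


if __name__ == "__main__":
    print(self_check())
```

Only the token-issuing side needs to change when moving from the shared-secret setup to the public-key one; the receiving service keeps the same pinned-algorithm, signature, issuer, audience and expiry checks, and never has to contact the OAuth service on the request path.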


ToDos

  • Tim Steffens Talk to PI team (image scans, Docker security)
  • Tim Steffens Talk to Peter (image scans, Docker security, rugged software, Docker security book, possibly the speaker from the talk as a consultant)
  • Tim Steffens Check for slides!