Protecting Microservices
using Secure Design Patterns
Trupti Shiralkar
Principal Application Security Engineer, Illumio
Disclaimer
This disclaimer informs readers that the views, thoughts, and opinions expressed
in the presentation belong solely to the author, and not necessarily to the
author’s employer, organization, committee or other group or individual.
About Me
• Mobile game developer turned security professional
- MS In Security Engineering, Johns Hopkins University
- Appsec Lead at Illumio
- Previously worked at Amazon, Q2Ebanking, HP & ATSEC
• When I am not doing security
- Travel
- Paint
- Read
• Yoga Alliance Certified Instructor
- Breathing exercises
- Meditation
Agenda
Part 1: Understanding microservices
Part 2: Microservices security design patterns
Part 3: Serverless application security
Part 4: Application security best practices
Understanding Microservices
● Evolution
● Monolith vs Microservices
● Security pain points
● Overall changing role of security
● Attack example
Evolution of Software Architecture
Monolith vs Microservices
Microservices are not a silver bullet!
Security pain points
● Increased complexity
● Implicit trust is replaced by zero trust among microservices
● Traditional application security assessment cannot match the speed of development & deployment
● Inadequate security tooling can’t detect vulnerabilities in microservices
● Varying technology stack across microservices
Microservices and Changing Role of Security
Cambridge Analytica Scandal
(Flow diagram on the slide; its labels, in order:)
● Third-party FB app "This is your Digital Life"
● 270,000 people opted for FB login
● Facebook Login API provides token
● Conditions: 1. Privacy consent of only direct users; 2. Data collection allowed for research use only
● User data harvested by FB campaign
● 50 million users’ psychological profiles sold to Cambridge Analytica
FB’s over permissive API resulted in data abuse
Security Principles
● Authentication
● Authorization
● Confidentiality
● Privacy
● Resiliency
● Auditing
● Secure communication
● Accounting
● Non-repudiation
● Integrity
Anatomy of security vulnerabilities
• Absence of security features
• Security misconfigurations
• Security defects in implementation
• Insecure operational environments
Microservice Design Patterns
● What are microservice design patterns?
- Microservice design patterns are software design patterns that generate reusable autonomous services.
● Why do we need them?
- The goal for developers using microservices is to accelerate application releases.
● Can we leverage them to achieve security goals?
- Securing patterns/templates is easy
- Templates are reusable
- Automation helps scale security
Design Patterns for Microservices
● Decomposition patterns: Decompose by Business Capability, Decompose by Subdomain, Decompose by Transactions, Strangler Pattern, Bulkhead Pattern, Sidecar Pattern
● Integration patterns: API Gateway Pattern, Aggregator Pattern, Proxy Pattern, Gateway Routing Pattern, Chained Microservice Pattern, Branch Pattern, Client-Side UI Composition Pattern
● Database patterns: Database per Service, Shared Database per Service, CQRS, Event Sourcing, Saga Pattern
● Observability patterns: Log Aggregation, Performance Metrics, Distributed Tracing, Health Check
● Cross-Cutting Concern patterns: External Configuration, Service Discovery Pattern, Circuit Breaker Pattern, Blue-Green Deployment Pattern
Domain Driven Design
Circuit Breaker Design Pattern
Circuit Breaker Pattern
• Handles failure gracefully
• Prevents catastrophic cascading failure across multiple systems
• Good for monitoring, logging and overall recovery
• Fault tolerant
• Resilient
• Example: Netflix's Hystrix library
Attacks
• Breaker to broker - DDoS
• API Gateway can be a single point of failure
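The state machine behind the pattern, as an added illustration (not Hystrix and not code from the slides): failures past a threshold open the circuit so callers fail fast instead of piling requests onto a struggling dependency, and a single probe after a recovery timeout decides whether to close it again. The clock is injectable so the demo runs deterministically.

```python
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # calls pass through; consecutive failures are counted
    OPEN = "open"            # calls are rejected at once (fail fast, no cascade)
    HALF_OPEN = "half_open"  # one probe call is allowed to test recovery


class CircuitOpenError(RuntimeError):
    """Raised instead of calling the dependency while the circuit is open."""


class CircuitBreaker:
    """Hypothetical breaker for illustration (not Hystrix); thresholds are parameters."""

    def __init__(self, failure_threshold=3, recovery_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self._clock = clock          # injectable so the demo below is deterministic
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = None

    def _current_state(self):
        # OPEN -> HALF_OPEN once the recovery timeout has elapsed.
        if self.state is State.OPEN and self._clock() - self.opened_at >= self.recovery_timeout:
            self.state = State.HALF_OPEN
        return self.state

    def call(self, func, *args, **kwargs):
        if self._current_state() is State.OPEN:
            raise CircuitOpenError("dependency call rejected: circuit is open")
        try:
            result = func(*args, **kwargs)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        # A failed probe in HALF_OPEN re-opens immediately; CLOSED waits for the threshold.
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = self._clock()

    def _on_success(self):
        self.failures = 0
        self.state = State.CLOSED


def demo_cascade_protection():
    """Drive the breaker with a fake clock against a dependency that is down, then
    recovers. Returns the observed (state, outcome) pairs."""
    now = [0.0]
    healthy = [False]
    breaker = CircuitBreaker(failure_threshold=2, recovery_timeout=10.0, clock=lambda: now[0])

    def dependency():
        if not healthy[0]:
            raise ConnectionError("downstream timed out")
        return "ok"

    observed = []
    for _ in range(3):  # two failures trip the breaker; the third call never reaches the dependency
        try:
            breaker.call(dependency)
        except (ConnectionError, CircuitOpenError) as exc:
            observed.append((breaker.state.value, type(exc).__name__))
    now[0] += 10.0      # recovery timeout elapses, next call is the HALF_OPEN probe
    healthy[0] = True
    observed.append((breaker.call(dependency), breaker.state.value))
    return observed


def half_open_probe_failure_reopens():
    """A failed probe in HALF_OPEN must re-open the circuit immediately."""
    now = [0.0]
    breaker = CircuitBreaker(failure_threshold=1, recovery_timeout=5.0, clock=lambda: now[0])

    def broken():
        raise ConnectionError("still down")

    for t in (0.0, 5.0):
        now[0] = t
        try:
            breaker.call(broken)
        except ConnectionError:
            pass
    return breaker.state is State.OPEN and breaker.opened_at == 5.0
```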
API Gateway
• Login (IAM)
• DoS protection
• API authorization
• Routing of requests
• Throttling, API rate limiting & load balancing
• HTTPS endpoints
• Security and resiliency monitoring
• Logging and auditing
• Caching for better latency
Attacks
• Layer 7 DDoS with counterfeit requests
• DDoS with cascading requests
• Layer 3 DDoS with SYN flood
• Login/identity attacks
• Static API key abuse
• Common web application attacks like XSS, SQLi
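An added example of the gateway's front-door duties listed above, assuming a hypothetical `Gateway` class (not code from the slides): every request is first authenticated by API key (only key fingerprints are stored), then throttled with a per-key token bucket so a burst from one client is answered with 429 instead of reaching the backend.

```python
import hashlib
import time


class TokenBucket:
    """Per-client bucket holding up to `capacity` tokens, refilled at `rate` per second."""

    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = float(capacity), float(rate)
        self.tokens, self.updated = float(capacity), now

    def allow(self, now, cost=1.0):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Gateway:
    """Hypothetical gateway front door: authenticate the API key, then throttle per key."""

    def __init__(self, key_fingerprints, capacity=5, rate=1.0):
        # Only SHA-256 fingerprints of issued keys are kept; a leaked table reveals no keys.
        self._known = set(key_fingerprints)
        self._capacity, self._rate = capacity, rate
        self._buckets = {}

    @staticmethod
    def fingerprint(api_key):
        return hashlib.sha256(api_key.encode()).hexdigest()

    def handle(self, request, now=None):
        now = time.monotonic() if now is None else now
        api_key = request.get("headers", {}).get("X-API-Key")
        if not api_key:
            return 401, "missing API key"
        fp = self.fingerprint(api_key)
        if fp not in self._known:
            return 401, "unknown API key"          # rejected before any bucket is created
        bucket = self._buckets.setdefault(fp, TokenBucket(self._capacity, self._rate, now))
        if not bucket.allow(now):
            return 429, "rate limit exceeded"       # burst absorbed here; the backend never sees it
        return 200, "routed to backend: " + request["path"]


def demo_burst():
    """Constructed traffic: a valid client sends 7 requests at t=0 and one more at t=2,
    then a request with a guessed key follows. Returns the status codes in order."""
    valid_key = "constructed-demo-key"   # constructed sample key, not a real credential
    gw = Gateway({Gateway.fingerprint(valid_key)}, capacity=5, rate=1.0)
    ok = {"path": "/v1/orders", "headers": {"X-API-Key": valid_key}}
    bad = {"path": "/v1/orders", "headers": {"X-API-Key": "guess"}}
    statuses = [gw.handle(ok, now=0.0)[0] for _ in range(7)]
    statuses.append(gw.handle(ok, now=2.0)[0])   # two tokens refilled after 2 s
    statuses.append(gw.handle(bad, now=2.0)[0])
    return statuses
```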
JSON Web Token
• Authentication of APIs
• Authorization with each request
• Service to service authentication
• Service to service communication
• Attacks
- JWT replay attack
- JWT signing algorithm misconfiguration (alg "none")
- JWT information leakage
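Added example, not code from the slides, of a JWT verifier that closes the replay and "none"-algorithm paths listed above and also rejects a tampered payload; it assumes a shared HMAC key (HS256) and constructed claims, and implements the checks with the standard library rather than a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(ValueError):
    """Any verification failure; callers treat every variant as 401."""


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims, key):
    """Issue a compact HS256 JWT (used here only to build the demo tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class JwtVerifier:
    """Verifier with an algorithm allow-list, mandatory exp/aud, and a jti replay cache."""

    ALLOWED_ALGS = {"HS256"}

    def __init__(self, key, audience, clock=time.time):
        self._key, self._audience, self._clock = key, audience, clock
        self._seen_jti = {}  # jti -> exp; an entry is dropped once its token has expired

    def verify(self, token):
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_b64url_decode(h64))
            claims = json.loads(_b64url_decode(p64))
        except (ValueError, UnicodeDecodeError) as exc:
            raise TokenError("malformed token") from exc
        # 1. The header is untrusted input: "none" or any algorithm outside the
        #    allow-list is rejected before any signature logic runs.
        if header.get("alg") not in self.ALLOWED_ALGS:
            raise TokenError("disallowed alg: %r" % header.get("alg"))
        expected = hmac.new(self._key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise TokenError("bad signature")
        now = self._clock()
        # 2. Expiry and audience are mandatory, so a token cannot live forever
        #    or be presented to a service it was not minted for.
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            raise TokenError("expired or missing exp")
        if claims.get("aud") != self._audience:
            raise TokenError("wrong audience")
        # 3. Replay: each jti is honoured once; the cache only has to remember
        #    ids until their own exp passes.
        jti = claims.get("jti")
        if not jti:
            raise TokenError("missing jti")
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}
        if jti in self._seen_jti:
            raise TokenError("replayed token")
        self._seen_jti[jti] = claims["exp"]
        return claims


def demo_attacks():
    """Constructed key, clock and claims; returns which check rejected each bad token."""
    key = b"constructed-demo-secret"   # constructed, not a real secret
    now = [1_000_000.0]
    v = JwtVerifier(key, audience="orders-svc", clock=lambda: now[0])
    good = sign_hs256({"sub": "svc-a", "aud": "orders-svc", "jti": "n1", "exp": now[0] + 60}, key)
    h64, p64, s64 = good.split(".")
    forged = _b64url_encode(json.dumps({"sub": "admin", "aud": "orders-svc", "jti": "n2", "exp": now[0] + 60}).encode())
    outcomes = {"first_use": v.verify(good)["sub"]}
    for label, token in [
        ("replay", good),                                              # same jti presented twice
        ("alg_none", _b64url_encode(b'{"alg":"none"}') + "." + p64 + "."),  # unsigned header swap
        ("tampered", h64 + "." + forged + "." + s64),                  # payload swapped, old signature
    ]:
        try:
            v.verify(token)
            outcomes[label] = "accepted"
        except TokenError as exc:
            outcomes[label] = str(exc).split(":")[0]
    now[0] += 61                                                       # clock moves past exp
    try:
        v.verify(good)
        outcomes["expired"] = "accepted"
    except TokenError as exc:
        outcomes["expired"] = str(exc)
    return outcomes
```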
Service Mesh Design Pattern
Service Mesh
• Inter-service communication infrastructure
• Authentication and authorization of services
• mTLS for inter-service communication
• Enforcing security policies
Attacks
• Security misconfigurations
• Increased complexity
Log Aggregator Design Pattern
Log Aggregator
• Collection of all logs
• Real-time monitoring of anomaly patterns (deviation from the regular pattern)
• Automated notification
Attacks
• Logging sensitive information
• Unauthorized access to logs
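Added example, not from the slides: constructed JSON log lines are scrubbed of secrets before they reach the aggregator (the "logging sensitive information" risk above), and the stored records are then checked for the deviation from the regular pattern the slide describes, here an unusual count of 401s from one client. The redaction patterns and the anomaly threshold are illustrative assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the one-JSON-object-per-line shape each service would emit.
SAMPLE_LOGS = [
    '{"ts": 100, "svc": "auth", "client": "10.0.0.5", "status": 401, "msg": "login failed for bob@example.com"}',
    '{"ts": 101, "svc": "auth", "client": "10.0.0.5", "status": 401, "msg": "login failed for bob@example.com"}',
    '{"ts": 102, "svc": "auth", "client": "10.0.0.5", "status": 401, "msg": "login failed for bob@example.com"}',
    '{"ts": 103, "svc": "auth", "client": "10.0.0.5", "status": 401, "msg": "login failed for bob@example.com"}',
    '{"ts": 104, "svc": "orders", "client": "10.0.0.7", "status": 200, "msg": "GET /orders Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig", "password": "hunter2"}',
    '{"ts": 105, "svc": "payments", "client": "10.0.0.9", "status": 401, "msg": "card 4111111111111111 declined"}',
    '{"ts": 106, "svc": "orders", "client": "10.0.0.7", "status": 200, "msg": "config loaded api_key=sk_constructed_123 ok"}',
]

# Patterns for secrets that tend to leak through free-text messages (illustrative, not exhaustive).
SECRET_PATTERNS = [
    (re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),     # bearer tokens / JWTs
    (re.compile(r"\b\d{13,16}\b"), "[PAN]"),                               # card numbers
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),                   # personal data
    (re.compile(r'("?(?:password|api_key|secret)"?\s*[:=]\s*"?)[^",\s]+'), r"\1[REDACTED]"),
]
SENSITIVE_KEYS = {"password", "api_key", "secret", "token"}   # structured fields dropped whole


def redact(record):
    """Scrub one parsed record before it leaves the service; returns a new dict."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, str):
            for pattern, repl in SECRET_PATTERNS:
                value = pattern.sub(repl, value)
            clean[key] = value
        else:
            clean[key] = value
    return clean


def ingest(lines):
    """What the aggregator stores: parsed and redacted records."""
    return [redact(json.loads(line)) for line in lines]


def auth_failure_anomalies(records, baseline=1, factor=3):
    """Deviation from the regular pattern: clients whose 401 count exceeds
    `factor` times the per-client baseline seen in a normal window."""
    counts = Counter(r["client"] for r in records if r.get("status") == 401)
    return sorted(client for client, n in counts.items() if n > baseline * factor)
```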
Secure Communication
TLS Attacks:
• ROBOT (1998-2017)
• EC DRBG Backdoor (2007-2013)
• Lucky 13 (2013)
• BEAST (2013)
• POODLE (2014)
• Heartbleed (2014)
• Logjam (2015)
• FREAK (2015)
• DROWN (2016)
Security Best Practices
• Do not use insecure SSL/TLS protocol versions (SSLv3, TLS 1.0, TLS 1.1)
• Use ciphers with 120+ bits of cryptographic strength (AES-256, RSA 2048, SHA-256 or stronger)
• Crypto agility
• Mutual TLS
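Added example (assumes Python's standard `ssl` module; not code from the slides): a server context for inter-service traffic that enforces the four practices above, plus an `audit` helper that reports what the context would actually negotiate, which is what crypto agility needs when a suite has to be retired.

```python
import ssl


def hardened_server_context(require_client_cert=True):
    """Server context implementing the slide's rules. Loading the certificate chain
    and the client CA (load_cert_chain, load_verify_locations) is left to the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Rule 1: SSLv3, TLS 1.0 and TLS 1.1 are never negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Rule 2: only forward-secret AEAD suites of 128 bits or more; legacy algorithms
    # are excluded explicitly so an OpenSSL default cannot reintroduce them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    # Rule 4: mutual TLS, the peer must present a certificate we can verify.
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit(ctx):
    """Rule 3 (crypto agility) needs visibility: report what the context would
    actually negotiate rather than what the configuration was meant to say."""
    legacy = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
              "TLSv1_1": ssl.TLSVersion.TLSv1_1}
    return {
        "min_version": ctx.minimum_version.name,
        "legacy_rejected": sorted(n for n, v in legacy.items() if v < ctx.minimum_version),
        # weakest symmetric strength among the suites the context still offers
        "weakest_bits": min(c["strength_bits"] for c in ctx.get_ciphers()),
        "mutual_tls": ctx.verify_mode == ssl.CERT_REQUIRED,
    }
```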
Input and Output Validation
Secure handling and storage of Secrets
Advantages of using design patterns
● Inbuilt security functionalities
● Reduce Attack Surface
● Smaller functionality
● Layered Security/Defense in depth
● Simpler code structure
● Faster remediation
● Containerized deployments
Attack - Capital One Breach
1. Insecure AWS metadata service
2. Obtained credentials of the ****_WAF-Role
3. List S3 buckets
4. Sync buckets
Third-Party ModSecurity Firewall
Over permissive AWS Metadata Service
Role of microsegmentation in microservices
● Container Security Challenges
● Insufficient protection by traditional Network Zoning
● Host based microsegmentation
● Microsegmentation of microservices
a. Cluster level
b. Pod level
c. Container level
Serverless Security
Serverless applications, or Function as a Service (FaaS), are event-driven cloud-based systems where application development relies solely on a combination of third-party services, client-side logic and cloud-hosted remote procedure calls.
Reality of Serverless Security
OWASP vulnerabilities are still applicable:
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring
Security Scanning within CI/CD
Security Testing of Microservices
● Security unit test cases
● Abuse test cases
● Build scanners for detecting common application security vulnerabilities
Best Practices
● Appsec best practices
● Appsec assessment tooling
● Container security
Application security best practices
● Zero trust for code, applications, interprocess communications, configurations and networks
● Secure coding conventions must be followed
● Data in transit must be secured using mTLS
● Secrets must be stored and managed using a secret store
● Generate logs, perform auditing and monitoring, use a SIEM
● Stay on top of known CVEs in third-party open source libraries
● Container and orchestration security
- CIS benchmark
- Clair
- Dagda
- Anchore
- KubeSec
- Kubehunter
● Adopt modern appsec tooling
- Interactive Application Security Testing (IAST)
- Real Time Application Security Protection (RASP)
- Application whitelisting
- Microsegmentation
Conclusion
● Begin with zero trust by default
● Earn trust as you validate the authenticity of microservices
● Vetted microservice design patterns foster security
● Automating appsec tools promotes shift-left security transformation
● Threat modeling is priceless
● Classic appsec attacks are still applicable
● Be open minded about modern security tooling
● Micro-segmentation increases resiliency
● Secure the complete stack, not just microservices
References
● Chris Richardson
● Sam Newman
● Prabath Siriwardena
● Nuwan Dias
● Jim Manico & many contributors
Questions?
Contact: s.trupts@gmail.com
