SlideShare a Scribd company logo

Zerotrusting serverless applications protecting microservices using secure design patterns 3.0

Trupti Shiralkar, CISSP, profile picture
Trupti Shiralkar, CISSP

Trupti Shiralkar presented on securing serverless applications and microservices. She began with an overview of serverless architectures and microservices, noting the evolution from monoliths and increased security challenges from complexity and dynamic interactions. She then analyzed common microservices security design patterns like API gateways, JSON web tokens, circuit breakers, service meshes, and log aggregators. Finally, she discussed best practices for securing serverless applications, including zero trust, input/output validation, secret handling, security scanning in CI/CD, and conclusion security testing. The presentation provided context on serverless architectures and microservices before analyzing related security patterns and recommendations.

Engineering
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Zerotrusting Serverless Applications: Protecting Microservices using Secure Design Patterns Trupti Shiralkar
About Me • Principal Application Security Engineer, Illumio • Mobile game developer turned security professional - MS In Security Engineering, Johns Hopkins University - Previously worked at Amazon, Q2Ebanking, HP & ATSEC • When I am not doing security - Travel - Paint • Yoga Alliance Certified Instructor - Breathing exercises - Meditation Twitter: @tshiralkar LinkedIn: https://www.linkedin.com/in/trupti-shiralkar-0a085a8/ Email: s.trupts@gmail.com
Agenda ● Understanding serverless applications and microservices ● Analyzing microservices security design patterns ● Securing serverless applications and microservices
Understanding Serverless and Microservices ● Evolution ● Security pain points ● Overall changing role of security
Evolution of Software Architecture
What exactly is serverless ? Serverless Ecosystem Serverless Functions (AWS Lambda) Serverless Applications (AWS dynamo DB) Serverless Containers AWS (Fargate) • No management of servers • Operational tasks done by cloud provider • Event driven • Stateless • Short lived • On demand scalable • Pay as you use
Monolith vs Microservices vs Serverless Attributes Monolith Microservices Serverless Modularity Tightly coupled Loosely coupled Loosely coupled Interservice Communication Smart pipes, heavy weight protocol, SOAP Dumb pipes, lightweight protocols such as REST and gRPC REST APIs Data Global data model, shared database Data model and database per service Data model per function, ephemeral Typical Service Giant Monolith Application Small independent Services Short lived, event driven, stateless, pay as you used functions Deployment slow faster Super fast
Microservices are not silver bullet! Credit: KRAZAM
Security pain points ● Increased complexity ● Implicit trust is dangerous ● Static vs Dynamic Order of API calls ● Serverless attack surface is unknown ● Inadequate security tooling can’t detect vulnerabilities in microservices ● Traditional application security lacks the speed of development & deployment
OWASP vulnerabilities are still applicable ● A1: Injection ● A2: broken Authentication ● A3: Sensitive Data Exposure ● A4: XML External Entities ● A5: Broken Authentication ● A6: Security Misconfiguration ● A7: Cross-Site Scripting (XSS) ● A8: Insecure Deserialization ● A9: Using components with known Vulnerabilities ● A10: Insufficient Logging & Monitoring
AWS Lambda Available since 2014 Code Injection Access Bypass - CVE- 2015-3373 Command Injection- CVE- 2019-10777 ● Debugging through logging ● Limited testing ● Temp data leakage ● Misconfigured IAM policies using wildcards ● Command Injection in CLI tool of AWS- Lambda
Changing role of security
Microservice Design Patterns ● What are microservice design patterns? ● Why do we need it? ● Can we leverage them to achieve security goals?
Design Patterns for Microservices Decomposition patterns Integration patterns Database patterns Observability patterns Cross-Cutting Concern patterns Decompose by Business Capability Decompose by Subdomain Decompose by Transactions Strangler Pattern Bulkhead Pattern Sidecar Pattern API Gateway Pattern Aggregator Pattern Proxy Pattern Gateway Routing Pattern Chained Microservice Pattern Branch Pattern Client-Side UI Composition Pattern Database per Service Shared Database per Service CQRS Event Sourcing Saga Pattern Log Aggregation Performance Metrics Distributed Tracing Health Check External Configuration Service Discovery Pattern Circuit Breaker Pattern Blue-Green Deployment Pattern Image credit: https://medium.com/@madhukaudantha/microservice- architecture-and-design-patterns-for-microservices-e0e5013fd58a
API Gateway API Gateway • Login (IAM) • DOS protection • API Authorization • Routing of Request • Throttling, API rate limit & load balancing • HTTPS endpoints • Security and resiliency monitoring • Logging and auditing • Caching for better latency Still vulnerable to attacks • Layer 7 DDOS with counterfeit requests • DDOS with cascading requests • Layer 3 DDOS with syn flood • Implementation specific Login/Identity attacks • Static API key abuse • Common web application attacks like XSS, SQLi
JSON Web Token • Authentication of APIs • Authorization with each request • Service to service authentication • Service to service communication • Vulnerable to implementation attacks - JWT cipher misconfiguration (none) - JWT reply attack (jti) - JWT information leakage
Circuit Breaker Design Pattern Circuit Breaker Pattern • Handles failure gracefully • Prevents catastrophic cascading failure across multiple systems • Good for monitoring, logging and overall recovery • Fault tolerant • Resilient • Example: Netflix's Hystrix library Attacks • Breaker to broker- DDOS • API Gateway can be single point of failure
Service Mesh Design Pattern Service Mesh • Inter-service communication infrastructure • Authentication and authorization of services • mTLS for inter-service communication • Enforcing security policies Vulnerable to attacks • Security misconfigurations • Increased complexity
Log Aggregator Design Pattern Log Aggregator • Collection of all logs • Real time monitoring of anomaly patterns (deviation from regular pattern) • Automated notification Limitations + Attacks • Correlation of logs across microservice • Logging sensitive information • Unauthorized access to logs
Securing Serverless Applications and Microservices ● Security best practices ● Security scanning and tooling
Security best practices ● Zero trust everything (code, applications, inter-process communications, configurations, networks ) ● Select encryption at rest wisely ● Secure coding convention must be followed ● Generate logs, perform auditing and monitoring, use SIEM ● Stay on top of 3rd party known CVEs associated with open source libraries ● Involve your security team early
Secure Communication TLS Attacks: • ROBOT (1998-2017) • EC DRBG Backdoor (2007-2013) • Lucky 13 (2013) • BEAST (2013) • POODLE (2014) • Heartbleed (2014) • Logjam (2015) • FREAK (2015) • DROWN (2016) Security Best Practices • Do not use insecure SSL protocols (SSLv3, TLS 1.0, TLS 1.1) • Use cipher with 128+ bit of cryptographic strength (AES-256, RSA 2048, SHA-256 +) • Crypto agility (plan for TLS 1.3) • Mutual TLS
Input and Output Validation
Secure handling and storage of Secrets
Security Scanning within CI/CD Containers and Orchestration security - CIS benchmark - Clair - Dagda - Anchore - KubeSec - Kubehunter (RASP) - DAST - IAST
Security Testing of Microservices ● Security unit test cases ● Perform threat model to abuse cases ● Build scanners for detecting common application security vulnerabilities
Conclusion ● Begin with Zerotrust by default ● Earn trust as you validate the authenticity of serverless applications ● Vetted microservice design patterns foster security ● Classic AppSec attacks are still applicable ● Be open minded about modern security tooling ● Automating AppSec tools promote shift left security transformation ● Threat Modeling is priceless ● Secure the complete stack and not just microservices
References Chris Richardson Sam Newman Prabhat Siriwardena Newan Dias Jim Manico & many contributors Heather Adkins Bestsy Beyer Paul Blankinship Piotr Lewandowski Oprea & Adam Stubblefield
Questions? Twitter: @tshiralkar LinkedIn: https://www.linkedin.com/in/trupti-shiralkar-0a085a8/ Email: s.trupts@gmail.com

More Related Content

PDF
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
PDF
Pki 201 Key Management
NCC Group
 
PDF
Cryptography101
NCC Group
 
PPTX
Attacking VPN's
n|u - The Open Security Community
 
PDF
Ch 6: Attacking Authentication
Sam Bowne
 
PDF
CNIT 128 3. Attacking iOS Applications (Part 1)
Sam Bowne
 
PPTX
Slide Deck – Session 9 – FRSecure CISSP
FRSecure
 
PDF
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
Pki 201 Key Management
NCC Group
 
Cryptography101
NCC Group
 
Attacking VPN's
n|u - The Open Security Community
 
Ch 6: Attacking Authentication
Sam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 1)
Sam Bowne
 
Slide Deck – Session 9 – FRSecure CISSP
FRSecure
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 

What's hot (20)

PPTX
Bypass Security Checking with Frida
Satria Ady Pradana
 
PPTX
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
PPTX
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
PDF
Network Security in 2016
Qrator Labs
 
PDF
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
PDF
Heartbleed && Wireless
Luis Grangeia
 
PPTX
Secure application deployment in Apache CloudStack
Tim Mackey
 
PDF
Real World Application Threat Modelling By Example
NCC Group
 
PPTX
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PPTX
Malware for Red Team
Satria Ady Pradana
 
PDF
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
PPTX
Security in the Age of Open Source
Black Duck by Synopsys
 
PPTX
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
PPTX
How to write secure code
Flaskdata.io
 
PDF
IT security for all. Bootcamp slides
Wallarm
 
PDF
NGINX User Summit. Wallarm llightning talk
Wallarm
 
PPTX
Slide Deck – Session 7 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PDF
Slide Deck CISSP Class Session 6
FRSecure
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
PPTX
Certificate pinning in android applications
Arash Ramez
 
Bypass Security Checking with Frida
Satria Ady Pradana
 
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
Network Security in 2016
Qrator Labs
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
Heartbleed && Wireless
Luis Grangeia
 
Secure application deployment in Apache CloudStack
Tim Mackey
 
Real World Application Threat Modelling By Example
NCC Group
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Malware for Red Team
Satria Ady Pradana
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
Security in the Age of Open Source
Black Duck by Synopsys
 
Continuous Automated Red Teaming (CART) - Bikash Barai
AllanGray11
 
How to write secure code
Flaskdata.io
 
IT security for all. Bootcamp slides
Wallarm
 
NGINX User Summit. Wallarm llightning talk
Wallarm
 
Slide Deck – Session 7 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Slide Deck CISSP Class Session 6
FRSecure
 
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
Certificate pinning in android applications
Arash Ramez
 
Ad

Similar to Zerotrusting serverless applications protecting microservices using secure design patterns 3.0 (20)

PDF
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
PDF
Serverless security - how to protect what you don't see?
Sqreen
 
PDF
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays
 
PPTX
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
PPTX
Fundamentals of Microsoft 365 Security , Identity and Compliance
Vignesh Ganesan I Microsoft MVP
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
PDF
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
PDF
Hardening Microservices Security: Building a Layered Defense Strategy
Cloudflare
 
PPTX
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
PPTX
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps for Enterprise Systems
 
PDF
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
 
PDF
Securing DevOps through Privileged Access Management
BeyondTrust
 
PDF
Daniel Grabski | Microsofts cybersecurity story
Microsoft Österreich
 
PDF
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
PDF
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
PPTX
Security Architecture Best Practices for SaaS Applications
Techcello
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
PPTX
Starting your Career in Information Security
Ahmed Sayed-
 
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
Serverless security - how to protect what you don't see?
Sqreen
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays
 
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Vignesh Ganesan I Microsoft MVP
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
Hardening Microservices Security: Building a Layered Defense Strategy
Cloudflare
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps for Enterprise Systems
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
 
Securing DevOps through Privileged Access Management
BeyondTrust
 
Daniel Grabski | Microsofts cybersecurity story
Microsoft Österreich
 
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
Security Architecture Best Practices for SaaS Applications
Techcello
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Starting your Career in Information Security
Ahmed Sayed-
 
Ad

More from Trupti Shiralkar, CISSP (11)

PDF
Gratitude Ignites, Growth Fortifies: Building an unbreakable cyber security V...
Trupti Shiralkar, CISSP
 
PDF
Guardians and Glitches: Navigating the Duality of Gen AI in AppSec
Trupti Shiralkar, CISSP
 
PPTX
IKIGAI for security professionals B sides Seattle.pptx
Trupti Shiralkar, CISSP
 
PDF
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Trupti Shiralkar, CISSP
 
PDF
Self-care, breathing exercises, meditation
Trupti Shiralkar, CISSP
 
PDF
Cloud Security Trends.pdf
Trupti Shiralkar, CISSP
 
PDF
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
PDF
The Road Less Traveled: Use-cases, Challenges, and Solutions of Homomorphic E...
Trupti Shiralkar, CISSP
 
PDF
Security evaluation of_libraries_lascon_2017_v2
Trupti Shiralkar, CISSP
 
PDF
Purple team strategy_lascon_2016
Trupti Shiralkar, CISSP
 
PDF
Security evaluation of_libraries_lascon_2017_v2
Trupti Shiralkar, CISSP
 
Gratitude Ignites, Growth Fortifies: Building an unbreakable cyber security V...
Trupti Shiralkar, CISSP
 
Guardians and Glitches: Navigating the Duality of Gen AI in AppSec
Trupti Shiralkar, CISSP
 
IKIGAI for security professionals B sides Seattle.pptx
Trupti Shiralkar, CISSP
 
Tru_Shiralkar_Gen AI Sec_ ISACA 2024.pdf
Trupti Shiralkar, CISSP
 
Self-care, breathing exercises, meditation
Trupti Shiralkar, CISSP
 
Cloud Security Trends.pdf
Trupti Shiralkar, CISSP
 
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
The Road Less Traveled: Use-cases, Challenges, and Solutions of Homomorphic E...
Trupti Shiralkar, CISSP
 
Security evaluation of_libraries_lascon_2017_v2
Trupti Shiralkar, CISSP
 
Purple team strategy_lascon_2016
Trupti Shiralkar, CISSP
 
Security evaluation of_libraries_lascon_2017_v2
Trupti Shiralkar, CISSP
 

Recently uploaded (20)

PPTX
Fluid Mechanics, Module 3: Basics of Fluid Mechanics
Dr. Rahul Kumar
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PPTX
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
PPTX
Road Safety tips for School Kids by a k maurya.pptx
akhileshakm
 
PPTX
ANIMAL INTERVENTION WARNING SYSTEM (4).pptx
dodultrongaming
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
composite construction of structures.pdf
AinieButt1
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
anatomy of limbus and anterior chamber .pptx
ZePowe
 
PPT
Chapter 6 Design in software Engineeing.ppt
RahulBhole12
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
PDF
Unit 4 Tunnel Engineering in Civil .pdf
D. Y. Patil College of Engineering & Technology, Kolhapur, Maharastra, India
 
PPTX
web development for engineering and engineering
keshriji700
 
PDF
Unit 5 Alignment of Tunnel in Civil .pdf
D. Y. Patil College of Engineering & Technology, Kolhapur, Maharastra, India
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PDF
ETO & MEO Certificate of Competency Questions and Answers
Mahmoud Moghtaderi
 
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
PPTX
AgentX UiPath Community Webinar series - Delhi
RohitRadhakrishnan8
 
Fluid Mechanics, Module 3: Basics of Fluid Mechanics
Dr. Rahul Kumar
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
Road Safety tips for School Kids by a k maurya.pptx
akhileshakm
 
ANIMAL INTERVENTION WARNING SYSTEM (4).pptx
dodultrongaming
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
composite construction of structures.pdf
AinieButt1
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Project quality management in manufacturing
BarMusaTetik
 
anatomy of limbus and anterior chamber .pptx
ZePowe
 
Chapter 6 Design in software Engineeing.ppt
RahulBhole12
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
Unit 4 Tunnel Engineering in Civil .pdf
D. Y. Patil College of Engineering & Technology, Kolhapur, Maharastra, India
 
web development for engineering and engineering
keshriji700
 
Unit 5 Alignment of Tunnel in Civil .pdf
D. Y. Patil College of Engineering & Technology, Kolhapur, Maharastra, India
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
ETO & MEO Certificate of Competency Questions and Answers
Mahmoud Moghtaderi
 
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
AgentX UiPath Community Webinar series - Delhi
RohitRadhakrishnan8
 

Zerotrusting serverless applications protecting microservices using secure design patterns 3.0

  • 1. Zerotrusting Serverless Applications: Protecting Microservices using Secure Design Patterns Trupti Shiralkar
  • 2. About Me • Principal Application Security Engineer, Illumio • Mobile game developer turned security professional - MS In Security Engineering, Johns Hopkins University - Previously worked at Amazon, Q2Ebanking, HP & ATSEC • When I am not doing security - Travel - Paint • Yoga Alliance Certified Instructor - Breathing exercises - Meditation Twitter: @tshiralkar LinkedIn: https://www.linkedin.com/in/trupti-shiralkar-0a085a8/ Email: [email protected]
  • 3. Agenda ● Understanding serverless applications and microservices ● Analyzing microservices security design patterns ● Securing serverless applications and microservices
  • 4. Understanding Serverless and Microservices ● Evolution ● Security pain points ● Overall changing role of security
  • 5. Evolution of Software Architecture
  • 6. What exactly is serverless ? Serverless Ecosystem Serverless Functions (AWS Lambda) Serverless Applications (AWS dynamo DB) Serverless Containers AWS (Fargate) • No management of servers • Operational tasks done by cloud provider • Event driven • Stateless • Short lived • On demand scalable • Pay as you use
  • 7. Monolith vs Microservices vs Serverless Attributes Monolith Microservices Serverless Modularity Tightly coupled Loosely coupled Loosely coupled Interservice Communication Smart pipes, heavy weight protocol, SOAP Dumb pipes, lightweight protocols such as REST and gRPC REST APIs Data Global data model, shared database Data model and database per service Data model per function, ephemeral Typical Service Giant Monolith Application Small independent Services Short lived, event driven, stateless, pay as you used functions Deployment slow faster Super fast
  • 8. Microservices are not silver bullet! Credit: KRAZAM
  • 9. Security pain points ● Increased complexity ● Implicit trust is dangerous ● Static vs Dynamic Order of API calls ● Serverless attack surface is unknown ● Inadequate security tooling can’t detect vulnerabilities in microservices ● Traditional application security lacks the speed of development & deployment
  • 10. OWASP vulnerabilities are still applicable ● A1: Injection ● A2: broken Authentication ● A3: Sensitive Data Exposure ● A4: XML External Entities ● A5: Broken Authentication ● A6: Security Misconfiguration ● A7: Cross-Site Scripting (XSS) ● A8: Insecure Deserialization ● A9: Using components with known Vulnerabilities ● A10: Insufficient Logging & Monitoring
  • 11. AWS Lambda Available since 2014 Code Injection Access Bypass - CVE- 2015-3373 Command Injection- CVE- 2019-10777 ● Debugging through logging ● Limited testing ● Temp data leakage ● Misconfigured IAM policies using wildcards ● Command Injection in CLI tool of AWS- Lambda
  • 12. Changing role of security
  • 13. Microservice Design Patterns ● What are microservice design patterns? ● Why do we need it? ● Can we leverage them to achieve security goals?
  • 14. Design Patterns for Microservices Decomposition patterns Integration patterns Database patterns Observability patterns Cross-Cutting Concern patterns Decompose by Business Capability Decompose by Subdomain Decompose by Transactions Strangler Pattern Bulkhead Pattern Sidecar Pattern API Gateway Pattern Aggregator Pattern Proxy Pattern Gateway Routing Pattern Chained Microservice Pattern Branch Pattern Client-Side UI Composition Pattern Database per Service Shared Database per Service CQRS Event Sourcing Saga Pattern Log Aggregation Performance Metrics Distributed Tracing Health Check External Configuration Service Discovery Pattern Circuit Breaker Pattern Blue-Green Deployment Pattern Image credit: https://medium.com/@madhukaudantha/microservice- architecture-and-design-patterns-for-microservices-e0e5013fd58a
  • 15. API Gateway API Gateway • Login (IAM) • DOS protection • API Authorization • Routing of Request • Throttling, API rate limit & load balancing • HTTPS endpoints • Security and resiliency monitoring • Logging and auditing • Caching for better latency Still vulnerable to attacks • Layer 7 DDOS with counterfeit requests • DDOS with cascading requests • Layer 3 DDOS with syn flood • Implementation specific Login/Identity attacks • Static API key abuse • Common web application attacks like XSS, SQLi
  • 16. JSON Web Token • Authentication of APIs • Authorization with each request • Service to service authentication • Service to service communication • Vulnerable to implementation attacks - JWT cipher misconfiguration (none) - JWT reply attack (jti) - JWT information leakage
  • 17. Circuit Breaker Design Pattern Circuit Breaker Pattern • Handles failure gracefully • Prevents catastrophic cascading failure across multiple systems • Good for monitoring, logging and overall recovery • Fault tolerant • Resilient • Example: Netflix's Hystrix library Attacks • Breaker to broker- DDOS • API Gateway can be single point of failure
  • 18. Service Mesh Design Pattern Service Mesh • Inter-service communication infrastructure • Authentication and authorization of services • mTLS for inter-service communication • Enforcing security policies Vulnerable to attacks • Security misconfigurations • Increased complexity
  • 19. Log Aggregator Design Pattern Log Aggregator • Collection of all logs • Real time monitoring of anomaly patterns (deviation from regular pattern) • Automated notification Limitations + Attacks • Correlation of logs across microservice • Logging sensitive information • Unauthorized access to logs
  • 20. Securing Serverless Applications and Microservices ● Security best practices ● Security scanning and tooling
  • 21. Security best practices ● Zero trust everything (code, applications, inter-process communications, configurations, networks ) ● Select encryption at rest wisely ● Secure coding convention must be followed ● Generate logs, perform auditing and monitoring, use SIEM ● Stay on top of 3rd party known CVEs associated with open source libraries ● Involve your security team early
  • 22. Secure Communication TLS Attacks: • ROBOT (1998-2017) • EC DRBG Backdoor (2007-2013) • Lucky 13 (2013) • BEAST (2013) • POODLE (2014) • Heartbleed (2014) • Logjam (2015) • FREAK (2015) • DROWN (2016) Security Best Practices • Do not use insecure SSL protocols (SSLv3, TLS 1.0, TLS 1.1) • Use cipher with 128+ bit of cryptographic strength (AES-256, RSA 2048, SHA-256 +) • Crypto agility (plan for TLS 1.3) • Mutual TLS
  • 23. Input and Output Validation
  • 24. Secure handling and storage of Secrets
  • 25. Security Scanning within CI/CD Containers and Orchestration security - CIS benchmark - Clair - Dagda - Anchore - KubeSec - Kubehunter (RASP) - DAST - IAST
  • 26. Security Testing of Microservices ● Security unit test cases ● Perform threat model to abuse cases ● Build scanners for detecting common application security vulnerabilities
  • 27. Conclusion ● Begin with Zerotrust by default ● Earn trust as you validate the authenticity of serverless applications ● Vetted microservice design patterns foster security ● Classic AppSec attacks are still applicable ● Be open minded about modern security tooling ● Automating AppSec tools promote shift left security transformation ● Threat Modeling is priceless ● Secure the complete stack and not just microservices
  • 28. References Chris Richardson Sam Newman Prabhat Siriwardena Newan Dias Jim Manico & many contributors Heather Adkins Bestsy Beyer Paul Blankinship Piotr Lewandowski Oprea & Adam Stubblefield