container-solutions.com | @containersoluti
Microservices – a security nightmare?
GOTO Berlin - Dec 2, 2015 | Maximilian Schöfmann, Container Solutions Switzerland
Autonomy
Security
microservices…
small, hence many services
talking over the network
built with different technologies
by autonomous teams with end-to-end responsibility
doing DevOps and Continuous Delivery
using containers
many small services
talking over the network
Java 7 (1.7.0_03)
built with different technologies
nodejs 0.9
Ruby 2.1
Java 7
Go 1.4
Java 8
by autonomous teams with end-to-end responsibility
(ISC)2®
doing DevOps
OWASP??
Specification
Implementation Validation
and Continuous Delivery
using containers
XEN Hypervisor - 10^5 LOC
Linux Kernel - 10^7 LOC
many small services
talking over the network
payment_data (stateless)
cat_pictures (stateless)
user_db
Authentication: Basic Auth
Authorization: Basic c21hcnRhc3MuLi4uCg==
Authentication: Client certificates
Authentication: API Keys
X-My-API-Key: YWxsIHVyIGJhc2UgYXJlIGJlbG9uZ3MgMiAgdXMK
talking over the network
Authentication: HMAC
Authorization: AWS FOOBR7EXAMPLE:frJIUN8h81ADYpKg=
talking over the network
Secrets management
vaultproject.io
square.github.io/keywhiz
talking over the network
Single-Sign-On
SAML
Single-Sign-On
client | SSO | service
authenticate
token
request with token
verify
send response
Single-Sign-On
client | SSO | service
authenticate
token
request with token
verify, send response
Authorization
{ "iss": "[email protected]", "scope": "https://www.googleapis.com/auth/bigquery", "aud": "https://www.googleapis.com/oauth2/v3/token", "exp": 1328554385, "iat": 1328550785 }
ID Tokens
{ "sub": "bob", "email": "[email protected]", "name": "Bob Example", "exp": 1328672194, "https://mycorp.tld/groups": ["admin", "publisher"] }
Translating ID Tokens
dumb token -> Gateway -> JWT -> Service A
                                Service B (JWT)
                                Service C (JWT)
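The SSO flow and the gateway translation above, as an added example that is not from the talk: the gateway exchanges an opaque ("dumb") SSO token for a short-lived HS256-signed JWT carrying the slide's ID-token claims, and each service verifies that JWT locally instead of calling the SSO service. The signing key, the session store, the claim values and the group claim name are constructed for the example; a stdlib HS256 implementation stands in for a JWT library.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed values: a real gateway keeps the signing key in a secrets
# manager (Vault/Keywhiz) and looks sessions up at the SSO service.
JWT_SECRET = b"constructed-gateway-signing-key"
SSO_SESSIONS = {"opaque-abc123": {"sub": "bob", "email": "bob@example.com",
                                  "groups": ["admin", "publisher"]}}
GROUPS_CLAIM = "https://mycorp.tld/groups"   # custom claim as on the slide

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(JWT_SECRET, signing_input, hashlib.sha256).digest()

def gateway_translate(dumb_token: str, now: int, ttl: int = 300) -> Optional[str]:
    """Gateway: exchange the opaque SSO token for a short-lived signed JWT."""
    session = SSO_SESSIONS.get(dumb_token)
    if session is None:
        return None
    claims = {"sub": session["sub"], "email": session["email"],
              "iat": now, "exp": now + ttl, GROUPS_CLAIM: session["groups"]}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64url(_sign(signing_input))}"

def service_verify(jwt: str, now: int) -> Optional[dict]:
    """Service: check algorithm, signature and expiry locally, no SSO round trip."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # refuses alg=none and algorithm confusion
            return None
        expected = _sign(f"{header_b64}.{payload_b64}".encode())
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def is_admin(claims: dict) -> bool:
    return "admin" in claims.get(GROUPS_CLAIM, [])
```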
The Confused Deputy
API Gateways
API Gateway
• Access control
• Rate limiting
• HTTPS termination
...
API Gateways
API Gateway
WAF
Payment Svc.
built with different technologies
by autonomous teams with end-to-end responsibility
Trust
Idea from A.T. Kearney Analysis
Accountability
Expertise
Autonomy & Entrepreneurship
Collaboration & Support
Trust
Definition of Done
“It’s not done, before it’s fast!”
by autonomous teams with end-to-end responsibility
Definition of Done
“It’s not done, before it’s secure!”
by autonomous teams with end-to-end responsibility
Rugged Software Manifesto
ruggedsoftware.org
by autonomous teams with end-to-end responsibility
doing DevOps
SecDevOps?
SecOps?
DevSec?
doing DevOps
SecDevOps = Mindset + Tooling
and Continuous Delivery
Test pyramid
Unit Tests
Service Tests
UI tests
faster feedback
from "Succeeding with Agile" (Mike Cohn)
confidence
and continuous delivery
Security-Test pyramid
static code analysis
Vulnerability scanning
E2E security tests
faster feedback
confidence
and continuous delivery
BDD style
continuumsecurity.net/bdd-intro.html
using containers
1982 chroot
2000 BSD Jails
2001 Virtuozzo
Linux-VServer
2004 Solaris Zones
2007 cgroups
2008 LXC
2013 Docker
2014 rkt
Defense in depth
payment service instance #2 | docs upload service instance #1 | payment service instance #1 | cat picture service instance #1 | meme generator instance #1 | bookmark manager instance #1
using containers
Freeze & replace
payment service instance #2 | docs upload service instance #1 | payment service instance #1 | cat picture service instance #1 | meme generator instance #1 | bookmark manager instance #1
using containers
payment service instance #1
Freeze & replace
payment service instance #2 | docs upload service instance #1 | payment service instance #3 | cat picture service instance #1 | meme generator instance #1 | bookmark manager instance #1
using containers
Docker security
tinyurl.com/docker-security
• read-only containers
• minimal base images
• drop capabilities
• verify signed images
• traditional hardening (AppArmor, SELinux…)
...
Scan images for vulnerabilities
Clair (CoreOS), Nautilus (Docker Inc.)
Secure deployments
Docker daemon - "just HTTP"
• TLS
• Authentication
• Authorisation
• Logging & Auditing
scp, rsync, git
Summary
small, distributed services can limit the impact of breaches
isolate services with different security requirements
use standard mechanisms for auth, but make sure they are scalable
consider an API gateway, but don't overuse this pattern
Summary
monocultures can do harm
embrace rugged software principles
accountability ensures security is built in, not bolted on
invest in automation and tooling around security tools and security testing
Summary
use containers as an additional line of defense
use containers as immutable infrastructure
if you need to, use containers to do forensics
secure your container hosts thoroughly
scan images centrally for vulnerabilities
abolish obsolete deployment methods
Nightmare?