Presentation: Insecure Transit - Microservice Security
Abstract
Microservices are great, and they offer us lots of options for how we can build, scale and evolve our applications. On the face of it, they should also help us create much more secure applications - the ability to protect in depth is a key part of protecting systems, and microservices make this much easier. On the other hand, information that used to flow within single processes, now flows over our networks, giving us a real headache. How do we make sure our shiny new microservices architectures aren’t less secure than their monolithic predecessors?
In this talk, Sam Newman outlines some of the key challenges associated with microservice architectures with respect to security, and then looks at approaches to address these issues. From secret stores, time-limited credentials and better backups, to confused deputy problems, JWT tokens and service meshes, this talk looks at the state of the art for building secure microservice architectures.
How would you describe the persona and level of the target audience?
Anyone who is currently building, or planning to build a microservice architecture. I used to say "anyone who cares about security of a microservice architecture" but I sort of feel that if you are building software of any sort and *don't* care about security, then something is wrong! I don't expect people to be experts in security to understand what I am sharing, I focus on helping developers get "just enough security" knowledge to be useful.
What do you want “that” persona to walk away with from your talk knowing that they might not have known 50 minutes before?
I'd say a few things, specifically:
- Microservices can make implementing secure systems easier and harder
- You have to think about security concerns up front
- There are some technology solutions that can make this less daunting and easier to consider
- That any developer building a distributed system can and should have some level of awareness of security issues, and be able to do something meaningful about them
What trend in the next 12 months would you recommend an early adopter/early majority SWE to pay particular attention to?
If you aren't already looking at actively using a Kubernetes-based platform for your microservice architecture, you should - the ecosystem is offering so many useful tools to make your life easier that you may well be losing out if you're using alternative platforms. Of particular interest are service meshes, which offer the potential to simplify implementation of cross-cutting concerns (security, load balancing, canary releases) and reduce the amount of things that need to be done "in service". The space is quite vibrant at the moment (by which I mean there are loads of service meshes out there!) so picking a winner right now is difficult, but as an early adopter I'd suggest taking a look at the stuff from Buoyant (Linkerd and Conduit) and Istio.