Presentation: Insecure Transit - Microservice Security
Share this on:
Abstract
Microservices are great, and they offer us lots of options for how we can build, scale and evolve our applications. On the face of it, they should also help us create much more secure applications - the ability to protect in depth is a key part of protecting systems, and microservices make this much easier. On the other hand, information that used to flow within single processes, now flows over our networks, giving us a real headache. How do we make sure our shiny new microservices architectures aren’t less secure than their monolithic predecessors?
In this talk, Sam Newman outlines some of the key challenges associated with microservice architectures with respect to security, and then looks at approaches to address these issues. From secret stores, time-limited credentials and better backups, to confused deputy problems, JWT tokens and service meshes, this talk looks at the state of the art for building secure microservice architectures.
How you you describe the persona and level of the target audience?
Anyone who is currently building, or planning to build a microservice architecture. I used to say "anyone who cares about security of a microservice architecture" but I sort of feel that if you are building software of any sort and *don't* care about security, then something is wrong! I don't expect people to be experts in security to understand what I am sharing, I focus on helping developers get "just enough security" knowledge to be useful.
What do you want “that” persona to walk away with from your talk knowing that they might not have known 50 minutes before?
I'd say a few things, specifically:
- Microservices can make implementing secure systems easier and harder
- You have to think about security concerns up front
- There are some technology solutions that can make this less daunting and easier to consider
- That any developer building a distributed system can and should have some level of awareness of security issues, and be able to do something meaningful about them
What trend in the next 12 months would you recommend an early adopter/early majority SWE to pay particular attention to?
If you aren't already looking at actively using a kubernetes-based platform for your microservice architecture, you should - the ecosystem is offering so many useful tools ot make your life easier that you may well be losing out if you're using alternative platforms. Of particular interest are service meshes, which offer the potential to simplify implementation of cross cutting concerns (security, load balancing, canary releases) and reduce the amount of things that need to be done "in service". The space is quite vibrant at the moment (by which I mean there are loads of service meshes out there!) so picking a winner right now is difficult, but as an early adopter I'd suggest taking a look at the stuff from Buoyant (Linkerd and Conduit) and Isito.
Similar Talks
Tracks
Monday, 5 March
-
Leading Edge Backend Languages
Code the future! How cutting-edge programming languages and their more-established forerunners can help solve today and tomorrow’s server-side technical problems.
-
Security: Red XOR Blue Team
Security from the defender's AND the attacker's point of view
-
Microservices/ Serverless: Patterns and Practices
Stories of success and failure building modern service and function-based applications, including event sourcing, reactive, decomposition, & more.
-
Stream Processing in the Modern Age
Compelling applications of stream processing & recent advances in the field
-
DevEx: The Next Evolution of DevOps
Removing friction from the developer experience.
-
Modern CS in the Real World
Applied trends in Computer Science that are likely to affect Software Engineers today.
-
Speaker AMAs (Ask Me Anything)
Tuesday, 6 March
-
Next Gen Banking: It’s not all Blockchains and ICOs
Great technologies like Blockchain, smartphones and biometrics must not be limited to just faster banking, but better banking.
-
Observability: Logging, Alerting and Tracing
Observability in modern large distributed computer systems
-
Building Great Engineering Cultures & Organizations
Stories of cultural change in organizations
-
Architectures You've Always Wondered About
Topics like next-gen architecture mixed with applied use cases found in today's large-scale systems, self-driving cars, network routing, scale, robotics, cloud deployments, and more.
-
The Practice & Frontiers of AI
Learn about machine learning in practice and on the horizon
-
JavaScript and Beyond: The Future of the Frontend
Exploring the great frontend frameworks that make JavaScript so popular and theg JavaScript-based languages revolutionising frontend development.
-
Speaker AMAs (Ask Me Anything)
Wednesday, 7 March
-
Distributed Stateful Systems
Architecting and leveraging NoSQL revisitied
-
Operating Systems: LinuxKit, Unikernels, & Beyond
Applied, practical, & real-world deep-dive into industry adoption of OS, containers and virtualisation, including Linux on Windows, LinuxKit, and Unikernels
-
Architecting for Failure
If you're not architecting for failure you're heading for failure
-
Evolving Java and the JVM: Mobile, Micro and Modular
Although the Java language is holding strong as a developer favourite, new languages and paradigms are being embraced on JVM.
-
Tech Ethics in Action
Learning from the experiences of real-world companies driving technology decisions from ethics as much as technology.
-
Bare Knuckle Performance
Killing latency and getting the most out of your hardware
-
Speaker AMAs (Ask Me Anything)