Presentation: Insecure Transit - Microservice Security

Track: Microservices/ Serverless: Patterns and Practices

Location: Fleming, 3rd flr.

Duration: 4:10pm - 5:00pm

Day of week: Monday

Level: Intermediate



Microservices are great, and they offer us lots of options for how we can build, scale and evolve our applications. On the face of it, they should also help us create much more secure applications: defence in depth is a key part of protecting systems, and microservices make it much easier to put boundaries between components. On the other hand, information that used to flow within a single process now flows over our networks, giving us a real headache. How do we make sure our shiny new microservice architectures aren't less secure than their monolithic predecessors?

In this talk, Sam Newman outlines some of the key security challenges associated with microservice architectures, and then looks at approaches to address them. From secret stores, time-limited credentials and better backups, to confused deputy problems, JWTs and service meshes, this talk looks at the state of the art for building secure microservice architectures.
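Two of the mechanisms the abstract names, time-limited credentials and audience-bound JWTs as a defence against the confused deputy problem, can be shown in a few lines. The block below is an added example and is not code from the talk or from the speaker. It assumes an HS256 shared secret (in practice this would be loaded from a secret store, not embedded in source), constructed service names ("svc-orders", "billing"), and an explicit `now` parameter so that expiry can be tested without a live clock. The signature check pins the algorithm rather than trusting the token header, and the audience check is what stops a token minted for one service being replayed against another.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (assumption for the example). A real service would
# fetch this from a secret store and rotate it; never commit a signing key.
SECRET = b"demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audience: str, ttl_seconds: int, now: int) -> str:
    """Issue a short-lived HS256 JWT bound to a single audience (the callee service)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_audience: str, now: int) -> dict:
    """Check structure, algorithm, signature, expiry and audience; raise ValueError otherwise."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: trusting the header's alg is what enables "none" and
    # key-confusion attacks, so only the algorithm we issued is acceptable.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so an attacker cannot time-side-channel the MAC.
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    # Time-limited credential: exp is treated as exclusive, so now == exp is expired.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    # Confused deputy guard: a token minted for "orders" must not be honoured by "billing".
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    return claims


def accept(token: str, expected_audience: str, now: int) -> tuple:
    """Convenience wrapper: (True, subject) on success, (False, reason) on rejection."""
    try:
        return True, verify_token(token, expected_audience, now)["sub"]
    except ValueError as exc:
        return False, str(exc)


def tamper_audience(token: str, new_audience: str) -> str:
    """Constructed attack: rewrite the aud claim while keeping the original signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims["aud"] = new_audience
    return f"{h_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for the demo
    tok = mint_token("svc-orders", "billing", ttl_seconds=300, now=t0)
    print("billing, in time    :", accept(tok, "billing", t0 + 10))
    print("billing, expired    :", accept(tok, "billing", t0 + 300))
    print("replayed at orders  :", accept(tok, "orders", t0 + 10))
    print("aud rewritten       :", accept(tamper_audience(tok, "orders"), "orders", t0 + 10))
```

The checks run in the order a verifier should apply them: reject on structure, then algorithm, then signature, and only then read the claims, so nothing in an unauthenticated payload influences a decision. A five-minute TTL limits the blast radius of a leaked token; the audience claim limits where it can be spent.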


How would you describe the persona and level of the target audience?


Anyone who is currently building, or planning to build a microservice architecture. I used to say "anyone who cares about security of a microservice architecture" but I sort of feel that if you are building software of any sort and *don't* care about security, then something is wrong! I don't expect people to be experts in security to understand what I am sharing, I focus on helping developers get "just enough security" knowledge to be useful.


What do you want “that” persona to walk away with from your talk knowing that they might not have known 50 minutes before?


I'd say a few things, specifically:

  • Microservices can make implementing secure systems easier and harder
  • You have to think about security concerns up front
  • There are some technology solutions that can make this less daunting and easier to consider
  • That any developer building a distributed system can and should have some level of awareness of security issues, and be able to do something meaningful about them

What trend in the next 12 months would you recommend an early adopter/early majority SWE to pay particular attention to?


If you aren't already looking at actively using a Kubernetes-based platform for your microservice architecture, you should - the ecosystem is offering so many useful tools to make your life easier that you may well be losing out if you're using alternative platforms. Of particular interest are service meshes, which offer the potential to simplify implementation of cross-cutting concerns (security, load balancing, canary releases) and reduce the amount of things that need to be done "in service". The space is quite vibrant at the moment (by which I mean there are loads of service meshes out there!) so picking a winner right now is difficult, but as an early adopter I'd suggest taking a look at the stuff from Buoyant (Linkerd and Conduit) and Istio.

Speaker: Sam Newman

Microservice, Cloud, CI/CD Thoughtleader

Sam Newman is an independent consultant specializing in helping people ship software fast. Sam has worked extensively with the cloud, continuous delivery, and microservices and is especially preoccupied with understanding how to more easily deploy working software into production. For the last few years, he has been exploring the capabilities of microservice architectures. He has worked with a variety of companies in multiple domains around the world, often with one foot in the developer world and another in the IT operations space. Previously, he spent over a decade at ThoughtWorks before leaving to work with a startup. Sam speaks frequently at conferences. He is the author of Building Microservices (O’Reilly). If you would like to get in touch, please email him.
