Insecure Transit - Microservice Security Challenges and Solutions

Dive deep into the technical challenges and solutions for securing microservice architectures in this conference talk. Explore the benefits and potential security risks of microservices, including protecting information flow across networks. Learn about data breaches, software development practices, and assessing risks in microservice security. Discover practical advice on password management, short-lived credentials, secret stores, and patching systems. Examine container scanning, threat modeling, and network communication concerns, including HTTP, TLS, and mutual TLS. Investigate authentication, authorization, and the Confused Deputy Problem. Gain insights into making decisions upstream, using JWT tokens, and implementing service mesh solutions. Equip yourself with valuable knowledge to enhance the security of your microservice-based applications and infrastructure.

Intro
Data Breaches
Software Development
Microservice Security
Microservice Architecture
Surface Area of Attack
Assessing Risks
Password Manager
Advanced Persistent Threat
Three pieces of advice
Shortlived credentials
Qi tools
Credentials
Secret Stores
Vault
Console Template
Security Breaches
Patch Your Stuff
Equifax Data Breach
Vulnerabilities
Equifax
Systems building on systems
Normal running infrastructure
Solutions
Container Scanning
Threat Modelling
Network Communication
Key Concerns
HTTP and TLS
HTTP TLS
Mutual TLS
Other protocols
Authentication
Authorization
Confused Deputy Problem
Making Decisions Upstream
What We Want
JWT Token
Service Mesh
Summary