Microservices

Microservice Security

Published by O'Reilly Media, Inc.

Content level: Intermediate

Best practices for microservice-style architectures

Microservice architectures are increasingly popular, but they bring with them increased complexity and new challenges. One of the more challenging areas with any microservice-style architecture is security. Application security in a microservice architecture is different from security with a monolith. With more moving parts in a microservices architecture, understanding what security posture is required can be difficult.

Join expert Sam Newman to learn the challenges microservice architectures can present for the security of applications even while they provide more ways to build and operate secure systems. At the end of the class you’ll have a better understanding of best practices for protecting microservice-style architectures and where to spend your time to deliver the right level of security.

What you’ll learn and how you can apply it

By the end of this live online course, you’ll understand:

  • How microservice architectures change some of the common challenges of application security
  • What types of protection may be needed to protect data in transit and at rest
  • How to identify where technologies like JWT or Open Policy Agent can be used in the context of authentication and authorization
  • Where security concerns occur

And you’ll be able to:

  • Better prioritize where you spend your time to build a secure application
  • Better protect your microservices while still allowing a high degree of independence

This live event is for you because...

  • You have a microservice architecture and are worried it isn’t secure.
  • You’re planning a microservice architecture and don’t know where to start regarding security.
  • You’re a developer or architect who wants to gain skills in security so that you can apply security principles when building your system.

Prerequisites

  • A basic understanding of microservices

Schedule

The time frames are only estimates and may vary according to how the class is progressing.

Introduction (5 minutes)

  • Presentation: What are microservices?; challenges of microservices security
  • Q&A

5 functions of cybersecurity in microservices (20 minutes)

  • Presentation: Identify, protect, detect, respond, and recover
  • Q&A

4 principles of microservice security (35 minutes)

  • Presentation: Principle of least privilege; defense in depth; automation; build security in (shift left)
  • Group discussion
  • Q&A
  • Break

Threat modeling (20 minutes)

  • Presentation: Knowing what to protect; attack tree example; applying the example to application architecture
  • Group discussion
  • Q&A

Zero versus implicit trust (15 minutes)

  • Presentation
  • Q&A

Patching (5 minutes)

  • Presentation
  • Q&A

Data at rest (20 minutes)

  • Presentation: User data; secrets
  • Break

Data in transit (20 minutes)

  • Presentation: Transport security; HTTPS example

Authentication and authorization (30 minutes)

  • Presentation: Example authentication flow; confused deputy problem; upstream versus downstream validation; JWT tokens; Open Policy Agent
  • Group discussion
  • Q&A

Summary (10 minutes)

  • Presentation: Five parts of cybersecurity; four principles; know your threats

Your Instructor

  • Sam Newman

    Sam Newman is a technologist focusing on the areas of cloud, microservices, and continuous delivery—three topics which seem to overlap frequently. He provides consulting, training, and advisory services to startups and large multinational enterprises alike, drawing on his more than 20 years in IT as a developer, sysadmin, and architect. Sam is the author of the best-selling Building Microservices and Monolith to Microservices, both from O’Reilly, and is also an experienced conference speaker.