Voxxed Days Microservices: Vulnerabilities in Microservices


A developer and microservices enthusiast talks about ensuring security in software, especially microservices architecture.


Hi Julien, tell us who you are and what led you into microservices.

Hi, I'm a passionate developer coaching other devs @SocieteGenerale. I think that what led me to microservices was Domain Driven Design. Once the bounded contexts are identified, it seems natural to isolate each of them into a single-responsibility service. But how to manage, monitor, scale it, etc.? One Netflix talk, and there we are now!

What will you be talking about at Voxxed Days Microservices?

"Security" is the new "automated tests." Some years ago people didn't use to write automated tests, or even didn't know what they were. Nowadays, we are facing the same issue with application security. Everyone seems shocked when hearing in the news that some massive leak of personal data or credit card numbers has happened. But we should ask ourselves: what are we doing to make sure that it won't happen to our own software?

Thanks to the great open-source community, we have frameworks which help us quickly spawn the infrastructure of our microservices. Those frameworks are the prime targets of potential attackers; the major open-source communities know it and are pretty active in the remediation of their vulnerabilities.

But as an open-source user, are you aware of the risk you are facing? Are you using vulnerable versions of your frameworks? Looks like 88% of Java applications audited for this report have at least one vulnerability in third-party dependencies.

In this talk, we will see how to detect and track the known vulnerabilities in the third-party dependencies we use, using open-source software like OWASP Dependency-Check and OWASP Dependency-Track.
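One concrete way to wire the first of those tools into a Java build, added here as an example and not taken from the talk or from the OWASP projects themselves: the Dependency-Check Maven plugin configured so that a known CVE above a chosen CVSS score breaks the build instead of only producing a report. The version property placeholder, the 7.0 threshold and the suppression-file path are assumptions of this example; `failBuildOnCVSS`, `skipTestScope`, `formats`, `suppressionFiles` and the `check` goal are the plugin's own settings.

```xml
<!-- pom.xml fragment (added example); version placeholder must be replaced with a real release -->
<project>
  <properties>
    <dependency-check.version>PLACEHOLDER_VERSION</dependency-check.version>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Fail the build when any dependency carries a CVE with CVSS >= 7.0.
               The threshold is this example's choice; pick one your team will actually honour. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Test-scoped dependencies are not shipped to production, so they do not enlarge
               the attack surface of the running service; leave them out of the gate. -->
          <skipTestScope>true</skipTestScope>
          <!-- HTML for humans reading the CI job, JSON for machines (dashboards, tickets). -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
          <!-- Reviewed false positives live in version control next to the code, so every
               suppression is visible in code review. Path is an assumption of this example. -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <!-- "check" runs in the verify phase by default, i.e. before anything is packaged or deployed -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` in the CI pipeline fails the job as soon as a dependency with a high-severity known vulnerability enters the build, which is the "shift the check to the development team" idea the talk describes. Dependency-Track then covers the tracking half: it ingests a CycloneDX SBOM of each service (the CycloneDX Maven plugin produces one), so newly published CVEs against already-deployed versions are flagged without a rebuild.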

So what you are saying is that 88% of our Java applications have vulnerabilities. Now, with microservices, we have more applications, therefore more vulnerabilities, right? Is DevSecOps the way to go?

Microservices have increased the number of running software components in production, for sure. Maybe it increases the number of vulnerabilities as well, but what we can be sure of is the increase of the attack surface of our production environment.

When I started to work a decade ago, application security was owned by a central committee of Security Engineers, and sometimes those guys showed up to audit our application. But in those days we were doing something like one release every three months.

With DevOps and the microservices philosophy, we understood that the responsibility of a development team was more than just writing code: we now ship to production in a continuous way and we are monitoring production ourselves. Looks like security was lost in translation.

Adding the Sec to DevOps with the right tools and best practices will therefore make sure that we build safer software for our users.

This talk will strive to demonstrate that we can easily increase the security of our software with a small amount of effort around a sample of a vulnerable microservice.

Voxxed Days Microservices and DZone, Partnering Up

DZoners! Visit Voxxed Days Microservices here to check out ticket info for the show, and use the DZone reader exclusive code: VXDMS_DZONE to get 20% off for the conference and workshop. Grab those tickets while you can, be sure to say hey to our Zone Leaders—Thomas Jardinet and Chris Ward—if you run into them at the show, and enjoy Paris!

devsecops, microservices, security, software architecture

Published at DZone with permission of Antonio Goncalves, DZone MVB. See the original article here.