Sessions

GOTO Berlin 2018

A deep dive into some of the technical challenges and solutions to securing a microservice architecture.

Microservices are great, and they offer us lots of options for how we can build, scale and evolve our applications. On the face of it, they should also help us create much more secure applications - the ability to protect in depth is a key part of protecting systems, and microservices make this much easier. On the other hand, information that used to flow within single processes, now flows over our networks, giving us a real headache. How do we make sure our shiny new microservices architectures aren’t less secure than their monolithic predecessors?

Picking up where my previous presentation on this topic left off, in this talk, I outline some of the key challenges associated with microservice architectures with respect to security, and then looks at approaches to address these issues. From secret stores, time-limited credentials and better backups, to confused deputy problems, JWT tokens and service meshes, this talk looks at the state of the art for building secure microservice architectures.

prerequisite attendee experience level: beginner This talk is for anyone who is currently building, or planning to build a microservice architecture. I used to say "anyone who cares about security of a microservice architecture" but I sort of feel that if you are building software of any sort and don't care about security, then something is wrong! I don't expect people to be experts in security to understand what I am sharing, I focus on helping developers get "just enough security" knowledge to be useful.