Hi, I’m a passionate developer coaching other devs @SocieteGenerale. I think that what’s led me to microservices was the Domain Driven Design. Once the bounded contexts identified, it seems natural to isolate it into a single responsibility service. But how to manage, monitor, scale it etc? One Netflix talk and there we are now!
“Security” is the new “Automated tests”. Some years ago people didn’t use to write automated tests or even didn’t know what it was. Nowadays we are facing the same issue with the application security. Everyone seems choked when hearing in the news that some massive leaks of personal data or credit card numbers happen. But we should ask ourselves, what are we doing to make sure that it won’t happen on our own software ?
Thanks to the great open-source community, we have frameworks which help us to spawn quickly the infrastructure of our microservices. Those frameworks are the prime targets of potential attackers, the major open-source communities know it and are pretty active in the remediation of their vulnerabilities.
But as an open-source user, are you aware about the risk you are facing? Are you using vulnerable versions of your frameworks? Looks like 88% of java applications audited for this report have at least one vulnerability in a third-party dependencies.
In this talk we will see how to detect and track the known vulnerabilities in the third-party dependencies we use, using open-source software like OWASP Dependency-Check and OWASP Dependency-Track.
Microservices have increased the number of running softwares in production for sure. May be it increases the number of vulnerabilities as well but what we can be sure of the increase of the attack surface of our production environment.
When I started to work a decade ago, applicative security was owned by a central committee of Security Engineers, and sometimes those guys showed up to audit our application. But during those days we were doing something like one release every three months or something like that.
With the DevOps and the microservices philosophy, we understood that the responsibility of a development team was more than just writing code, we now ship in production in a continuous way and we are monitoring the production ourselves. Looks like security was lost in translation.
Adding the Sec in the DevOps with the right tools and best practices, will therefore make sure that we build safer softwares for our users.
This talk will strive to demonstrate that we can easily increase the security of our software with a small amount of efforts around a sample of a vulnerable microservice.
#owasp #devsecops #security
Twitter: @JulienTopcu
Blog: https://beyondxscratch.com
LinkedIn: https://www.linkedin.com/in/julien-top%C3%A7u