Interview: Sam Newman about security and microservices

Sam Newman will talk at ASAS about security and microservices. 'Just because a system hasn't been hacked yet, doesn't mean it can't be hacked!'


What is your practical experience with microservices?

'Lots! My experience goes back to way before we even called them microservices. I've been working with different service-oriented architectures since 2004 in one form or another.'

In what way is security different for microservices than for a multi-app environment?

'The fundamental challenge is that microservice architectures increase the surface area of attack: there are more services that can be breached and there is more data that flows over networks. The flip side is that this allows for improved defence in depth when compared to more monolithic systems.'

Do you have a practical example in which you (successfully) applied security for microservices?

'I think defining a 'successful' system is always problematic, especially when discussing it in the context of security! Just because it hasn't been hacked yet, doesn't mean it can't be hacked!'

'Over the last 5 years though, since microservices became my focus, security has been an aspect of virtually every piece of work I've done. Often it is basic things, like ensuring good account hygiene with AWS, or ensuring that machines are patched regularly. For other pieces of work it's been much more complex, such as implementing fine-grained permissions to avoid the confused deputy problem.'

What are the most important points of attention, according to you?

'Building a 'secure' microservice system is more than just focusing on technical aspects. It's more than just focusing on prevention. You need a broad approach to embracing a secure mindset, which understands that:

1. Humans make mistakes
2. No system is un-hackable
3. You need to start understanding what your stance is with respect to security when designing the systems in the first place.

Ultimately the human factors end up being just as important as the technical, and I'll be addressing both in my talk.'

