DevSecCon
Solving Trust Issues at Scale
May 12, 2020
Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices?
Not all microservices are the same: some are more sensitive – for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with whom is required.
We dealt with this challenge whilst I was working for Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we built this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.
Resources:
- Slides: https://www.slideshare.net/SolutoTLV/solving-trust-issues-at-scale-appsec-california
- Open Policy Agent: https://www.openpolicyagent.org/docs/latest/envoy-authorization/
- Envoy JWT authentication filter: https://www.envoyproxy.io/docs/envoy/v1.8.0/configuration/http_filters/jwt_authn_filter
- Blog post: https://www.omerlh.info/2020/01/22/solving-trust-issues-at-scale/
About Omer Levi Hevroni
Omer Levi Hevroni has been coding since the 4th grade, when his father taught him BASIC (Beginner’s All-purpose Symbolic Instruction Code). Today, he’s doing AppSec/DevSecOps at Soluto. He is also an active open source contributor, OWASP member, and OWASP Glue project leader.