DevOpsDays Jakarta 2020
Modern App Architecture: Microservices, API Friendly
by Andre Iswanto
BRI Corporate University, March 12th 2020
| ©2019 F5 NETWORKS5 CONFIDENTIAL
Three outcomes enterprises expect from digital transformation: customer experience, business agility, digital ROI
Applications drive business (figure: mobile, global, logistics, ERP, today)
The Application Landscape Is Transforming
Cloud is now: 87% of customers are adopting multi-cloud strategies and approaches [1]
DevOps is rising: 65% of organizations are expanding DevOps methods into the larger business by 2021 [2]
Technology is changing: 85% of new app workload instances are container-based, 95% by 2021 [3]
Sources: [1] F5 State of Application Services Report 2018; [2] IDC FutureScape 2019; [3] Cisco Global Cloud Index: 2016-2021
Microservices Architecture from Gartner (figure: north/south and east/west traffic)
Security
D.T. challenges: organizations must rethink security
Applications; processes and skills; technology stacks and tools; security
How do you deploy and manage a global application security policy?
Applications and identities were the initial targets in 86% of breaches.
Source: F5 State of Application Services 2019 report
Application threats
Application attacks: L7 DoS, API attacks, SQL/PHP injection, client-side attacks
App infrastructure attacks: DDoS, encrypted threats, man-in-the-middle, DNS spoofing
Sophisticated attacks: APT, multi-cloud threats, malicious bots, threat campaigns and malware
Access level attacks: session hijacking, credential theft, brute force, phishing
OWASP API Security
1. HTTPS
2. Access Control
3. JWT
4. API Keys
5. Restrict HTTP Methods
6. Input Validation
7. Validate Content Type
8. Management endpoints
9. Error handling
10. Audit logs
11. Security headers
12. Cross-Origin Resource Sharing (CORS)
13. Sensitive information in HTTP requests
14. HTTP Return Code
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md
Sophisticated Attack on Client Side
Magecart-style attacks steal PCI and PII: malicious or compromised JavaScript on the webpage (event listeners) instructs the browser to make outbound XHR calls to exfiltrate sensitive data.
Autonomous Fraud
F5 Application Security framework
Intelligent security threat services: risk-based analytics and security stop today's sophisticated attacks.
Application infrastructure security: security infused into business and application development practices.
Trusted application access: modern authentication with every app and service.
Application layer security: common security policies across all multi-cloud apps.
API Gateway
API Management: reduced complexity, increased performance
Benefits:
• Create and publish multiple APIs, definitions, and configs quickly and easily
• Protect apps from DDoS and other attacks while ensuring performance with proactive security features
• Get deep visibility into app and API health with per-instance performance monitoring and proactive alerting
• Deploy your way in the environment of your choice and leverage your existing technology investments
API management lifecycle (figure): definition and publication; security; traffic management (API gateway); ongoing monitoring and maintenance; analytics to assess API value; onboarding (dev portal)
Edge API Gateway (figure): the gateway, backed by a service registry, routes each API to multiple instances of the Billing Service and Payment Service.
Other API: /api/other/topup, /api/other/user
Payment API: /api/payment/inquiry, /api/payment/payment
Paylater API: /api/paylater/payment, /api/paylater/settlement
API Security & Management
API protection and authentication at the gateway:
• TLS termination
• API OWASP
• Bot protection
• DDoS protection
• Authentication & authorization with OAuth 2.0
Requests reaching the gateway from attackers and from legitimate users:
Attackers: {"filter":"|cat /etc/password","order":"asc","limit":50}
Legitimate users: {"filter":"user=marcel","order":"asc","limit":50}
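As an added example (not from the deck or any F5 product), the following Python check applies three items from the OWASP list above, restrict HTTP methods, validate content type and input validation, to the two requests shown on the slide, accepting the legitimate filter and rejecting the injected one. The route allowlist, the accepted methods and the filter grammar are assumptions chosen for the example.

```python
import json
import re

# Assumed allowlist of gateway routes and the HTTP methods each accepts
# (paths are from the deck's diagram; the method choices are constructed).
ALLOWED_METHODS = {
    "/api/other/user": {"GET", "POST"},
    "/api/payment/inquiry": {"POST"},
}
# A filter is accepted only as field=value over a conservative character set,
# so shell metacharacters such as | ; / and spaces never reach a backend.
FILTER_RE = re.compile(r"^[a-z_]{1,32}=[A-Za-z0-9_.@-]{1,64}$")
ALLOWED_ORDER = {"asc", "desc"}
MAX_LIMIT = 100


def check_request(method, path, content_type, body):
    """Apply method restriction, content-type validation and input
    validation to one request; return (accepted, reason)."""
    methods = ALLOWED_METHODS.get(path)
    if methods is None:
        return False, "unknown path"
    if method not in methods:
        return False, "method not allowed"
    # Ignore parameters such as charset when comparing the media type
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False, "unsupported content type"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict) or set(data) - {"filter", "order", "limit"}:
        return False, "unexpected fields"
    flt = data.get("filter", "")
    if not isinstance(flt, str) or not FILTER_RE.fullmatch(flt):
        return False, "invalid filter"
    order = data.get("order", "asc")
    if not isinstance(order, str) or order not in ALLOWED_ORDER:
        return False, "invalid order"
    limit = data.get("limit", 50)
    # type() rather than isinstance() so that JSON true/false is not accepted as 1/0
    if type(limit) is not int or not 1 <= limit <= MAX_LIMIT:
        return False, "invalid limit"
    return True, "ok"


if __name__ == "__main__":
    # Constructed bodies reproducing the two requests shown on the slide
    for body in ('{"filter":"user=marcel","order":"asc","limit":50}',
                 '{"filter":"|cat /etc/password","order":"asc","limit":50}'):
        print(check_request("POST", "/api/other/user", "application/json", body))
```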
Orchestration and Automation
The Application Factory: the growth engine of the application economy
http://www.itsmacademy.com/content/webinar/SRE%20-%20An%20Enterprise%20Adoption%20Story.pdf
SRE’s 5 Pillars of Success
https://en.wikipedia.org/wiki/Site_Reliability_Engineering
Code to Customer (figure)
Any device: mobile, POS, laptop, IoT
Services between customer and code: DNS, DDoS protection, CDN, load balancer, app security, API gateway, ingress controller, app / web server, device fingerprint, user identity & behavior, future services
Any infrastructure: containers, purpose-built hardware, public cloud, virtual machines, software as a service, commodity hardware
Platform control planes: BIG-IP, NGINX, future
Visibility, insights & orchestration fed by telemetry from the control planes
Automation lifecycle: bootstrap, onboard, deploy app services, monitoring/telemetry, change
F5 Automation Toolchain
Bootstrap: cloud templates start BIG-IP instances in public and private clouds
Onboard (L1-L3): the Declarative Onboarding extension performs the initial configuration of BIG-IP instances
Deploy app services (L4-L7): the Application Services 3 extension deploys classic and advanced application services on BIG-IP using declarative REST APIs
Monitoring/telemetry: the Telemetry Streaming extension streams telemetry, events, and logs from BIG-IP to various analytics and logging solutions
Secure SDLC
Summary
Microservices-oriented application: Node 1 ... Node N
CI/CD (Continuous Integration, Continuous Delivery) pipeline (figure): commit changes; build image; deploy development; deploy application service platform (F5 & NGINX) via AS3; apps vulnerabilities scan; penetration testing; generate reports; approval workflow; deploy production
Logging, application performance monitoring & analytics (figure): Telemetry Streaming (TS) from DC1 and DC2 over HTTPS into big data, with a controller & dashboard and AS3
DevOpsDays Jakarta 2020 sponsors and partners: venue sponsor, platinum sponsors, gold sponsors, silver sponsors, university partners, community partners, media partners
Stay Connected: @IDDevOps, DevOps Indonesia
THANK YOU!
Alone We are smart, together We are brilliant
