Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices?
Not all microservices are the same: some are more sensitive - for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with who is required.
We dealt with this challenge whilst I was working for Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we build this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.
Resources mentioned in this session:
Open Policy Agent: https://www.openpolicyagent.org/docs/latest/envoy-authorization/
Omer Levi Hevroni
I’ve been coding since 4th grade when my dad taught me BASIC and haven’t looked back since. AppSec/DevSecOps enthusiast, and always curious about integrating more hacking tools into the CI/CD pipeline. Always looking for new interesting ways to increase security awareness over the entire R&D - developers, product, and UX. And besides all that, I’m active open source contributor, and proud OWASP member. Currently, I’m working at Snyk as AppSec Engineer and before that I was the Security champion at Soluto, leading the security efforts and doing various DevOps/DevSecOps task.