Title: Securing Modern API and Services/MicroServices-based Applications By Design
Speaker: Farshad Abasi, Co-Founder/Director of Application and Cloud Security, Mirai Security Inc.; CSO, Forward Security
Date: Thurs. Nov 22, 2018
Time: 6 - 7:30 pm. Networking starts at 6 pm, talk begins at 6:30 pm. Light refreshments will be served.
Location: ACL, 14th Floor, 980 Howe St. Vancouver
RSVP: Please RSVP below
Applications have taken many forms over the years, from single to multi-user, client-server, and distributed architectures. For the most part, these applications followed a monolithic design where various functions lived together inside a walled garden or trust boundary. These functions communicated primarily via memory or the local filesystem, removing the possibility of the network as an attack vector. With the advent of SOA (Service-Oriented Architecture) and microservices, the walls have fallen, and modern applications are being decomposed into discrete and independent units of functionality. Each component usually lives inside a container and is accessible over the network through an exposed API (typically RESTful). This results in flexible and independently deployable components, suitable for DevOps and Agile models.
At the same time, this requires having the right security controls in place to create a similar level of trust between these newly decoupled units as existed previously when they lived closely together and communicated locally within the same application trust boundary. End-to-end trust needs to be maintained from the time user authentication takes place, all the way through to the end of the user journey across the various units of the application. In addition, the tools and technologies used to facilitate these modern architectures, such as container engines and orchestration tools, are fairly new and not mature or fully understood, leading to risks from misconfiguration or vulnerabilities that need to be addressed.
This presentation is aimed at application and security architects, developers, and anyone else who deals with these modern service-based applications and needs practical knowledge of how best to secure them. We will further this topic by bringing together the different security concepts and required controls, such as end-to-end trust and policy enforcement points, into a single high-level architecture pattern that can be applied when building services-based or microservices-based applications.
Farshad Abasi is an innovative technologist with over twenty years of experience in software design and development, network and system architecture, management, and technical instruction. With a keen interest in security from the start, he has become an expert in that aspect of computing and communication over the last 16 years. He is currently the CSO at Forward Security, with a mission to provide world-class information security services, particularly in the Application and Cloud security domains. Farshad is also the CTO/CISO at Machool Technologies, helping build a leading services marketplace. In addition, he co-founded Mirai Security, and spent the last decade as a senior member of HSBC Group's IT Security team, with the most recent positions being Principal Global Security Architect and Head of IT Security of the Canadian division. Farshad is continuing a sixteen-year stint as an instructor at BCIT, where he shares his passion for information and network security, helping others build a career in this exciting field. He is also the security correspondent for CFAX radio, BSides Vancouver/MARS board member, Vancouver OWASP chapter lead, a CISSP designate, and a UBC CS alumnus.
Thanks to the following companies for sponsoring this event: