14.2 Microservices and Container Security Flashcards

1
Q

What are the components of a typical web app?

A
  • A **front-end** server, responsible for displaying webpages and styling them in a readable format. This server is also responsible for receiving and responding to HTTP requests.
  • A **back-end** server, for executing business logic and writing or reading corresponding data to and from a database. The back-end server knows how to interact with the database depending on the specific request received.
  • A **database**, used to store information about employees, such as their employee IDs and names.
2
Q

Explain how information flows between application components: (8)

A
  1. Andrew loads the application in his browser and clicks a button to see all HR employees.
  2. Front end forwards the HTTP request to the back end.
  3. A back-end script queries the database for HR employees.
  4. Database searches for all IDs containing “HR.”
  5. Database sends IDs with “HR” to back end.
  6. Back-end script forwards list of HR employees to front end.
  7. Front end prepares a new webpage listing all of the HR employees.
  8. The browser displays a new page to Andrew, with a formatted list of HR employees.
3
Q

Monolith to Microservices: What is a monolith?

A

A monolith is any machine that hosts all of the components required to serve a website or application. In other words, a monolith is a machine that has the front-end server, the back-end server, and database all on one machine.

4
Q

If Amazon used a monolithic server comprised of a front-end server, the back-end server, and database, it would contain: (3)

A
  • A front-end HTML server: A GUI for customers to use when shopping.
  • A back-end MySQL server: A back-end server showing inventory and stock.
  • A MySQL database: A database of customers, their information, and purchases.
5
Q

In the Amazon monolithic example, what would be the problems?

A
  • If the company needs to update any of the components—the front end, back end, or database—the entire server and all of its components must be taken down. This creates long periods of downtime.
  • If one component is compromised by a hacker, environmental issue, or human error, the entire machine is potentially compromised. Today’s business standards expect companies to ensure *availability* by maintaining almost 100% uptime. Because of this,
6
Q

Amazon decides that the monolith architecture comes with too much risk, and instead creates a more ______ setup: a whole consisting of smaller and separate parts.

A

Amazon decides that the monolith architecture comes with too much risk, and instead creates a more **modular** setup: a whole consisting of smaller and separate parts.

7
Q

The new approach of separating application components into their own machines is called __________.

A

The new approach of separating application components into their own machines is called **microservices**.

8
Q

Each of the smaller blocks represents a single, independent machine. Within each machine is a component that executes one primary function or ________.

A

Each of the smaller blocks represents a single, independent machine. Within each machine is a component that executes one primary function or **service**.

9
Q

The ultimate goal of microservices is _______ through _______, which has the following benefits: (4)

A

The ultimate goal of microservices is flexibility through modularity, which has the following benefits:

1. Scalability and resiliency: Replication of identical components allows you to serve more clients and provides identical backup components if one fails.

2. Rapid response: Since microservice components are inherently smaller than monoliths, they can be replaced and updated quickly.

For example, an entire VM might require 150 GB of total disk space. An individual component could have a maximum capacity of one or two hundred MB.

3. Isolated improvement: Since microservices should be reduced to serving one primary function, they can be developed to optimize their functionality.

  • For example: Developers working on an API for storing employee data are developing a way to create new employee accounts more quickly. They’ll be able to work directly on this API, without the need of a front end to view it.

4. Isolated security: One compromised component does not equal a compromised application.

10
Q

Since not every system uses Ansible to communicate, most systems use ________.

A

Most systems use **application programming interfaces (APIs)**.

Think of an API like a menu in a restaurant. The menu provides a list of dishes you can order, along with a description of each dish. When you specify what menu items you want, the restaurant’s kitchen does the work and provides you with some finished dishes. You don’t know exactly how the restaurant prepares that food, and you don’t really need to.

Similarly, an API lists a bunch of operations that developers can use, along with a description of what they do. The developer doesn’t necessarily need to know how, for example, an operating system builds and presents a “Save As” dialog box. They just need to know that it’s available for use in their app.

This isn’t a perfect metaphor, as developers may have to provide their own data to the API to get the results, so perhaps it’s more like a fancy restaurant where you can provide some of your own ingredients the kitchen will work with.

11
Q

What is the technical definition of API?

A

An API is the implementation of new protocols or features onto an existing software application to alter the way that application is used or accessed.

12
Q

Explain what APIs allow developers to do:

A

APIs allow developers to save time by taking advantage of a platform’s implementation to do the nitty-gritty work. This helps reduce the amount of code developers need to create, and also helps create more consistency across apps for the same platform. APIs can control access to hardware and software resources.

13
Q

How would you separate a monolith into microservices: (4)

A
  1. Separate each component of the monolith by function, moving it into its own machine.
  2. Add communication between each microservice.
  3. Turn the back-end server into an API to interact with more than just the front end.
  4. Rename the rest of the component services to match their main functions.
14
Q

A primary challenge of microservices is _________ and _________ as the application and number of components grow.

A

A primary challenge of microservices is the increase in complexity and required maintenance as the application and number of components grow.

15
Q

What are the benefits of using microservices? (4)

A
  1. Easier to build and maintain apps
  2. Organized around business capabilities
  3. Improved productivity and speed
  4. Flexibility and scalability
16
Q

Microservices require lightweight environments to run on because: (4)

A
  1. Live services need to be deployed quickly.
  2. Multiple copies of a service can be replicated as needed to meet demand.
  3. Developers and maintainers can deploy their own copies of these services locally for their own testing purposes.
  4. Full-sized VMs for each service require more resources and cost more.

This is why we give each service its _own_ lightweight virtual environment.

17
Q

What is the most popular container platform?

A

Docker is the most popular container platform.

18
Q

___________ is the process of packaging all of the requirements to set up a microservice into a container.

A

**Containerization** is the process of packaging all of the requirements to set up a microservice into a container.

19
Q

What is the containerization process? (3)

A
  1. Declares a base operating system for the microservice to run on.
  2. Copies the microservice’s source code to the container.
  3. Sets a command that launches the microservice.
20
Q

This containerization process is declared in a simple text file called a _________?

A

This containerization process is declared in a simple text file called a **Dockerfile**.

21
Q

True or False:

Security issues that the application inherits from the underlying operating system will also exist in a Docker container.

A

True

22
Q

What tool can you use to scan containers for vulnerabilities?

A

Trivy

Trivy is a comprehensive and easy-to-use open source vulnerability scanner for container images. Unlike other open source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines.

23
Q

Scanning container images and Dockerfiles before they are deployed for vulnerabilities is called __________.

A

Scanning container images and Dockerfiles before they are deployed for vulnerabilities is called **vulnerability scanning**.

24
Q

What command-line tool do you need to use to inspect JSON files?

A

jq

25
Q

jq is like ___, but for JSON data. It is used to filter through JSON files and has the same text editing functionalities that are built into sed, awk, and grep.

A

sed

26
Q

JSON is a structured data format that is used ubiquitously within software development ________, ________, and _______.

A

JSON is a structured data format that is used ubiquitously within software development languages, logging, and security.

27
Q

JSON is ________, and its pure data format also makes it the standard for web services and APIs. Those looking into web application security roles should get comfortable using JSON.

A

JSON is language-agnostic, and its pure data format also makes it the standard for web services and APIs. Those looking into web application security roles should get comfortable using JSON.

It is also used in all log aggregators, such as ELK and Splunk. In order to work with other platforms, every log transporter and collector understands and ingests JSON.

28
Q

Fill in the blanks: (JSON)

  • It writes objects as _____ pairs.
  • Data is separated by _______.
  • Curly braces hold _____.
  • Square brackets hold ______.
A
  • It writes objects as key:value pairs.
  • Data is separated by commas.
  • Curly braces hold objects.
  • Square brackets hold arrays.
29
Q

True or False:

A security engineer will often have to filter through JSON logs in order to find the most relevant information for an organization.

A

True

30
Q

Similar to NIDS and HIDS, ___________ detect intrusions on deployed containers.

A

Similar to NIDS and HIDS, **container intrusion detection systems (CIDS)** detect intrusions on deployed containers.

31
Q

True or False:

The attack surface of containers is multiplied by the number of containers deployed.

A

True

32
Q

Falco is an _________ that alerts security professionals of potential intrusion attempts, much like a normal network intrusion detection system.

A

Falco is an open-source CIDS that alerts security professionals of potential intrusion attempts, much like a normal network intrusion detection system.

33
Q

What are some common intrusion behaviors specific to containers? (4)

A
  • A new shell running inside a container. An unknown shell starting in a container is a potential sign that an attacker has gained access to a system and will start executing commands.
  • When sensitive files, such as /etc/shadow, are read. At no point during a container deployment should the contents of /etc/shadow be read. This is a clear sign that an attacker is retrieving the hashed passwords of accounts within the system.
  • Unprompted configuration changes. After an attacker gains access to a system, they will often create a user in order to maintain persistence within that system.
  • File creations at /root or /. At no point during a container’s runtime should new files be created in the / or /root directories. Files created in these directories indicate compromise.