Security reviews and microservices

We love to do security reviews on the projects, products, and services our companies use. Security reviews are one of those ways we can show how important security is. If those reviews didn’t get done we might end up using a service that could put our users and data at risk. Every good horror story involving dinosaurs starts with bad security reviews! It’s a lesson too few of us really take to heart.

The reality is that someone picks a service, we review it, and it will probably still put our data at risk, but it went through a very rigorous review, so we can show how much … review it got? I’m not really sure what that means, but we know that security reviews are really important.

In all seriousness, these reviews are quite complex and fairly important. Doing any sort of review of an application takes a certain amount of knowledge and understanding. There’s a lot of value in making sure you’re not shipping or using something that is a tire fire of security problems. All these rules are going to change, though. The world of microservices is going to make us rethink how everything works.

One security review can take a day or more, depending on what you’re looking for. If something is large enough, it wouldn’t be unreasonable for someone to spend a week going over all the details you need to understand before trusting it with your most important data.

But what happens when we have to review a dozen microservices?

What happens when we have to review a thousand microservices?

We can’t review a thousand microservices. In all seriousness, we probably can’t review a dozen. It’s possible some things can be grouped together in some sane and reasonable manner, but we all know that’s not going to be the norm; it’s going to be the exception.

What do we do now? There are two basic paths we can take. The first is that we spend some quality time crying under our desks. It’s not terribly useful, but it will make you feel better. The second option is to automate the heck out of this stuff.

Humans don’t scale, not even linearly. In fact, adding more humans probably results in worse performance. If you need to review a thousand services you will need an incredible number of people, and any time people are involved there are going to be a lot of mistakes made. There is no secret option three where we just staff up to get this done. Staffing up probably just means you now have two problems instead of one.

Automation is the only plausible solution.

I did some digging into this, and there isn’t a ton of information on automating this sort of process. I find that interesting, as it’s a pretty big problem for most everyone, yet we don’t have a nice way to simplify this process.

I did manage to find a project Google seems to use called VSAQ.

It’s not exactly automation, as a human from the vendor has to fill out a form. Once the details are entered you can do things with the data and results. It puts all the work on the vendor to get things right. I don’t think vendors try to purposely mislead, but mistakes happen. And if you’re using open source, there is no vendor to fill out the form.

Unfortunately, this blog post is going to end without any sort of actionable advice. I had hoped to spend time reviewing options in this space, but I found nothing. So the call to action is two things.

Firstly, if there is something I’m missing, please let me know. Nothing would please me more than a giant “updated” section showing off some tools.

Second, if this is a problem you have, let’s collaborate a bit. This would make a great open source project (I have some ideas I’m already working on; more about those in a future post). The best way is to hit me up on Twitter: @joshbressers