[Owasp-community] Threat Models and Microservices

steve.springett at owasp.org
Wed Jul 8 23:04:01 UTC 2015

I'll be conducting a series of threat models next week for my employer for cloud-based microservices. Architecturally these are completely different from traditional applications, webapps, or mobile apps that I'm used to modeling.

Some services are specific to an application that consumes them; other services are generic, and the use of them may be unknown or vary widely depending on the application consuming them.

Does anyone have advice or best practices for threat modeling microservices? My thinking is that I may have to perform threat modeling on each of the microservices, then on to the applications themselves. It's my assumption that microservices will require much more thought (security-wise) than other architectural patterns.

