Explore gRPC security challenges and solutions in this 31-minute conference talk from NorthSec. Delve into the expanded attack surface of gRPC/gRPC-web compared to traditional HTTP/1.1 REST, focusing on applicative service misconfigurations. Examine new attack vectors arising from issues like HTTP/2 downgrade and disabled reflection. Discover a comprehensive code configuration for securing generic gRPC services, featuring an automatically generated Kubernetes authentication service with an interceptor to an authorization engine. Learn how to simplify complex access delegation using open-source Ory engines. Gain insights into critical applicative issues related to currency, math, and conversions that demand attention in gRPC implementations.
Syllabus
NSEC2023 - gRPC security with less effort
Taught by
NorthSec