Friday, February 19, 2016

NIST Defines Microservices, Application Containers and System Virtual Machines


I'm back on about microservices again, as I was in my
last post, Microservices and Linters. Because yesterday NIST released a draft of Definition of Microservices, Application Containers and System Virtual Machines, which you can see at

I have problems with it. The public comments period runs through 2016-03-18, and a comment template is available at the link above. If you don't read many NIST drafts, note that line numbers are part of the document. While that is useful if you catch a typo, or take exception to one statement, it is less useful if you take exception to the entire thing, to the extent of labeling it FUBAR.

That is, of course, just one opinion. I could make a claim about not wanting to bias any opinions, but then I've just done that, to at least some extent. This is mostly about not even knowing where to start, regarding this specific document.

I still regard microservices as something that is not nearly as widely deployed as one might think, given the trade press hype coverage. But it might be nice if, for once, security considerations might be taken into account early in the game. Yes, that is a forlorn hope, but even long odds will come home, given enough time.

Bur, srsly.  "Microservices are built around capabilities as opposed to services..."? Wut? I am not at all convinced that we have a robust system, Linux or otherwise, based on the capabilities security model. Because

  • the capabilities security model is still a current research topic
  • implementations will contain flaws or a long time to come
  • all microservices architectures I have seen have been composed around the services (function) model

In this case, NIST seems to muddy the water through poor definitions. Particularly as it seems unlikely that wide awareness of capabilities-based security models, even as a research topic, exists at all within the wider software developer community. I've certainly seen little evidence for it, for whatever that might be worth.

Perhaps their usage of 'capabilities' was all about a possibly rapid evolution of APIs in containerized software, and not the capabilities security model. But rapid replacement of containerized software is about far more than API changes. Rather importantly, they are also about bug fixes. A percentage of which have always been exploitable, and as these are inherently remotely-accessible, would tend to have severity numbers reflecting that broad attack surface.

A lack of clarity over what, exactly, 'capabilities' might mean, in a NIST publication with 'Definition' in the title is, in and of itself, a problem.

Of course this is just anecdotal, from some random security worker. Not even remotely real evidence. So please ask around in your own organization, form your own conclusions, and comment on 800-180, if at all, as you see fit.

UUID: 92ce460e-58a6-4fd1-b3ed-d44f2d9c0183