2023-05-18, 16:00–16:30, Ville-Marie
gRPC/gRPC-Web, although a newer protocol, can expose a larger attack surface than plain HTTP/1.1 REST through application-level service misconfigurations. In this talk we enumerate the new attack vectors these misconfigurations open up, such as an HTTP/2 downgrade that allows request smuggling, or failing to disable reflection. We then present a complete code configuration for a secure, generic gRPC service that leverages an automatically generated Kubernetes authentication service, with an interceptor delegating to an authorization engine, to simplify complex access delegation using the open source Ory engines. Finally, we cover in-depth application-level problems with currency, math and conversions to watch out for.
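As an illustration of the currency and conversion pitfalls the abstract mentions, the following Go program is an added example and not code from the talk or from Pvotal Technologies. It assumes a money representation shaped like the common google.type.Money protobuf message (currency code, whole units, nanos with the same sign as units); the validation, parsing and checked addition are written here for the example. The float64 sum shows the rounding drift a service inherits when it does arithmetic on decoded doubles, while the integer path validates client-supplied amounts, keeps the sign invariant, and refuses to wrap on int64 overflow.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Money mirrors the shape of google.type.Money as used by many gRPC APIs:
// a currency code, whole units, and nanos in (-1e9, 1e9) with the same sign
// as units. Integers avoid the binary rounding that float64 prices suffer.
type Money struct {
	CurrencyCode string
	Units        int64
	Nanos        int32
}

const nanosPerUnit = 1_000_000_000

var (
	ErrOverflow         = errors.New("money: int64 overflow")
	ErrCurrencyMismatch = errors.New("money: currency mismatch")
	ErrBadAmount        = errors.New("money: malformed amount")
)

// Validate rejects amounts that decode fine as protobuf but are not canonical
// money: nanos out of range, or nanos and units disagreeing in sign.
func Validate(m Money) error {
	if m.Nanos <= -nanosPerUnit || m.Nanos >= nanosPerUnit {
		return ErrBadAmount
	}
	if (m.Units > 0 && m.Nanos < 0) || (m.Units < 0 && m.Nanos > 0) {
		return ErrBadAmount
	}
	return nil
}

func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// ParseMoney converts a decimal string such as "19.99" to Money without ever
// passing through float64. Up to 18 whole and 9 fractional digits are accepted.
func ParseMoney(code, s string) (Money, error) {
	neg := strings.HasPrefix(s, "-")
	s = strings.TrimPrefix(s, "-")
	whole, frac, _ := strings.Cut(s, ".")
	if frac == "" {
		frac = "0"
	}
	if !isDigits(whole) || !isDigits(frac) || len(whole) > 18 || len(frac) > 9 {
		return Money{}, ErrBadAmount
	}
	units, err := strconv.ParseInt(whole, 10, 64)
	if err != nil {
		return Money{}, ErrBadAmount
	}
	// Right-pad the fraction to nine digits so "0.1" and "0.100000000" agree.
	nanos, _ := strconv.ParseInt(frac+strings.Repeat("0", 9-len(frac)), 10, 64)
	if neg {
		units, nanos = -units, -nanos
	}
	return Money{CurrencyCode: code, Units: units, Nanos: int32(nanos)}, nil
}

// addInt64 detects the wrap-around Go performs silently on signed overflow.
func addInt64(a, b int64) (int64, bool) {
	s := a + b
	if (b > 0 && s < a) || (b < 0 && s > a) {
		return 0, false
	}
	return s, true
}

// Add sums two amounts with a carry from nanos into units, refusing mixed
// currencies, non-canonical inputs and overflow instead of producing garbage.
func Add(a, b Money) (Money, error) {
	if a.CurrencyCode != b.CurrencyCode {
		return Money{}, ErrCurrencyMismatch
	}
	if err := Validate(a); err != nil {
		return Money{}, err
	}
	if err := Validate(b); err != nil {
		return Money{}, err
	}
	units, ok := addInt64(a.Units, b.Units)
	if !ok {
		return Money{}, ErrOverflow
	}
	nanos := int64(a.Nanos) + int64(b.Nanos) // in (-2e9, 2e9), so at most one carry
	if units, ok = addInt64(units, nanos/nanosPerUnit); !ok {
		return Money{}, ErrOverflow
	}
	nanos %= nanosPerUnit
	// Re-establish the invariant that units and nanos share a sign.
	if units > 0 && nanos < 0 {
		units, nanos = units-1, nanos+nanosPerUnit
	} else if units < 0 && nanos > 0 {
		units, nanos = units+1, nanos-nanosPerUnit
	}
	return Money{CurrencyCode: a.CurrencyCode, Units: units, Nanos: int32(nanos)}, nil
}

// FloatSum is the anti-pattern: accumulating prices as float64.
func FloatSum(prices []float64) float64 {
	var s float64
	for _, p := range prices {
		s += p
	}
	return s
}

func main() {
	// Constructed input: ten line items of 0.10 each.
	ten := make([]float64, 10)
	dime, _ := ParseMoney("USD", "0.10")
	total := Money{CurrencyCode: "USD"}
	for i := range ten {
		ten[i] = 0.10
		total, _ = Add(total, dime)
	}
	fmt.Printf("float64 total: %v (equals 1.0: %t)\n", FloatSum(ten), FloatSum(ten) == 1.0)
	fmt.Printf("money total:   %+v\n", total)
}
```

Running it shows the float64 total landing a hair below 1.0 while the integer path yields exactly one unit and zero nanos; the same Validate call is what a server-side interceptor would apply to every incoming amount before any arithmetic.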
Spearheading the technology and development methodology at Pvotal Technologies, centered around event-driven, asynchronous Go gRPC microservices in the backend. On the front end, we develop cross-platform with Flutter using the BLoC pattern to interact with our backends over gRPC and gRPC-Web. Everything is orchestrated strictly as infrastructure as code on GKE or locally using K3d.