Service Mesh Security: Shifting Focus to the Application Layer
Daniel Popescu
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
After years of failed attempts to bolt security onto Yelp's service mesh at the infrastructure layer, security group tech lead Daniel Popescu and his team pivoted to the application layer — using JWTs, Open Policy Agent, and shared middleware libraries to achieve robust service-to-service authentication and authorization with under 5 milliseconds of added latency at the 95th percentile.

---
AI review
Nine years of failed infrastructure-layer security attempts at Yelp, finally resolved by abandoning the elegant solution and shipping the pragmatic one. The JWT + OPA + YAML abstraction layer that achieves under 5ms p95 overhead across hundreds of microservices is a real engineering accomplishment, and the talk traces the failure path honestly enough to be genuinely educational.
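To make the abstract's design concrete, here is an added illustration (not code from the talk or from Yelp) of what an application-layer service-to-service check looks like when it is folded into shared middleware: the caller presents a JWT naming itself and the destination service, the receiving side verifies the signature, algorithm, expiry and audience, and a policy table decides which caller may hit which route. Everything here is an assumption for the example: the HS256 shared-secret signing (a real mesh would use per-service keys), the `POLICY` dict standing in for the YAML-defined rules the talk says are fed to OPA, and the service and route names. Only the Python standard library is used so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real deployment would use
# per-service signing keys distributed by the mesh, not one shared value.
SHARED_SECRET = b"demo-shared-secret-not-for-production"

# Constructed policy, assumed to mirror what a YAML rule set would express:
# service -> caller -> list of "METHOD route-template" the caller may use.
POLICY = {
    "reviews-service": {
        "web-frontend": ["GET /reviews", "GET /reviews/{id}"],
        "moderation-worker": ["GET /reviews/{id}", "POST /reviews/{id}/flag"],
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer_service: str, audience_service: str, ttl_seconds: int = 60, now=None) -> str:
    """Caller side: issue a short-lived HS256 JWT bound to one destination service."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer_service, "sub": issuer_service, "aud": audience_service,
              "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_audience: str, now=None):
    """Middleware side: return the claims if the token is valid for this service, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; reject "none" and alg confusion
        return None
    expected_sig = hmac.new(SHARED_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):  # constant-time compare
        return None
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("aud") != expected_audience:  # a token for another service is not valid here
        return None
    if claims.get("exp", 0) <= now:  # expired tokens are rejected
        return None
    return claims


def authorize(service: str, caller: str, method: str, route: str) -> bool:
    """Policy decision: is this verified caller allowed on this route of this service?
    `route` is the matched route template (e.g. "/reviews/{id}"), as a router would supply it."""
    allowed = POLICY.get(service, {}).get(caller, [])
    return f"{method} {route}" in allowed


def handle_request(service: str, token: str, method: str, route: str, now=None):
    """Combined middleware decision, returned as (status_code, reason)."""
    claims = verify_token(token, expected_audience=service, now=now)
    if claims is None:
        return 401, "unauthenticated"
    caller = claims["sub"]
    if not authorize(service, caller, method, route):
        return 403, f"{caller} not allowed {method} {route}"
    return 200, f"ok:{caller}"


if __name__ == "__main__":
    t = mint_token("web-frontend", "reviews-service")
    print(handle_request("reviews-service", t, "GET", "/reviews"))
    print(handle_request("reviews-service", t, "POST", "/reviews/{id}/flag"))
```

The authentication step answers "which service is calling me" and the policy step answers "may it do this"; keeping them as two separate functions is what lets the policy layer be swapped for an external engine such as OPA without touching the token verification, and pinning `alg`, checking `aud` and `exp`, and comparing signatures in constant time are the checks that most often go missing when this logic is hand-rolled per service instead of living in one shared library.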