Crashtest Security Blog

Microservice Security - What you need to know

Aug 14, 2020 1:46:19 PM / by Hitesh Raja

A microservice architecture, often referred to simply as microservices, is a set of services that are grouped together to implement an application. Lately, development teams prefer microservices because they facilitate continuous delivery for large applications and adapt easily to the organisation’s needs as its technology evolves and scales up, with very minimal effort.


Monolithic applications are a single-tier structure, which makes them easier to stand up quickly, and they integrate reliably with well-known integrated development environments (IDEs), frameworks, and tools. However, as monolithic applications age, their shortcomings begin to show.

As engineers move on to modern applications, they take with them their intimate knowledge of the application's interdependencies. This makes it very difficult to move development forward at the pace required by the organisation.

By segmenting the application’s functions in a microservice architecture, engineers can more easily understand the structure, which lets them move quickly and keep development going.

Security at an API gateway calls for methods more scalable than centralized session management. These gateways typically handle authentication and authorization for the microservices, ensuring that a user is who they claim to be and that they are allowed to access a service. To stay effective, security teams need to restructure their security models to account for an adversary in front of the API gateway without forgetting attackers that target a single microservice directly.

With security being a constant and complex challenge for organizations switching to microservices, a cultural shift and a new mindset are necessary foundations for a functioning security strategy. Security, operations, and development personnel need to cooperate across functions in a DevSecOps arrangement that prevents security from taking a back seat to the development of new capabilities. Teams can apply security principles while developing their code and have their code peer reviewed for security concerns prior to deployment.

Microservices Architecture Growth Chart

The Microservices Architecture market continues to grow year on year (Market Research Future)

Of course, there are also a number of architectural considerations for deploying a secure microservices model, which are explained below:

Securing Access Points With OAuth2 and OpenID Connect

Many security analysts advise against starting from scratch and recommend using OAuth2 and OpenID Connect to delegate authorization management to a third party or to a single (internal) authentication service. Using existing libraries and functions shortens development time and makes the work easier. By the same token, several solutions for improving the security level of an OAuth-based authorization service have already been built by some of the biggest companies and smartest engineers around.

Use Defence in Depth

"Defense in depth" is defined as "an information assurance concept in which multiple layers of security controls (defense) are placed throughout an information technology system."

You need to identify your most sensitive services and deliberately apply a number of different layers of security to them, so that an attacker who manages to break through one of your security layers still has to get past the others.

Microservices make it easier to adopt this strategy in a very fine-grained and targeted way: you can focus your security efforts and resources on specific microservices. The architecture also lets you vary the layers of security you adopt on each microservice, so an attacker who is able to exploit one of your services will not necessarily be able to work out how to exploit the next one.

Don’t write your own crypto code

When it comes to security, you shouldn't try to roll your own solutions and algorithms unless you have strong and specific reasons to, and you have people skilled enough to create something at least as good as the open source tools already available.

Get your containers out of the public network

An API gateway establishes a single entry point for all requests coming from all clients and provides a single interface to all of your microservices.

By using this technique you can secure all of your microservices behind a firewall, allowing the API gateway to handle external requests and then talk to the microservices behind the firewall.
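As an added example (not code from the post or from Crashtest Security) that ties together the OAuth2/OpenID Connect, defence-in-depth and API gateway sections above: a microservice that verifies the access token itself rather than trusting that the gateway already did, so an attacker who reaches the service directly behind the firewall still runs into the same checks. The issuer, audience and HS256 shared secret are constructed placeholders; real providers normally sign with RS256/ES256, but the checks are the same.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values (assumptions, not from the post): a shared HMAC secret stands in for
# the provider's signing key. Real OAuth2/OIDC tokens are usually RS256/ES256 verified via
# the provider's JWKS, but the validation steps below are identical.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://auth.example.internal"
AUDIENCE = "orders-service"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Create a signed JWT; used here only to build sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate the token inside the service itself, not only at the gateway.
    Returns the claims, or None if any layer (alg pin, signature, iss, aud, exp, scope) fails."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if required_scope not in str(claims.get("scope", "")).split():
        return None
    return claims
```

Because the service checks issuer, audience, expiry and scope on its own, a token stolen from or minted for a different service is rejected even if the gateway forwarded it.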

Use security scanners for your microservices

Our automated testing suite can include periodic vulnerability and security scanning for your containers, and we have been able to demonstrate comparatively better scan depth on clients’ systems. You can check out our product and its features here and try out a free 14-day trial here.

Continuous Security

The best solution for microservice security is continuous security that is as flexible and agile as your development. The Crashtest Security Suite can already run vulnerability scans for microservice projects with our API scanner. In the coming weeks we will release a new Microservice Scan Target to give you even more control, providing a vulnerability scanning solution designed specifically for microservices.

Subscribe to our newsletter below to be the first to know about new product features and upcoming news on Microservice Security.
