Security is often seen as an abstract concept, a separate concern from everyday development. However, with the shift in architecture and the increasing adoption of microservices, it is essential to factor it into your development iterations. At Voxxed Days Bristol, Kate Stanley is giving a practical example of how to secure microservices. She will look at how to utilise industry-wide standards such as OAuth2 and OpenID Connect. We asked Kate what the special concerns are with microservices.
How has the threat landscape changed as stacks shift from applications on in-house servers to microservice applications in the cloud?
As developers move their applications from running on in-house servers to the cloud, the number of interactions increases and the security of those interactions becomes a concern. In the past, interactions between different parts of an app wouldn’t even leave the server the app was running on. Now not only are requests being made from server to server, the endpoints are also public. Every single endpoint you expose, whether you expect it to be used externally or not, must be secured.
What are the unique challenges in the process of securing microservices, compared to monoliths?
A microservice architecture has more moving parts than a monolithic application, resulting in more requests and a higher likelihood of change. Every request between services must be validated to prevent unauthorized access to services and to prevent malicious attacks. More than anything this requires a change in mindset for developers. Security isn’t just a DevOps concern, it must be built into your application design.
Is it possible to take a TDD approach to securing microservices?
A TDD approach to securing microservices is definitely possible; in fact, I would go further and say it is essential. It should be something that you start to consider as soon as you begin discussions about the architecture of your application, before even writing any code. This is much easier than trying to build security in around your existing app. It also reduces the chance of you missing something and leaving a security hole.
How do you go about testing your group of microservices for vulnerabilities? What kind of vulnerabilities do you look for?
The majority of the vulnerabilities in a microservice system occur on the APIs between microservices. You still need to look at the public endpoints of your application. However, the majority of traffic will probably be between services. When services are communicating, consider how you can both verify that you trust the service making the request and that the request hasn’t been changed in transit. In addition to running tests against your code, consider running tests against your production system to see how it handles invalid requests.
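The two checks Kate describes for service-to-service calls, verifying who is calling and that the request was not altered in transit, can be written as a single request-signing step. The following is an added example, not code from Kate's talk or from any project she mentions: it uses a per-service shared HMAC secret as a stand-in for the OAuth2/OpenID Connect tokens the talk covers, and the service names, paths and secrets are constructed for illustration. The callee checks the caller's identity, the signature, the token's validity window, the endpoint the token was issued for, and a hash of the body, and reports which check failed so the rejection can be logged.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets, one per calling service. In a real deployment these would
# be distributed by a secrets manager or replaced by OAuth2/OIDC-issued tokens.
SERVICE_KEYS = {
    "orders": b"constructed-orders-secret",
    "billing": b"constructed-billing-secret",
}
TOKEN_TTL_SECONDS = 60  # short lifetime limits the replay window


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request(caller: str, method: str, path: str, body: bytes, now: int) -> dict:
    """Caller side: bind identity, target endpoint, body hash and a validity window
    into one HMAC-signed token that travels with the request."""
    claims = {
        "iss": caller,
        "method": method,
        "path": path,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVICE_KEYS[caller], payload.encode(), hashlib.sha256).digest()
    return {"token": f"{payload}.{_b64url(sig)}", "body": body}


def verify_request(envelope: dict, method: str, path: str, now: int, allowed_callers: set) -> tuple:
    """Callee side: returns (accepted, reason). Every rejection names the failed
    check so it can be logged; nothing is trusted until the signature holds."""
    try:
        payload, sig_b64 = envelope["token"].split(".")
        claims = json.loads(_b64url_decode(payload))
        presented_sig = _b64url_decode(sig_b64)
    except (KeyError, ValueError):
        return False, "malformed token"
    caller = claims.get("iss")
    if caller not in allowed_callers or caller not in SERVICE_KEYS:
        return False, "unknown or unauthorised caller"
    expected_sig = hmac.new(SERVICE_KEYS[caller], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):  # constant-time compare
        return False, "bad signature"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    if claims.get("method") != method or claims.get("path") != path:
        return False, "token bound to a different endpoint"
    if claims.get("body_sha256") != hashlib.sha256(envelope["body"]).hexdigest():
        return False, "body modified in transit"
    return True, "ok"


if __name__ == "__main__":
    # Constructed call from the orders service to billing's /charge endpoint.
    env = sign_request("orders", "POST", "/charge", b'{"order_id": 42}', now=1000)
    print(verify_request(env, "POST", "/charge", now=1010, allowed_callers={"orders"}))
    tampered = dict(env, body=b'{"order_id": 43}')
    print(verify_request(tampered, "POST", "/charge", now=1010, allowed_callers={"orders"}))
```

Binding the method and path into the token stops a token captured on one endpoint from being replayed against another, and the body hash is what catches in-transit modification. The short expiry only narrows the replay window; a callee that must reject exact replays within that window would additionally record seen token identifiers.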
For more, see Kate’s talk at Voxxed Days Bristol.