Introduction to Security of Microservices
A microservice is a small, independent process that communicates with other services and returns messages through mechanisms such as Thrift, HTTPS or a REST API. A microservices architecture is a collection of many such small processes that together form an application. In a microservices architecture each process may be represented by multiple containers. Each individual service is designed for a specific function, and all the services together build the application.
Now let us discuss the actual point of security in a microservices architecture. Today many applications use external services to build their functionality, and with this growing demand there is a need for quality software development and architecture design. System administrators, database administrators, cloud solution providers and API gateways are the basic services used by such an application. Security of microservices mainly focuses on designing secure communication between all the services that the application uses.
How To Secure Microservices:
(1) Password Complexity:
Password complexity is a very important part of the security features. The mechanism implemented by the developer must enforce that users create a strong password when creating an account. All characters of the password must be checked so that weak passwords consisting only of letters or only of numbers are rejected.
(2) Authentication Mechanism:
Sometimes authentication is not considered a high priority while implementing security features. It is important to lock a user's account after a small number of failed login attempts. Rate limiting must be implemented on login to prevent brute-force attacks. If the application uses any external service, every API call must carry an authentication token so that users cannot interfere with the communication at the API endpoint. Use multi-factor authentication in microservices to prevent username enumeration during login and password reset.
(3) Authentication Between Two Services:
A man-in-the-middle attack may happen during service-to-service communication. Always use HTTPS instead of HTTP: HTTPS ensures that the data is encrypted between the two services and also provides additional protection against external entities intercepting the traffic between client and server.
It is difficult to manage SSL/TLS certificates on servers in a multi-machine scenario, and it is very complex to issue a certificate to every device. A secure alternative is HMAC over HTTPS: an HMAC (hash-based message authentication code) computed with a secret shared by the two services is used to sign each request, so the receiving service can check that the request came from a holder of the secret and was not modified in transit.
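As an added example (not part of the original article), the following Python code shows the HMAC request-signing scheme described above: the calling service signs the method, path, body hash and a timestamp with the shared secret, and the receiving service recomputes the MAC, compares it in constant time and rejects stale timestamps to limit replay. The secret, header names and path are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample secret shared by the two services (not a real key).
SHARED_SECRET = b"example-shared-secret-change-me"
# Requests whose timestamp differs from the receiver's clock by more than this are rejected.
MAX_SKEW_SECONDS = 300


def canonical_message(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Build the exact byte string both sides sign: method, path, SHA-256 of body, timestamp."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}".encode()


def sign_request(method: str, path: str, body: bytes, secret: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Caller side: compute HMAC-SHA256 over the canonical message; returns headers to send."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_message(method, path, body, ts), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: Dict[str, str],
                   secret: bytes, now: Optional[int] = None) -> bool:
    """Callee side: reject missing/stale headers, recompute the MAC and compare in constant time."""
    try:
        ts = int(headers["X-Timestamp"])
        sent_mac = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # replayed or badly skewed request
    expected = hmac.new(secret, canonical_message(method, path, body, ts), hashlib.sha256).hexdigest()
    # compare_digest avoids the timing side channel of a plain == comparison
    return hmac.compare_digest(expected, sent_mac)


if __name__ == "__main__":
    hdrs = sign_request("POST", "/orders", b'{"id": 1}', SHARED_SECRET)
    print(verify_request("POST", "/orders", b'{"id": 1}', hdrs, SHARED_SECRET))   # True
    print(verify_request("POST", "/orders", b'{"id": 2}', hdrs, SHARED_SECRET))   # False (body changed)
```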
(4) Securing Data at Rest:
It is very important to secure data that is not currently in use. If the environment and the network are secure, we may think that an attacker cannot reach the stored data, but this is not the case: there are many examples of data breaches in protected systems caused only by weak protection of the stored data. All endpoints where data is stored must be non-public. Also, take care of API keys during development: every API key must be kept secret, because leakage of a private API key also leads to exposure of sensitive data. Do not expose any sensitive data or endpoints in source code.
(5) Penetration Testing:
It is always good practice to consider security features within the software development life cycle itself, but in general this is not always done. Because of this it is important to perform penetration testing on the application after the final release. OWASP publishes a list of important attack vectors; always try these during the penetration testing of the application. Some of the important attack vectors are mentioned below.
- SQL Injection.
- Cross Site Scripting (XSS).
- Sensitive Information Disclosure.
- Broken Authentication and Authorization.
- Broken Access Control.