Introduction to Security of Microservices
A microservice is a very small, independent process that communicates and returns messages through mechanisms such as Thrift, HTTPS, and REST APIs. A microservices architecture is the combination of many such small processes that together form an application. In a microservices architecture, each process is represented by multiple containers. Each individual service is designed for a specific function, and all services together build the application.
Now let's discuss the actual point: security in a microservices architecture. Nowadays many applications rely on external services, and with this growing demand there is a need for quality software development and architecture design. Systems administrators, database administrators, cloud solution providers, and the API gateway are the basic services an application depends on. Security of microservices mainly focuses on designing secure communication between all the services the application implements.
How To Secure Microservices:
(1) Password Complexity:
Password complexity is an important security feature. The mechanism implemented by the developer must force the user to create a strong password during account creation. All password characters must be checked to reject weak passwords that consist only of letters or only of numbers.
(2) Authentication Mechanism:
Authentication is sometimes not treated as a high priority when security features are implemented. It is important to lock a user's account after a small number of failed login attempts. Rate limiting must be implemented on login to prevent brute-force attacks. If the application uses any external service, all APIs must require an authentication token so that no one can interfere with the user's communication with the API endpoint. Use multi-factor authentication in microservices to avoid username enumeration during login and password reset.
(3) Authentication Between Two Services:
A man-in-the-middle attack may occur during service-to-service communication. Always use HTTPS instead of HTTP: HTTPS ensures that data is encrypted between the two services and also provides additional protection against external entities intercepting the traffic between client and server.
It is difficult to manage SSL certificates on servers in multi-machine scenarios, and issuing a certificate for every device is very complex. A secure solution is HMAC over HTTPS: a hash-based message authentication code computed with a shared secret is used to sign each request, so the receiving service can verify that the request came from a service holding the secret and was not modified in transit.
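The HMAC request signing described above, as an added example that is not part of the original article. It assumes the two services share a secret distributed out of band; the header names X-Timestamp and X-Signature, the clock-skew window and the sample request are all constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret shared out of band by the two services.
# In practice it comes from a secrets manager, never from source code.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds; limits how long a captured request can be replayed


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the signature to method, path, time and body so that changing
    any one of them invalidates the signature."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None):
    """Caller side: returns the headers to attach to the outgoing request."""
    timestamp = int(now if now is not None else time.time())
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, secret=SHARED_SECRET, now=None):
    """Receiver side: recompute the MAC over what was actually received
    and compare it in constant time with the presented signature."""
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False  # unsigned or malformed request
    current = int(now if now is not None else time.time())
    if abs(current - timestamp) > MAX_CLOCK_SKEW:
        return False  # stale or future-dated: treat as a possible replay
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # compare_digest prevents leaking the expected MAC through timing differences
    return hmac.compare_digest(expected, presented)
```

The signature should still travel over HTTPS: HMAC authenticates and integrity-protects the request but does not encrypt it.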
(4) Securing Data at Rest:
It is very important to secure data that is not currently in use. If the environment and the network are secure, we assume attackers cannot reach stored data, but this is not the case: there are many examples of data breaches in protected systems caused only by weak protection of stored data. All endpoints where data is stored must be non-public. Also, take care of API keys during development: all API keys must stay secret, because leakage of a private API key also exposes sensitive data publicly. Don't expose any sensitive data or endpoints in the source code.
(5) Penetration Testing:
It is always good practice to consider security features within the software development life cycle itself, but in practice this does not always happen, so it is important to perform penetration testing on the application after the final release. OWASP publishes a set of important attack vectors; always test for these during penetration testing of the application. Some of the important attack vectors are listed below.
- SQL Injection.
- Cross-Site Scripting (XSS).
- Sensitive Information Disclosure.
- Broken Authentication and Authorization.
- Broken Access Control.