You are here

App security in the microservices age: 4 best practices

public://pictures/Robert-Lemos-Technology-Journalist-Lemos-Associates.jpg
Robert Lemos, Freelance writer

In striving to develop applications more quickly — and to simplify service management and deployment—companies are increasingly adopting continuous integration and continuous delivery (CI/CD) models.

More than three-quarters of organizations are adopting DevOps to gain the ability to quickly develop and deploy software, for example. And more than 40 percent of companies are focused on a cloud-first strategy, according to RightScale's 2017 State of the Cloud Report.

Such development efforts naturally lead to turning application components into so-called microservices—manageable, cloud-based software services that can be developed and deployed by a handful of developers. Microservices allow smaller development teams to take full responsibility for the creation, deployment and maintenance of each service.

But microservices typically have a larger attack surface area than do applications based on monolithic platforms, and the speed at which they are developed can lead to more vulnerabilities. If you don't take these development challenges into account, microservices can be quite insecure.

"[There are] a lot more ways to get into a distributed microservice application," said Owen Garrett, head of product for NGINX. 

"With such an attack surface, the developer has to think a lot more broadly—there are a lot more components that need to be secured and there are a lot more ways for unexpected inputs to come in."
Owen Garrett

When adopting microservices, companies should follow four guiding principles.

[ Is it time to rethink your release management strategy? Learn why Adaptive Release Governance is essential to DevOps success (Gartner). ]

1. Use isolation to enhance security

Design microservices to have minimal attack surface areas by creating a limited application programming interface (API) for each service that is secure and exposes only necessary functionality. Developers should strive to use isolation and API security measures—such as transport layer security (TLS) encryption and strong API keys—to create secure communication and authentication among services.

Developers who do not focus on minimizing the attack surface area will find that their infrastructure inevitably gets more complicated, which could give attackers more opportunities to find application weaknesses, said David Syer, a Spring engineer at agile cloud software provider Pivotal.

"But remember that all challenges are also opportunities. The fact that you have split things up gives you opportunities to isolate things in different ways."
David Syer

2. Track your open-source components

The most popular platforms for cloud-based services are based on open-source components and third-party libraries. Developers who use these stacks need to assiduously update and maintain each microservice. On the plus side, updating microservices is generally more straightforward, because each service is simpler and involves fewer libraries and components. On the other hand, the interplay among microservices can lead to vulnerabilities, especially if the developers do not clearly communicate the impact of updates.

Overall, it's a lot more fragile when you consider the possibility of exploits or flaws creeping in as a part of the stack or the third-party components that you are using, Garrett said.

"The technology stack and the resulting dependencies are vastly multiplied in a microservice environment compared to a monolithic environment."
—Garrett

[ Get Report: The Top 20 Continuous Application Performance Management Companies ]

3. Build security in from the beginning

While the ad-hoc deployment of microservices can quickly become complex and hard to secure, a bit of forethought and design consideration can help create a more secure platform. It's important to simplify microservices to reduce code complexity and increase—one would hope—the quality of code.

In addition, developers should not try to create the fundamental security building blocks—such as communications encryption, authentication or API security. Instead, use TLS, manage application secrets and encrypt important data at rest.

"Think about threats, and in particular what you would do to recover from a breach."
—Syer

4. Automation is key

Security also has to move as quickly as the agile development process, which means that it is absolutely critical that security processes are integrated into the CI/CD pipeline. Developers cannot afford to have any manual processes for checking and validating security, because changes are deployed so frequently, said Garrett.

"You should add automated scanners to your process to check, as often as possible, if there are any regressions or unexpected behaviors," he said. "You need a global view to understand the architecture of the applications, and what vulnerabilities need to be fixed."

Moving to microservices does have a lot of pitfalls, but—if done right—the rewards are faster updates and feature deployments, more manageable infrastructure and more security, Garrett said. Developers should work with security to design the architecture, make measurable metrics—such as time to push out new features and fix problems—and start a pilot program.

"It's a journey. From a high level, it is absolutely critical to map out the journey with steps that are achievable."
—Garrett

Microservices: Key to digital transformation

Syer said microservices are important to organizational transformation. "You do it to keep team boundaries where you want them, and to allow features to be developed independently and quickly," he said.

Done right, microservices can allow companies to create reusable cloud-based services that can be quickly deployed and updated. Each development team can use its preferred platform without negatively affecting the overall microservices architecture, and the infrastructure can scale quickly.

Two more advantages of microservices: Smaller development teams—"two-pizza teams," which are small enough to be fed by two pizzas—and simpler codebases, said Garrett. "If the right practices are followed correctly, then you get two security benefits," he explained. "Because the traffic is more API-like, you can more easily use automated scanning, and because of the separation of concerns, you generally can have a more secure architecture." 

[ Get Report: Buyer’s Guide to Software Test Automation Tools ]