Microservices and security

Common security patterns used in most API architectures

For prospective students of the course “Microservice Architecture”, we have prepared our traditional translation of this material.

We also invite everyone to an open webinar on the topic “Distributed message queues, using Kafka as an example.”


What are microservices?

A microservice is a structural unit in which all data and functions related to any one specific business goal are combined into one service.

Well, this is a fairly general understanding of a microservice, but what do we really mean by it?

As an example, take a Lego set. Yes, you heard right: Lego.

You may remember that when we play with Lego, we start assembling the structure with one single Lego brick.

In the same way that every Lego brick is separate from the others, each microservice is independent, but it is a building block from which something more is created.

Here we can draw a visual parallel between a microservice and a Lego brick.

(Figure: a separate microservice.)
(Figure: the complete application, containing several loosely coupled microservices.)

Benefits of using a microservice architecture

  • Isolation

  • Scalability

  • Performance

  • Flexibility

  • Faster project development

  • Evolvability

There are many more benefits and possibilities of microservices, but we will postpone these for the next time. In this article, we will discuss microservices security patterns.

Microservices security patterns

Layered Defense

In the world of microservices, the term API-led architecture is widely used. API-led architecture implies that we split the entire application into different API levels depending on their area of functionality.

This is how we arrive at the concept of layered defense. By introducing different levels into the application, we also introduce an API gateway for each level.

The presence of multiple API gateways makes it harder for a potential attacker to penetrate deep into the system, because each level enforces its own set of AuthN (authentication) and AuthZ (authorization) policies.

Using Access and Identity Tokens

An access token is an object that encapsulates the security identity of a process or thread.

It contains the security credentials for the logon session and identifies the user, user groups, user privileges, and, in some cases, a specific application.

OAuth and OpenID are specific implementations of this concept.

The most widely used tokens

SAML (Security Assertion Markup Language)

SAML is an open standard that allows identity providers to pass authorization credentials to service providers. With SAML, you can use one set of credentials to log in to many different sites. Managing one login per user is much easier than managing separate logins for each account you have.

JWT (JSON Web Token) and JOSE Family of Standards

JWT is an open standard that defines a compact and self-contained way to securely transfer information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or with a public/private key pair using RSA.

PASETO (Platform-Agnostic SEcurity TOken)

PASETO is a cryptographically secure, compact, URL-safe representation of claims, designed for space-constrained environments such as HTTP cookies, HTTP Authorization headers, and URI query parameters. PASETO encodes the claims to be transferred as a JSON object, which is then either encrypted with a symmetric key or signed with a public-key signature.

The key difference between PASETO and the JOSE family of standards is that JOSE lets developers and users mix and match their own choice of cryptographic algorithms (indicated by the “alg” header in the JWT), whereas PASETO has well-defined protocol versions that prevent unsafe configurations from being chosen.
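As an added example (not code from the original article), here is a minimal HS256 issuer and verifier in plain Python that makes the point above concrete: the verifier fixes the algorithm itself instead of trusting the token's “alg” header, so a token whose header was rewritten to “none” or whose payload was edited after signing is rejected. The key, claims and tokens are constructed demo values.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    # JWT parts use unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    # Issuer side: HMAC-SHA256 over "header.payload"
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Verifier side: the algorithm is fixed here, never taken from the token's header
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # "none" or any other algorithm is rejected before any crypto runs
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

# Constructed sample values for the demo (not a real key or user)
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"
DEMO_CLAIMS = {"sub": "user-42", "scope": "orders:read"}

def demo() -> dict:
    token = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    h, p, s = token.split(".")
    # Negative case 1: payload edited after signing, so the signature no longer matches
    tampered = h + "." + encode_part({"sub": "user-42", "scope": "orders:admin"}) + "." + s
    # Negative case 2: header rewritten to alg "none" with an empty signature
    unsigned = encode_part({"alg": "none", "typ": "JWT"}) + "." + p + "."
    return {"valid": verify_hs256(token, DEMO_KEY), "wrong_key": verify_hs256(token, b"other-key"),
            "tampered": verify_hs256(tampered, DEMO_KEY), "alg_none": verify_hs256(unsigned, DEMO_KEY)}
```

Calling demo() returns the original claims only for the untouched token; the other three cases yield None. A real deployment would additionally check registered claims such as exp and aud, which this minimal verifier leaves out.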

Security in code

Here we discuss the basic style and standards for writing API code. Every piece of API code should be written so that all possible vulnerabilities are avoided by design. If it is not possible to avoid vulnerabilities entirely, then your API should at least avoid the ten most critical vulnerabilities published by OWASP (the OWASP Top 10).

Dependency Scan

Since most modern APIs are packaged and deployed in the cloud as containers, it is very important to scan every dependency used to support API operations for known vulnerabilities.

(Figure: vulnerabilities discovered in Docker Hub images.)

Using HTTPS

SSL is a protocol for securing traffic over a connection. By using SSL, HTTPS prevents attackers and eavesdroppers from reading the traffic of web application services. HTTPS is essentially HTTP over SSL. SSL establishes an encrypted connection using an SSL certificate, also known as a digital certificate.


Learn more about the course “Microservice Architecture”.

Watch the open webinar on the topic “Distributed message queues, using Kafka as an example.”
