Book description
Unlike traditional enterprise applications, microservices applications are collections of independent components that function as a system. Securing the messages, queues, and API endpoints requires new approaches to security both in the infrastructure and the code. Microservices Security in Action teaches you how to address microservices-specific security challenges throughout the system. This practical guide includes plentiful hands-on exercises using industry-leading open-source tools and examples using Java and Spring Boot.
About the Technology
Integrating independent services into a single system presents special security challenges in a microservices deployment. With proper planning, however, you can build in security from the start. Learn to create secure services and protect application data throughout development and deployment. As microservices continue to change enterprise application systems, developers and architects must learn to integrate security into their design and implementation. Because microservices are created as a system of independent components, each a possible point of failure, they can multiply the security risk. With proper planning, design, and implementation, you can reap the benefits of microservices while keeping your application data—and your company's reputation—safe!
About the Book
Microservices Security in Action is filled with solutions, teaching best practices for throttling and monitoring, access control, and microservice-to-microservice communications. Detailed code samples, exercises, and real-world use cases help you put what you've learned into production. Along the way, authors and software security experts Prabath Siriwardena and Nuwan Dias shine a light on important concepts like throttling, analytics gathering, access control at the API gateway, and microservice-to-microservice communication. You'll also discover how to securely deploy microservices using state-of-the-art technologies including Kubernetes, Docker, and the Istio service mesh. Lots of hands-on exercises secure your learning as you go, and this straightforward guide wraps up with a security process review and best practices. When you're finished reading, you'll be planning, designing, and implementing microservices applications with the priceless confidence that comes with knowing they're secure!
What's Inside
- Microservice security concepts
- Edge services with an API gateway
- Deployments with Docker, Kubernetes, and Istio
- Security testing at the code level
- Communications with HTTP, gRPC, and Kafka
About the Reader
For experienced microservices developers with intermediate Java skills.
About the Authors
Prabath Siriwardena is the vice president of security architecture at WSO2. Nuwan Dias is the director of API architecture at WSO2. They have designed secure systems for many Fortune 500 companies.
Quotes
A complete guide to the challenges and solutions in securing microservices architectures.
- Massimo Siani, FinDynamic
An indispensable roadmap... Touches on all the right topics in an order that makes sense.
- Andrew Bovill, Next Century
Full of code examples and detailed explanations regarding security that can help anyone secure services connected to the internet.
- Gustavo Gomes, Brightcove
A book that should adorn the desk of every developer and architect developing software using the microservices architectural pattern.
- Srihari Sridharan, athenahealth
Table of contents
- Microservices Security in Action
- Copyright
- dedication
- brief contents
- contents
- front matter
- Part 1. Overview
- 1 Microservices security landscape
- 1.1 How security works in a monolithic application
- 1.2 Challenges of securing microservices
- 1.2.1 The broader the attack surface, the higher the risk of attack
- 1.2.2 Distributed security screening may result in poor performance
- 1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare
- 1.2.4 Requests spanning multiple microservices are harder to trace
- 1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies
- 1.2.6 The distributed nature of microservices makes sharing user context harder
- 1.2.7 Polyglot architecture demands more security expertise on each development team
- 1.3 Key security fundamentals
- 1.3.1 Authentication protects your system against spoofing
- 1.3.2 Integrity protects your system from data tampering
- 1.3.3 Nonrepudiation: Do it once, and you own it forever
- 1.3.4 Confidentiality protects your systems from unintended information disclosure
- 1.3.5 Availability: Keep the system running, no matter what
- 1.3.6 Authorization: Nothing more than you’re supposed to do
- 1.4 Edge security
- 1.5 Securing service-to-service communication
- Summary
- 2 First steps in securing microservices
- Part 2. Edge security
- 3 Securing north/south traffic with an API gateway
- 4 Accessing a secured microservice via a single-page application
- 5 Engaging throttling, monitoring, and access control
- 5.1 Throttling at the API gateway with Zuul
- 5.1.1 Quota-based throttling for applications
- 5.1.2 Fair usage policy for users
- 5.1.3 Applying quota-based throttling to the Order Processing microservice
- 5.1.4 Maximum handling capacity of a microservice
- 5.1.5 Operation-level throttling
- 5.1.6 Throttling the OAuth 2.0 token and authorize endpoints
- 5.1.7 Privilege-based throttling
- 5.2 Monitoring and analytics with Prometheus and Grafana
- 5.3 Enforcing access-control policies at the API gateway with Open Policy Agent
- Summary
- Part 3. Service-to-service communications
- 6 Securing east/west traffic with certificates
- 7 Securing east/west traffic with JWT
- 8 Securing east/west traffic over gRPC
- 9 Securing reactive microservices
- 9.1 Why reactive microservices?
- 9.2 Setting up Kafka as a message broker
- 9.3 Developing a microservice to push events to a Kafka topic
- 9.4 Developing a microservice to read events from a Kafka topic
- 9.5 Using TLS to protect data in transit
- 9.6 Using mTLS for authentication
- 9.7 Controlling access to Kafka topics with ACLs
- 9.8 Setting up NATS as a message broker
- Summary
- Part 4. Secure deployment
- 10 Conquering container security with Docker
- 10.1 Running the security token service on Docker
- 10.2 Managing secrets in a Docker container
- 10.3 Using Docker Content Trust to sign and verify Docker images
- 10.4 Running the Order Processing microservice on Docker
- 10.5 Running containers with limited privileges
- 10.6 Running Docker Bench for security
- 10.7 Securing access to the Docker host
- 10.8 Considering security beyond containers
- Summary
- 11 Securing microservices on Kubernetes
- 11.1 Running an STS on Kubernetes
- 11.2 Managing secrets in a Kubernetes environment
- 11.2.1 Using ConfigMap to externalize configurations in Kubernetes
- 11.2.2 Defining a ConfigMap for application.properties file
- 11.2.3 Defining ConfigMaps for keystore.jks and jwt.jks files
- 11.2.4 Defining a ConfigMap for keystore credentials
- 11.2.5 Creating ConfigMaps by using the kubectl client
- 11.2.6 Consuming ConfigMaps from a Kubernetes Deployment
- 11.2.7 Loading keystores with an init container
- 11.3 Using Kubernetes Secrets
- 11.4 Running the Order Processing microservice in Kubernetes
- 11.5 Running the Inventory microservice in Kubernetes
- 11.6 Using Kubernetes service accounts
- 11.7 Using role-based access control in Kubernetes
- Summary
- 12 Securing microservices with Istio service mesh
- Part 5. Secure development
- 13 Secure coding practices and automation
- 13.1 OWASP API security top 10
- 13.1.1 Broken object-level authorization
- 13.1.2 Broken authentication
- 13.1.3 Excessive data exposure
- 13.1.4 Lack of resources and rate limiting
- 13.1.5 Broken function-level authorization
- 13.1.6 Mass assignment
- 13.1.7 Security misconfiguration
- 13.1.8 Injection
- 13.1.9 Improper asset management
- 13.1.10 Insufficient logging and monitoring
- 13.2 Running static code analysis
- 13.3 Integrating security testing with Jenkins
- 13.4 Running dynamic analysis with OWASP ZAP
- Summary
- Appendix A. OAuth 2.0 and OpenID Connect
- A.1 The access delegation problem
- A.2 How does OAuth 2.0 fix the access delegation problem?
- A.3 Actors of an OAuth 2.0 flow
- A.4 Grant types
- A.5 Scopes bind capabilities to an OAuth 2.0 access token
- A.6 Self-contained access tokens
- A.7 What is OpenID Connect?
- A.8 More information about OpenID Connect and OAuth 2.0
- Appendix B. JSON Web Token
- Appendix C. Single-page application architecture
- Appendix D. Observability in a microservices deployment
- Appendix E. Docker fundamentals
- E.1 Docker overview
- E.2 Installing Docker
- E.3 Docker high-level architecture
- E.4 Containerizing an application
- E.5 Container name and container ID
- E.6 Docker registry
- E.7 Publishing to Docker Hub
- E.8 Image name and image ID
- E.9 Image layers
- E.10 Container life cycle
- E.11 Deleting an image
- E.12 Persisting runtime data of a container
- E.13 Docker internal architecture
- E.14 What is happening behind the scenes of docker run?
- E.15 Inspecting traffic between Docker client and host
- E.16 Docker Compose
- E.17 Docker Swarm
- E.18 Docker networking
- E.19 Moby project
- Appendix F. Open Policy Agent
- Appendix G. Creating a certificate authority and related keys with OpenSSL
- Appendix H. Secure Production Identity Framework for Everyone
- Appendix I. gRPC fundamentals
- Appendix J. Kubernetes fundamentals
- J.1 Kubernetes high-level architecture
- J.2 Basic constructs
- J.3 Getting started with Minikube and Docker Desktop
- J.4 Kubernetes as a service
- J.5 Getting started with Google Kubernetes Engine
- J.6 Creating a Kubernetes Deployment
- J.7 Behind the scenes of a Deployment
- J.8 Creating a Kubernetes Service
- J.9 Behind the scenes of a Service
- J.10 Scaling a Kubernetes Deployment
- J.11 Creating a Kubernetes namespace
- J.12 Switching Kubernetes namespaces
- J.13 Using Kubernetes objects
- J.14 Exploring the Kubernetes API server
- J.15 Kubernetes resources
- J.16 Kubernetes controllers
- J.17 Ingress
- J.18 Kubernetes internal communication
- J.19 Managing configurations
- Appendix K. Service mesh and Istio fundamentals
- K.1 Why a service mesh?
- K.2 The evolution of microservice deployments
- K.3 Istio service mesh
- K.4 Istio architecture
- K.5 Setting up Istio service mesh on Kubernetes
- K.6 What Istio brings to a Kubernetes cluster
- K.7 Setting up the Kubernetes deployment
- K.8 Engaging Istio to STS and the Order Processing microservices
- K.9 Running the end-to-end sample
- K.10 Updating the Order Processing microservice with Istio configurations
- index
Product information
- Title: Microservices Security in Action
- Author(s): Prabath Siriwardena, Nuwan Dias
- Release date: August 2020
- Publisher(s): Manning Publications
- ISBN: 9781617295959