Video description
A complete guide to the challenges and solutions in securing microservices architectures.
Massimo Siani, FinDynamic
Unlike traditional enterprise applications, microservices applications are collections of independent components that function as a system. Securing the messages, queues, and API endpoints requires new approaches to security both in the infrastructure and the code. Microservices Security in Action teaches you how to address microservices-specific security challenges throughout the system. This practical guide includes plentiful hands-on exercises using industry-leading open-source tools and examples using Java and Spring Boot.
about the technology
Integrating independent services into a single system presents special security challenges in a microservices deployment. With proper planning, however, you can build in security from the start. Learn to create secure services and protect application data throughout development and deployment. As microservices continue to change enterprise application systems, developers and architects must learn to integrate security into their design and implementation. Because microservices are created as a system of independent components, each a possible point of failure, they can multiply the security risk. With proper planning, design, and implementation, you can reap the benefits of microservices while keeping your application data—and your company's reputation—safe!
about the book
Microservices Security in Action is filled with solutions, teaching best practices for throttling and monitoring, access control, and microservice-to-microservice communications. Detailed code samples, exercises, and real-world use cases help you put what you've learned into production. Along the way, authors and software security experts Prabath Siriwardena and Nuwan Dias shine a light on important concepts like throttling, analytics gathering, access control at the API gateway, and microservice-to-microservice communication. You'll also discover how to securely deploy microservices using state-of-the-art technologies including Kubernetes, Docker, and the Istio service mesh. Lots of hands-on exercises secure your learning as you go, and this straightforward guide wraps up with a security process review and best practices. When you're finished reading, you'll be planning, designing, and implementing microservices applications with the priceless confidence that comes with knowing they're secure!
what's inside
- Microservice security concepts
- Edge services with an API gateway
- Deployments with Docker, Kubernetes, and Istio
- Security testing at the code level
- Communications with HTTP, gRPC, and Kafka
about the audience
For experienced microservices developers with intermediate Java skills.
about the authors
Prabath Siriwardena is the vice president of security architecture at WSO2. Nuwan Dias is the director of API architecture at WSO2. They have designed secure systems for many Fortune 500 companies.
An indispensable roadmap... Touches on all the right topics in an order that makes sense.
Andrew Bovill, Next Century
Full of code examples and detailed explanations regarding security that can help anyone secure services connected to the internet.
Gustavo Gomes, Brightcove
A book that should adorn the desk of every developer and architect developing software using the microservices architectural pattern.
Srihari Sridharan, athenahealth
NARRATED BY AIDEN HUMPHREYS
Table of Contents
Part 1. Overview
Chapter 1 Microservices security landscape
Chapter 1 Challenges of securing microservices
Chapter 1 Immutability of containers challenges how you maintain service credentials and access-control policies
Chapter 1 Key security fundamentals
Chapter 1 Confidentiality protects your systems from unintended information disclosure
Chapter 1 Edge security
Chapter 1 Securing service-to-service communication
Chapter 1 Service-level authorization
Chapter 1 Crossing trust boundaries
Chapter 2 First steps in securing microservices
Chapter 2 Accessing the Order Processing microservice
Chapter 2 Setting up an OAuth 2.0 server
Chapter 2 Getting an access token from the OAuth 2.0 authorization server
Chapter 2 Securing a microservice with OAuth 2.0
Chapter 2 Invoking a secured microservice from a client application
Part 2. Edge security
Chapter 3 Securing north/south traffic with an API gateway
Chapter 3 Decoupling security from the microservice
Chapter 3 Security at the edge
Chapter 3 Why not basic authentication to secure APIs?
Chapter 3 Setting up an API gateway with Zuul
Chapter 3 Enforcing OAuth 2.0-based security at the Zuul gateway Pt 1
Chapter 3 Enforcing OAuth 2.0-based security at the Zuul gateway Pt 2
Chapter 3 Securing communication between Zuul and the microservice
Chapter 4 Accessing a secured microservice via a single-page application
Chapter 4 Looking behind the scenes of a single-page application
Chapter 4 Setting up cross-origin resource sharing
Chapter 4 Inspecting the source that allows cross-origin requests
Chapter 4 Securing a SPA with OpenID Connect
Chapter 4 Inspecting the code of the applications
Chapter 4 Using federated authentication
Chapter 5 Engaging throttling, monitoring, and access control
Chapter 5 Fair usage policy for users
Chapter 5 Maximum handling capacity of a microservice
Chapter 5 Monitoring and analytics with Prometheus and Grafana
Chapter 5 Enforcing access-control policies at the API gateway with Open Policy Agent
Chapter 5 Evaluating OPA policies
Part 3. Service-to-service communications
Chapter 6 Securing east/west traffic with certificates
Chapter 6 Creating certificates to secure access to microservices
Chapter 6 Securing microservices with TLS
Chapter 6 Engaging mTLS
Chapter 6 Certificate revocation Pt 1
Chapter 6 Certificate revocation Pt 2
Chapter 6 Key rotation
Chapter 7 Securing east/west traffic with JWT
Chapter 7 Sharing user context with a new JWT for each service-to-service interaction
Chapter 7 Self-issued JWTs
Chapter 7 Setting up an STS to issue a JWT
Chapter 7 Using JWT as a data source for access control
Chapter 7 Exchanging a JWT for a new one with a new audience
Chapter 8 Securing east/west traffic over gRPC
Chapter 8 Securing gRPC service-to-service communications with mTLS
Chapter 8 Securing gRPC service-to-service communications with JWT
Chapter 9 Securing reactive microservices
Chapter 9 Setting up Kafka as a message broker
Chapter 9 Developing a microservice to push events to a Kafka topic
Chapter 9 Using TLS to protect data in transit
Chapter 9 Configuring TLS on the microservices
Chapter 9 Using mTLS for authentication
Chapter 9 Controlling access to Kafka topics with ACLs
Chapter 9 Setting up NATS as a message broker
Part 4. Secure deployment
Chapter 10 Conquering container security with Docker
Chapter 10 Managing secrets in a Docker container
Chapter 10 Using Docker Content Trust to sign and verify Docker images
Chapter 10 Signature verification with DCT
Chapter 10 Running the Order Processing microservice on Docker
Chapter 10 Running containers with limited privileges
Chapter 10 Running Docker Bench for security
Chapter 10 Enabling mTLS at the NGINX server to secure access to Docker APIs Pt 1
Chapter 10 Enabling mTLS at the NGINX server to secure access to Docker APIs Pt 2
Chapter 11 Securing microservices on Kubernetes
Chapter 11 Managing secrets in a Kubernetes environment
Chapter 11 Defining a ConfigMap for keystore credentials
Chapter 11 Using Kubernetes Secrets
Chapter 11 Running the Order Processing microservice in Kubernetes
Chapter 11 Running the Inventory microservice in Kubernetes
Chapter 11 Using role-based access control in Kubernetes
Chapter 12 Securing microservices with Istio service mesh
Chapter 12 Clean up any previous work
Chapter 12 Enabling TLS termination at the Istio Ingress gateway
Chapter 12 Deploying VirtualServices
Chapter 12 Securing service-to-service communications with mTLS
Chapter 12 Peer authentication and request authentication
Chapter 12 Enforcing authorization
Chapter 12 Testing end-to-end flow with RBAC
Chapter 12 Managing keys in Istio
Chapter 12 Key provisioning and rotation with SDS
Part 5. Secure development
Chapter 13 Secure coding practices and automation
Chapter 13 Broken authentication
Chapter 13 Lack of resources and rate limiting
Chapter 13 Security misconfiguration
Chapter 13 Running static code analysis
Chapter 13 Integrating security testing with Jenkins
Chapter 13 Setting up a build pipeline with Jenkins
Chapter 13 Running dynamic analysis with OWASP ZAP
Appendix A OAuth 2.0 and OpenID Connect
Appendix A Actors of an OAuth 2.0 flow
Appendix A Grant types
Appendix A Resource owner password grant type
Appendix A Authorization code grant type
Appendix A Implicit grant type
Appendix A Scopes bind capabilities to an OAuth 2.0 access token
Appendix B JSON Web Token
Appendix B What does a JWT look like?
Appendix B JSON Web Signature
Appendix C Single-page application architecture
Appendix D Observability in a microservices deployment
Appendix D The importance of tracing in observability
Appendix E Docker Swarm
Appendix E Docker fundamentals
Appendix E Docker adding value to Linux containers
Appendix E Installing Docker
Appendix E Containerizing an application
Appendix E Container name and container ID
Appendix E Image name and image ID
Appendix E Image layers
Appendix E Deleting an image
Appendix E Docker internal architecture
Appendix E What is happening behind the scenes of docker run?
Appendix F Open Policy Agent
Appendix F Deploying OPA as a Docker container
Appendix F External data
Appendix F JSON Web Token
Appendix F OPA integrations
Appendix G Creating a certificate authority and related keys with OpenSSL
Appendix H Secure Production Identity Framework for Everyone
Appendix H The inspiration behind SPIFFE
Appendix H How SPIRE works
Appendix H SPIFFE Verifiable Identity Document
Appendix I gRPC fundamentals
Appendix I Understanding HTTP/2 and its benefits over HTTP/1.x
Appendix I The different types of RPC available in gRPC
Appendix J Kubernetes fundamentals
Appendix J A Service: an abstraction over Kubernetes Pods
Appendix J Getting started with Minikube and Docker Desktop
Appendix J Creating a Kubernetes Deployment
Appendix J Behind the scenes of a Service
Appendix J Exploring the Kubernetes API server
Appendix J Kubernetes internal communication
Appendix J Managing configurations
Appendix K Service mesh and Istio fundamentals
Appendix K The Service Mesh architecture
Appendix K Istio architecture
Appendix K Istio data plane
Appendix K Setting up Istio service mesh on Kubernetes
Appendix K What Istio brings to a Kubernetes cluster
Appendix K Setting up the Kubernetes deployment
Appendix K Updating the Order Processing microservice with Istio configurations