Microservices Security in Action
Prabath Siriwardena and Nuwan Dias
  • MEAP began March 2019
  • Publication in Spring 2020 (estimated)
  • ISBN 9781617295959
  • 450 pages (estimated)
  • printed in black & white

An incredible piece of theorethical knowledge about security.

Gustavo Gomes
Unlike traditional enterprise applications, Microservices applications are collections of independent components that function as a system. Securing the messages, queues, and API endpoints requires new approaches to security both in the infrastructure and the code. Microservices Security in Action teaches you how to address microservices-specific security challenges throughout the system. This practical guide includes plentiful hands-on exercises using industry-leading open-source tools and examples using Java and Spring Boot.
Table of Contents detailed table of contents

Part 1: Overview

1 Welcome to microservices security

1.1 How security works in a monolithic application

1.2 Challenges of securing microservices

1.2.1 The broader the attack surface, the higher the risk of attack

1.2.2 Distributed security screening may result in poor performance

1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare

1.2.4 Requests which span across multiple microservices are harder to trace

1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies

1.2.6 The distributed nature of microservices makes sharing user context harder

1.2.7 Polyglot architecture demands more security expertise on each development team

1.3 Key security fundamentals

1.3.1 Authentication protects your system against spoofing

1.3.2 Integrity protects your system from data tampering

1.3.3 Nonrepudiation: Do it once, and you own it forever

1.3.4 Confidentiality protects your systems from unintended information disclosure

1.3.5 Availability: Keep the system running, no matter what

1.3.6 Authorization: Nothing more than you’re supposed to do

1.4 Edge security

1.4.1 The role of an API gateway in a microservices deployment

1.4.2 Authentication at the edge

1.4.3 Authorization at the edge

1.4.4 Passing client/end-user context to downstream microservices

1.5 Securing service-to-service communication

1.5.1 Service-to-service authentication

1.5.2 Service-level authorization

1.5.3 Propagating user context between microservices

1.5.4 Crossing trust boundaries

1.6 Summary

2 Hello World microservices security

2.1 Your first microservice

2.1.1 Downloading and installing the required software

2.1.2 Clone samples repository

2.1.3 Compiling the Order Processing microservice

2.1.4 Accessing the Order Processing microservice

2.1.5 What is inside the source code directory?

2.1.6 Understanding the source code of the microservice

2.2 Setting up an OAuth 2.0 server

2.2.1 Understanding the actors in OAuth 2.0

2.2.2 The interactions with an authorization server

2.2.3 Running the OAuth2.0 authorization server

2.2.4 Getting an access token from the OAuth2.0 authorization server

2.2.5 Understanding the access token response

2.3 Securing a microservice with OAuth2.0

2.3.1 Security based on OAuth2.0

2.3.2 Running the sample

2.4 Invoking a secured microservice from a client application

2.5 Authorization of requests based on OAuth2.0 scopes

2.5.1 The level of privileges in an application

2.5.2 Privileges enforced on the resource server

2.6 Summary

Part 2: Edge Security

3 Deploying a microservice behind an API gateway

3.1 The need for an API gateway in a microservices architecture

3.1.1 Decoupling security from the microservice

3.1.2 The inherent complexities of microservice deployments make them harder to consume

3.1.3 The rawness of the microservices does not make them ideal for external exposure

3.2 Security at the edge

3.2.1 Understanding the consumer landscape of your microservices

3.2.2 Delegating access

3.2.3 Why not basic authentication?

3.2.4 Why not Mutual TLS?

3.2.5 Why OAuth 2.0?

3.3 How to pick the correct OAuth 2.0 grant type?

3.3.1 Client credentials grant type

3.3.2 Resource owner password grant type

3.3.3 Refresh token grant type

3.3.4 Authorization code grant type

3.3.5 Implicit grant type

3.4 Setting up an API gateway with Zuul

3.4.1 Compiling and running the Order Processing microservice

3.4.2 Compiling and running the Zuul proxy

3.4.3 Enabling OAuth2.0-based security at the Zuul gateway

3.5 Securing communication between Zuul and the microservice

3.5.1 Preventing access through the firewall

3.5.2 Securing the communication between the API gateway and microservices by using mutual TLS

3.6 Summary

4 Building a single-page application to talk to microservices

4.1 Building a single-page application

4.1.1 Building a single-page application with AngularJS

4.1.2 Benefits of a SPA over an MPA

4.1.3 Drawbacks of a SPA compared with an MPA

4.2 Introducing an API gateway, and setting up cross-origin resource sharing (CORS)

4.2.1 Running the sample

4.2.2 The same-origin policy

4.2.3 Cross-origin resource sharing (CORS)

4.2.4 Inspecting the source that allows cross-origin requests

4.2.5 Proxying the resource server with an API gateway

4.3 Securing a SPA with OpenID Connect

4.3.1 OpenID Connect

4.3.2 Obtaining an ID token

4.3.3 OpenID Connect in practice

4.3.4 Where does OpenID Connect fit in?

4.4 Federated authentication

4.4.1 Multiple trust domains

4.4.2 Building trust between domains

4.5 Summary

5 Engaging throttling, monitoring, and access control

5.1 Throttling at the API Gateway with Zuul

5.1.1 Quota based throttling for applications

5.1.2 Fair usage policy for users

5.1.3 Running the sample

5.1.4 Maximum handling capacity for microservices

5.1.5 Operation level throttling

5.1.6 Throttling the OAuth2 token and authorize endpoints

5.1.7 Privilege based throttling

5.2 Monitoring and Analytics with Prometheus and Grafana

5.2.1 Monitoring the Spring Boot Microservice

5.2.2 The need for observability

5.2.3 Observability

5.2.4 Using Prometheus to monitor our microservices

5.3 Enforcing access control policies at the API gateway with Open Policy Agent

5.3.1 Open Policy Agent

5.3.2 Running the OPA sample to query an OPA engine for authorization

5.3.3 Summary

Part 3: Service-to-Service Communication

6 Securing service-to-service communication with certificates

6.1 Why use mTLS?

6.1.1 Trusted certificate authority

6.1.2 Mutual TLS

6.1.3 HTTPS versus TLS

6.2 Creating certificates

6.2.1 Creating a CA

6.2.2 Generating keys for the order processing microservice

6.2.3 Generating keys for the inventory microservice

6.3 Securing microservices with TLS

6.3.1 Running the Order Processing microservice over TLS

6.3.2 Running the Inventory microservice over TLS

6.3.3 Communication between two microservices over TLS

6.4 Engaging mTLS

6.5 Challenges in key management

6.5.1 Key provisioning and trust bootstrap

6.5.2 Certificate revocation

6.6 Key rotation

6.7 Monitoring key use

6.8 SPIFFE

6.8.1 How SPIFFE/SPIRE works

6.8.2 What’s new in SPIFFE

6.9 Summary

7 Securing service-to-service communication with JWT

7.1 Use cases for securing microservices with JWT

7.1.1 Securing service-to-service communications and sharing user context between microservices (with the same JWT)

7.1.2 Securing service-to-service communication and sharing user context with a new JWT for each service to service interaction

7.1.3 Cross-domain authentication and sharing user context between microservices in different trust domains

7.1.4 Self-issued JWTs

7.1.5 Nested JWTs

7.2 Setting up an STS to issue JWTs

7.3 Securing microservices with JWT

7.4 Using JWT as a data source to do access control

7.5 Securing service-to-service communication with JWT

7.6 Exchanging a JWT for a new one with a new audience

7.7 Summary

8 Securing service-to-service communication over gRPC

8.1 Service to Service Communication over gRPC

8.2 Securing gRPC service-to-service communication with mTLS

8.2.1 Running the example with mTLS

8.3 Securing gRPC service-to service communications with JWT

8.3.1 Knowing the actual consumer of the microservice

8.3.2 Limiting the operations that can be performed by the client

8.3.3 Using JWTs over gRPC to secure the communication

8.4 Summary

9 Securing event-driven microservices

Part 4: Secure Deployment

10 Conquering container security with Docker

11 Securing microservices on Kubernetes

12 Securing microservices with Istio service mesh

Part 5: Secure Development

13 Secure coding

Appendixes

Appendix A: Docker fundamental

A.1 Docker overview

A.1.1 Containers prior to Docker

A.1.2 Docker adding value to Linux containers (LXC)

A.1.3 Virtual machines vs. containers

A.1.4 Running Docker on non-Linux operating systems

A.2 Installing Docker

A.3 Docker high-level architecture

A.4 Containerizing an application

A.4.1 What is a Docker image?

A.4.2 Building the application

A.4.3 Creating a Dockerfile

A.4.4 Building a Docker image

A.4.5 Running a container from a Docker image

A.5 Container name and container id

A.6 Docker registry

A.6.1 Docker Hub

A.6.2 Harbor

A.6.3 Other Docker registries

A.7 Publishing to Docker Hub

A.8 Image name and image id

A.8.1 Docker images with no tags (or the latest tag)

A.8.2 Docker images with a tag

A.8.3 Working with 3rd party Docker registries

A.8.4 Docker Hub official and unofficial images

A.8.5 Image id

A.8.6 Pulling an image with the image id

A.9 Image layers

A.10 Container lifecycle

A.10.1 Create a container from an image

A.10.2 Start a container

A.10.3 Pause a running container

A.10.4 Stop a running container

A.10.5 Kill a container

A.10.6 Destroy a container

A.11 Deleting an image

A.12 Docker volumes

A.13 Docker internal architecture

A.13.1 Containerd

A.13.2 Containerd-Shim

A.13.3 Runc

A.13.4 Linux namespaces

A.13.5 Linux cgroups

A.14 What is happening behind the scenes of docker run?

A.15 Inspecting traffic between Docker client and host

A.16 Docker compose

A.17 Docker swarm

A.18 Docker networking

A.18.1 Bridge networking

A.18.2 Host networking

A.18.3 No networking

A.18.4 Networking in a Docker production deployment

A.19 Moby project

Appendix B: Kubernetes fundamentals

B.1 Kubernetes overview

B.2 Kubernetes high-level architecture

B.2.1 Master node

B.2.2 Worker node

B.3 Basic constructs

B.3.1 Pods

B.3.2 Nodes

B.3.3 Services

B.3.4 Deployments

B.3.5 Ingress

B.3.6 Namespaces

B.4 Getting started with Minikube

B.5 Kubernetes as a service

B.6 Getting started with Google Kubernetes Engine (GKE)

B.6.1 Installing gcloud

B.6.2 Installing kubectl

B.6.3 Setting up default setting for gcloud

B.6.4 Creating a Kubernetes cluster

B.6.5 Deleting a Kubernetes cluster

B.7 Creating a Kubernetes deployment

B.8 Behind the scenes of a deployment

B.9 Creating a Kubernetes service

B.10 Behind the scenes of a service

B.11 Scaling a Kubernetes deployment

B.12 Creating a Kubernetes namespace

B.13 Switching Kubernetes namespaces

B.14 Kubernetes objects

B.14.1 Managing Kubernetes objects

B.15 Exploring Kubernetes API server

B.16 Kubernetes resources

B.17 Kubernetes controllers

B.18 Kubernetes internal communication

B.18.1 How kubectl run works?

B.18.2 How Kubernetes routes a request from an external client to a pod?

Appendix C: C Service mesh and Istio fundamentals

Appendix D: OAuth 2.0 and OpenID Connect

D.1 What is OAuth 2.0?

D.2 The access delegation problem

D.3 How does OAuth 2.0 fix the access delegation problem?

D.4 Actors of an OAuth 2.0 flow

D.4.1 The role of the resource server

D.4.2 The role of the client application

D.4.3 Who is the resource owner?

D.4.4 The role of the authorization server (AS)

D.5 Grant types

D.5.1 Client credentials grant type

D.5.2 Resource owner password grant type

D.5.3 Refresh token grant type

D.5.4 Authorization code grant type

D.5.5 Implicit grant type

D.6 Scopes

D.7 Self-contained access tokens

D.8 What is OpenID Connect?

Appendix E: Single-page application (SPA) architecture

E.1 What is single-page application (SPA) architecture?

E.2 Benefits of a SPA over an MPA

E.3 Drawbacks of a SPA compared with an MPA

Appendix F: Observability in a microservices deployment

F.1 The need for observability

F.2 The four pillars of Observability

F.2.1 The importance of metrics in observability

F.2.2 The importance of tracing in observability

Appendix G: Access control patterns

Appendix H: JSON Web Token (JWT)

H.1 What is a JSON Web Token?

H.2 What does a JWT look like?

H.2.1 JWT expiration and issued time

H.2.2 An issuer of a JWT

H.2.3 The audience of a JWT

H.3 JSON Web Signature (JWS)

H.3.1 Creating a JWS with Nimbus

H.4 JSON Web Encryption (JWE)

H.4.1 Creating a JWE with Nimbus

Appendix I: Secure Production Identity Framework For Everyone (SPIFFE)

I.1 What is SPIFFE?

I.2 How SPIFFE/SPIRE works?

I.3 What’s new in SPIFFE

Appendix J: gRPC fundamentals

J.1 What is gRPC?

J.2 Understanding Protocol Buffers

J.3 Understanding HTTP/2 and its benefits over HTTP/1.x

J.3.1 Request Response Multiplexing and its performance benefits

J.3.2 Understanding Binary Framing and Streams in HTTP/2

J.4 The different types of RPC available in gRPC

J.4.1 Understanding Channels

J.4.2 Understanding Request Metadata

J.4.3 What is Unary RPC?

J.4.4 What is Server Streaming RPC?

J.4.5 What is Client Streaming RPC?

J.4.6 What is Bidirectional Streaming RPC?

K.1 Creating a certificate authority

K.2 Generating keys for an application

About the Technology

In 2018, security breaches at Facebook, Saks Fifth Avenue, Panera, Orbitz, and numerous other organizations affected millions of customer records, surpassing the already staggering number of commercial security breaches in 2017. For the companies involved, these security failures stained their reputations, costing both money and priceless customer confidence.

As microservices continue to change enterprise application systems, developers and architects must learn to integrate security into their design and implementation. Because microservices are created as a system of independent components, each a possible point of failure, they can multiply the security risk. With proper planning, design, and implementation, you can reap the benefits of microservices while keeping your application data—and your company’s reputation—safe!

About the book

Microservices Security in Action teaches you how to secure your microservices applications code and infrastructure. After a straightforward introduction to the challenges of microservices security, you’ll learn fundamentals to secure both the application perimeter and service-to-service communication. Following a hands-on example, you’ll explore how to deploy and secure microservices behind an API gateway as well as how to access microservices accessed by a single-page application (SPA).

Along the way, authors and software security experts Prabath Siriwardena and Nuwan Dias shine a light on important concepts like throttling, analytics gathering, access control at the API gateway, and microservice-to-microservice communication. You’ll also discover how to securely deploy microservices using state-of-the-art technologies including Kubernetes, Docker, and the Istio service mesh. Lots of hands-on exercises secure your learning as you go, and this straightforward guide wraps up with a security process review and best practices. When you’re finished reading, you’ll be planning, designing, and implementing microservices applications with the priceless confidence that comes with knowing they’re secure!

What's inside

  • Key microservices security fundamentals
  • Securing service-to-service communication with mTLS and JWT
  • Deploying and securing microservices with Docker
  • Using Kubernetes security
  • Securing event-driven microservices
  • Using the Istio Service Mesh
  • Applying access control policies with OPA
  • Microservices security best practices
  • Building a single-page application to talk to microservices
  • Static code analysis, dynamic testing, and automatic security testing

About the reader

For developers well-versed in microservices design principles who have a basic familiarity with Java.

About the authors

Prabath Siriwardena is the vice president of security architecture at WSO2, a company that produces open source software, and has more than 12 years of experience in the identity management and security domain. Nuwan Dias is the director of API architecture at WSO2 and has worked in the software industry for more than 7 years, most of which he spent focusing on the API management domain. Both have helped build security designs for Fortune 500 companies including Boeing, Verizon, Nissan, HP, and GE.

Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.
MEAP combo $59.99 pBook + eBook + liveBook
MEAP eBook $47.99 pdf + ePub + kindle + liveBook
Prices displayed in rupees will be charged in USD when you check out.

placing your order...

Don't refresh or navigate away from the page.

FREE domestic shipping on three or more pBooks