News

DevOps App Security Expert: 'Use Microservices'

• By David Ramel
• 09/22/2021

"If you can get away with it, use microservices as your preferred architecture," advises DevOps application security expert Carlos Rivas.

Rivas, who in his day job is a senior solutions architect at InterVision Systems, was speaking to an audience of hundreds who attended an online webcast summit produced last week by Virtualization & Cloud Review and is now available on demand. His presentation was titled "DevOps and Architecture Best Practices for Implementing Application Security," which was one of three presentations in the "Application Security & DevSecOps Summit."

Rivas was trained traditionally in software development and then shifted into DevOps and the cloud space, so he was speaking in the context of a software developer. As such, he informed the audience about the usual popular topics of dependency management, user authentication, managing credentials, vulnerability scanning, encryption, containers, load balancing and firewalls, auto scaling and more.

But it was the entreaty to adopt microservices architecture -- a cloud-native approach in which an application is arranged as a collection of loosely coupled services -- with which he led off, perhaps surprising the audience.

"Microservices is a great technology to consider when developing these days, and I always bring bring it up, whether it's a conversation about security or not, because having a smaller type of architecture for your overall project is always great, because it allows you to have multiple team members contribute at the same time," he said. "You're not going to have as many collisions, you're going to have less issues with dependencies and all that. So keep that in mind, but it's also great in the sense of a security context, which is why we're here."

He then explained how the microservices approach can benefit organizations in general, especially in terms of security, and in the specific context of application development.

DevSecOps Benefits of Microservices in General
"Let's say that we have a mobile client or a web visitor that comes to your web site. And they go in through an authorization server. The authorization server is nothing more than an application there to capture users and passwords, perhaps multi-factor authentication or something like that, that can overall generally just get them to certify that they are who they say they are."

For example, such a web visitor would typically get an access token to use an application, proving that they are who they say they are.

"And then your software can use this access token to go to the authorization server to say, 'Hey, you know, is this valid is this person actually logged in?' and that software is going to get a yes or no in that particular context. Now, when this happens, the authorization server is going to return a JSON web token. And of course, I'm just using a standard here, it could be very different, your situation. But let's say that we get this JSON web token. And this is your security credential to access your entire application. This token is going to be very different if you're an admin of your application, because then you're going to have access to things like accounting and the back end and the back office-type of access into your application. But if you're just a consumer trying to use this web application, you are going to have the same token. It's just going to be with a much more reduced security footprint. So you may be able to place an order, but not be able to modify an order, for example.

"And you know, this, to me, this is like the ideal scenario. So if you're using something like AWS API gateway, or something similar on Azure or Google Cloud, this will be the ideal scenario to have, right. Because now from this point forward, I'm going now into the actual microservices. All you need to worry about is does this person have an approved token. And does the token provide the necessary permissions to access this function or not. And that said, you don't need to worry about is this user logged in as this user or not -- you don't need to worry about any of that stuff, because [with] this architecture using just that token, you know that whoever is using your application has already been approved, authenticated, and the session is live and everything, so it's all well and good. So this is why I recommend microservices in general."

DevSecOps Benefits of Microservices in Application Development
"Now chances are if you're developing an application, you're going to have a ton of dependencies that you need to manage," Rivas continued. "The problem with dependencies is that they're going to introduce possibly dependencies that are vulnerable to security issues, right? And if you're creating a large complex application, chances are you might end up with dozens or even more of these dependencies -- such as JavaScript libraries, or anything like that -- that may be out there helping you create your software. In this particular case, well, you may say, 'Well, I'm just going to download this version, I'll download the latest, and everything is fine.'

"But you have to understand that the people creating this software libraries, they're also software developers just just like we are. So they're bound to create software that's going to have security holes that may be dangerous for your application. So if there's a library that's broken, and it has a potential security breach just waiting to happen, and you happen to use that same exact library, that's also going to make your software potentially vulnerable to the same issue. So keeping your dependencies up to date, and keeping track of vulnerabilities is an issue, right?"

That served as a segue into dependency management and the other topics mentioned above before his closing, which once again turned to microservices.

"So if you can get away with it, use microservices as your preferred architecture," said Rivas, who described as a type of service-oriented architecture (SOA). "So use that to your advantage, whenever possible."

Security in general is a focal point of Virtualization & Cloud Review online summits, as you can see from the schedule of live events coming in the next few weeks:

• Best Practices for Cloud Storage, Backup & Recovery Summit
• AWS Cloud Security Summit
• Cloud Data Attacks & Prevention Summit
• Microsoft 365 Security, Backup & Recovery Summit