Microservices Architectures - Non Functional Requirements - Security




In this article, we explore the important non functional requirement called Security.

What you will learn

  • What Is Security?
  • Why is Security important?
  • How do you improve Security of your system?


Non Functional Requirements and Microservices

This is the second article in a series of articles on Non Functional Requirements:

What Is Security?

Security in general means one or more of the following intentions:

  • Protect the system from unintended use
  • Protect the application service from denial-of-service attacks
  • Protect the system from unauthorized access by external users
  • Restrict authorized users to only those modules of the application that they are allowed to access. Other modules must be protected from the user.

Security is all about:

  • Authentication - Is it the right user?
  • Authorization - Does the user have the rights to do an action?

Applying Security Principles

There are a few important principles that are the cornerstone for application security.

Assign Least Privileges

The architects, designers and developers must start the design of the system with security requirements in mind. Security must feature as an important project requirement right from the initial stages. There has to be a clear picture of the roles of the various users, and the access that each role needs. The idea is to grant each role as little access as possible.

This applies not just to the application, but also to the infrastructure. This includes the application database, the servers where the system is deployed, and other similar things. The same idea of mapping the minimum access to each role is equally relevant here.

Have Complete Mediation

How were King’s forts protected in medieval times? By having one entrance that everyone has to pass through and making sure that the entrance is extremely secure.

Do the same thing for securing your application.

For every request, apply a well-implemented security filter. Test the role and access of the user for each and every request.
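
A minimal sketch of such a filter, combining complete mediation with least-privilege roles. It is an added example, not code from the original article; the role names, routes, tokens and the `dispatch` and `security_filter` functions are hypothetical. Every request passes through one entry point, routes without a declared permission are denied by default, and each decision is recorded for later detection.

```python
from dataclasses import dataclass

# Least privilege: each role maps to the smallest permission set it needs.
# All names and values below are constructed for this example.
ROLE_PERMISSIONS = {
    "viewer": {"orders:read"},
    "clerk": {"orders:read", "orders:create"},
    "admin": {"orders:read", "orders:create", "users:manage"},
}
# Every route must declare the permission it requires.
ROUTE_PERMISSIONS = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:create",
}
# Stand-in for real authentication: token -> (user, role).
SESSIONS = {"tok-alice": ("alice", "viewer"), "tok-bob": ("bob", "admin")}
# /debug was registered without a permission; the filter must still block it.
HANDLERS = {
    ("GET", "/orders"): lambda: "order list",
    ("POST", "/orders"): lambda: "order created",
    ("GET", "/debug"): lambda: "internal state",
}

@dataclass
class Request:
    method: str
    path: str
    token: str = ""

def security_filter(request):
    """Decide (status, reason) for one request; no handler runs before this."""
    session = SESSIONS.get(request.token)
    if session is None:
        return 401, "not authenticated"
    user, role = session
    required = ROUTE_PERMISSIONS.get((request.method, request.path))
    if required is None:
        return 403, "no permission declared for route, denied by default"
    if required not in ROLE_PERMISSIONS.get(role, set()):
        return 403, f"{user} ({role}) lacks {required}"
    return 200, f"{user} granted {required}"

def dispatch(request, audit_log):
    """Single entry point: filter every request, record the decision, then route."""
    status, reason = security_filter(request)
    audit_log.append((status, request.method, request.path, reason))
    if status != 200:
        return status, reason
    return 200, HANDLERS[(request.method, request.path)]()
```

Note that even the admin token cannot reach `/debug`: the route has a handler but no declared permission, so the filter rejects it rather than falling through.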

Have Defence In Depth

This concept boils down to having multiple levels of security. You would need to have security built into your architecture at application, network, hardware and operating system levels.

Trust Nothing

Make sure that you validate every piece of data or information that comes into the system.

Sanitize all data that comes from external sources.

Have Economy Of Mechanism

This says that we need to keep the architecture of the system simple. Simple systems are easier to protect.

Ensure Openness Of Design

Avoid trying to implement system security by making the design obscure. If security depends on the design staying hidden, a hacker might still identify a flaw and compromise the system.

This principle is the opposite of the misplaced idea of “Security Through Obscurity”.

The more open a design, the easier it is to identify and address security flaws.

Handling Application Security

There are three important aspects of managing security threats to an application.

Prevention

The best approach is to prevent security incidents from happening by following the principles discussed earlier.

Detection

It is important to have mechanisms in place that detect security violations. When such a violation does happen, detecting it fairly early is worth its weight in gold.

Reaction

After you detect a security violation, the step that follows is the reaction.

A major drawback when handling security violations is that, more often than not, organizations are slow both in detecting them and in reacting to them.

Make sure you have clear policies on how to react to security violations.

Best Practices In Application Security

Let's look at some of the best practices in building secure systems.

Think Security From Day One

The business development, software development, QA and operations teams - all of them need to make security a high priority right from the initial stages. They need to be well educated about the various threats, and ways to prevent, detect and react to them as needed.

Be Aware Of OWASP

It is important that there is proper awareness of OWASP and their recommendations. They regularly release a “top 10” list about current security threats for applications, as well as tips on how to prevent them.

Use Analysis Tools

Use static analysis tools such as Checkmarx regularly to identify potential security vulnerabilities in the code.

Friendly Hacking

Frequently have external security testers hack into your application software. This gives you a different perspective on security testing, and also helps find potential flaws earlier.

Avoid Outdated Standards And Frameworks

An OWASP standard recommends that outdated software standards and frameworks having known vulnerabilities be eliminated from your architecture.

Only make use of an approved library/framework/platform that is certified by a security team.

Use the latest versions of this software.

Safeguard Your Infrastructure

Make sure proper protection mechanisms are in place to secure your app server, web server, OS and hardware.


Summary

In this article, we talked about what application security is all about. Essentially, security revolves around two things - authentication and authorization.

We then looked at principles that help make your application more secure. These include assigning minimum privileges, having complete mediation, trusting nothing, having an economy of mechanism and keeping an open design. We then looked at several best practices when it comes to improving application security.
