Microservices Architectures - Non Functional Requirements - Security


In this article, we explore the important non functional requirement called Security.

What you will learn

  • What Is Security?
  • Why is Security important?
  • How do you improve Security of your system?

Non Functional Requirements and Microservices

This is the second article in a series of articles on Non Functional Requirements:

What Is Security?

Security in general means one or more of the following intentions:

  • Protect the system from unintended use
  • Protect the application service from denial-of-service attacks
  • Protect the system from unauthorized access by external users
  • Restrict the authorized users to access only those modules of the application that they are allowed to. Other modules must be protected from the user.

Security is all about:

  • Authentication - Is it the right user?
  • Authorization - Does the user have the rights to do an action?

Applying Security Principles

There are a few important principles that are the cornerstone for application security.

Assign Least Privileges

The architects, designers and developers must start the design of the system with security requirements in mind. Security must feature as an important project requirement from the initial stages itself. There has to be clear picture of the roles of various users, and the accesses that they need. The idea is to have as few accesses to each role as possible.

This applies not just to the application, but also to the infrastructure. This includes the application database, the servers where the system is deployed, and other similar things. The concept of minimized mapping of access to roles for each user, is equally relevant here.

Have Complete Mediation

How were King’s forts protected in medieval times? By having one entrance that everyone has to pass through and making sure that the entrance is extremely secure.

Do the same thing for securing your application.

For every request, apply a well-implemented security filter. Test the role and access of the user for each and every request.

Have Defence In Depth

This concept boils down to having multiple levels of security. You would need to have security built into your architecture at application, network, hardware and operating system levels.

Trust Nothing

Make sure that you validate every piece of data or information that comes into the system .

Sanitize all data that comes from external sources.

Have Economy Of Mechanism

This says that we need to keep the architecture of the system, simple. Simple systems are easier to protect.

Ensure Openness Of Design

Avoid trying to implement system security by making the design obscure. If that were the case, a hacker might identify a flaw and compromise the system.

This principle is the opposite of the misplaced idea of “Security Through Obscurity”.

The more open a design, the easier it is to identify and address security flaws.

Handling Application Security

There are three important aspects of managing security threats to an application.

Prevention

The best approach is to prevent security incidents from happening by following the principles discussed early.

Detection

It is important to have mechanisms in place that detect security violations. When such a violation does happen, detecting it fairly early is worth its weight in gold.

Reaction

After you detect a security violation, the step that follows is the reaction.

A major drawback when handling security violations is that more often than not, organizations are slow in both detecting, and reacting to them.

Make sure you have clear policies on how to react to security violations.

Best Practices In Application Security

Lets look at some of best practices in building secure systems.

Think Security From Day One

The business development, software development, QA and operations teams - all of them need to make security a high priority right from the initial stages. They need to be well educated about the various threats, and ways to prevent, detect and react to them as needed.

Be Aware Of OWASP

It is important that there is proper awareness of OWASP and their recommendations. They regularly release a “top 10” list about current security threats for applications, as well as tips on how to prevent them.

Use Analysis Tools

Use static analysis tools such as checkmarks regularly, to identify potential security vulnerabilities in the code.

Friendly Hacking

Frequently have external security testers hack into your application software. This gives you a different perspective on security testing, and also find potential flaws earlier.

Avoid Outdated Standards And Frameworks

AN OWASP standard recommends that outdated software standards and frameworks having known vulnerabilities need to be eliminated from your architecture.

Only make use of an approved library/framework/platform that is certified by a security team.

Use the latest versions of these software.

Safeguard Your Infrastructure

Make sure proper protection mechanisms are in place to secure your app server, web server, OS and hardware.

Do check out our video on this:

image info

Summary

In this article, we talked about what application security is all about. Essentially, security revolves round two things - authentication, and authorization.

We then looked at principles that help make your application more secure. These include assigning minimum privileges, having complete mediation, trusting nothing, have an economy of mechanism and keeping an open design. We then looked at several best practices when it comes to improving application security.

10 Step Reference Courses

Image Image Image Image Image

in28Minutes is helping 300,000 Learners across the world reach their learning goals. Click here for the complete catalogue of 30 Courses.

Related Posts

Spring Boot Tutorials for Beginners

At in28Minutes, we are creating a number of tutorials with videos, articles & courses on Spring Boot for Beginners and Experienced Developers. This resources will help you learn and gain expertise at Spring Boot.

Spring and Spring Boot Video Tutorials for Beginners

At in28Minutes, we are creating a number of tutorials with videos, articles & courses on Spring Boot for Beginners and Experienced Developers. Here's a list of video tutorials and courses for you

Software Design - Separation Of Concerns - with examples

Software architects and programmers love having Seperation of Concerns. What is it? Why is it important? Let's get started.

Object Oriented Software Design - Solid Principles - with examples

Software design is typically complex. Object oriented design takes it to the next level. There are a number of design patterns and other stuff to be aware of. Can we make things simple? What are the goals to aim for when you are doing object oriented design? SOLID Principles is a great starting point for Object Oriented Design.

Software Design - Open Closed Principle - with examples

Open Closed Principle is one of the SOLID Principles. You want your code to be easily extended. How do you achieve it with minimum fuss? Let's get started.

Software Design - What is Dependency Inversion Principle?

Dependency Inversion Principle is one of the important SOLID Principles. Dependency Inversion Principle is implemented by one of the most popular Java frameworks - Spring. What is it all about? How does it help you design good applications?

Introduction to Four Principles Of Simple Design

With agile and extreme programming, the focus is on keeping your design simple. How do you keep your design simple? How do you decide whether your code is good enough?

Software Design - Single Responsibility Principle - with examples

For me, Single Responsibility Principle is the most important design principle. What is Single Responsibility Principle? How do you use it? How does it help with making your software better? Let's get started.

REST API Best Practices - With Design Examples from Java and Spring Web Services

Designing Great REST API is important to have great microservices. How do you design your REST API? What are the best practices?

Designing REST API - What is Code First Approach?

Designing Great REST API is important to have great microservices. Code First approach focuses on generating the contract from code. Is it the best possible approach?