Microservices Architectures - Non Functional Requirements - Security


350,000 Learners are learning everyday with our Best Selling Courses : Microservices, Spring, Spring Boot, Web Services, Hibernate, Full Stack React, Full Stack Angular, Python, Spring Interview Guide, Java Interview, Java Functional Programming, AWS, Docker, Kubernetes, PCF, AWS Fargate and Azure

In this article, we explore the important non-functional requirement called Security.

What you will learn

  • What Is Security?
  • Why is Security important?
  • How do you improve the security of your system?


Non Functional Requirements and Microservices

This is the second article in a series of articles on Non Functional Requirements:

What Is Security?

Security, in general, covers one or more of the following goals:

  • Protect the system from unintended use
  • Protect the application service from denial-of-service attacks
  • Protect the system from unauthorized access by external users
  • Restrict authorized users to only those modules of the application that they are allowed to access. Other modules must be protected from the user.

Security is all about:

  • Authentication - Is it the right user?
  • Authorization - Does the user have the rights to do an action?

Applying Security Principles

There are a few important principles that are the cornerstone for application security.

Assign Least Privileges

The architects, designers and developers must start the design of the system with security requirements in mind. Security must feature as an important project requirement from the very first stages. There has to be a clear picture of the roles of the various users and the access each of them needs. The idea is to grant each role as few permissions as possible.

This applies not just to the application, but also to the infrastructure: the application database, the servers where the system is deployed, and other similar components. The same concept of mapping the minimum necessary access to each role is equally relevant here.

Have Complete Mediation

How were kings' forts protected in medieval times? By having one entrance that everyone had to pass through, and making sure that the entrance was extremely secure.

Do the same thing for securing your application.

For every request, apply a well-implemented security filter. Test the role and access of the user for each and every request.
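As an added illustration of the two principles above (least privilege and complete mediation), not code from the original article: a single mediation function that every request to a microservice passes through, with a role-to-permission table that grants each role only what it needs and a route table that denies anything not explicitly listed. The roles, routes and permission names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not the article's code: roles, routes and permissions are constructed.
# Least privilege: each role is granted only the operations it needs.
ROLE_PERMISSIONS = {
    "customer": {"orders:read-own"},
    "support": {"orders:read-own", "orders:read-any"},
    "admin": {"orders:read-own", "orders:read-any", "orders:cancel"},
}

# Every route declares the permission it requires. A route missing from this
# table is denied for everyone, so a forgotten entry fails closed.
ROUTE_PERMISSIONS = {
    ("GET", "/orders/me"): "orders:read-own",
    ("GET", "/orders"): "orders:read-any",
    ("POST", "/orders/cancel"): "orders:cancel",
}

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: Optional[str]   # None when no valid credentials were presented
    role: Optional[str]

def mediate(req: Request) -> tuple:
    """The single choke point: authenticate, then authorise, on every request."""
    if req.user is None or req.role is None:
        return 401, "unauthenticated"
    required = ROUTE_PERMISSIONS.get((req.method, req.path))
    if required is None:
        return 403, "unknown route (default deny)"
    if required not in ROLE_PERMISSIONS.get(req.role, set()):
        return 403, f"role {req.role!r} lacks {required!r}"
    return 200, "allowed"

def handle(req: Request) -> str:
    """Business handlers run only after mediate() has allowed the request."""
    status, reason = mediate(req)
    if status != 200:
        return f"{status} {reason}"
    return f"200 {req.method} {req.path} as {req.role}"

if __name__ == "__main__":
    print(handle(Request("GET", "/orders/me", "alice", "customer")))   # 200
    print(handle(Request("GET", "/orders", "alice", "customer")))      # 403
    print(handle(Request("GET", "/orders/export", "bob", "admin")))    # 403
    print(handle(Request("GET", "/orders/me", None, None)))            # 401
```

The third call shows the fail-closed behaviour: a route nobody registered is refused even for an admin, rather than quietly bypassing the check.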

Have Defence In Depth

This concept boils down to having multiple levels of security. You would need to have security built into your architecture at application, network, hardware and operating system levels.

Trust Nothing

Make sure that you validate every piece of data or information that comes into the system.

Sanitize all data that comes from external sources.
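An added example for the "Trust Nothing" principle, not taken from the original article: a validator for a constructed "create order" payload as a microservice might receive it. It treats a request from a neighbouring service exactly as it treats one from a browser, rejects unknown fields instead of ignoring them, and sanitizes the one free-text field. Field names and limits are assumptions made for the example.

```python
import re

# Added example, not the article's code: field names and limits are constructed.
MAX_QUANTITY = 100
SKU_PATTERN = re.compile(r"[A-Z0-9]{4,12}")      # strict allow-list for SKUs
REQUIRED_FIELDS = {"customer_id", "sku", "quantity"}
ALLOWED_FIELDS = REQUIRED_FIELDS | {"note"}

class ValidationError(ValueError):
    """Any failed check rejects the whole request."""

def _int_in_range(value: object, lo: int, hi: int, name: str) -> int:
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise ValidationError(f"{name} must be between {lo} and {hi}")
    return value

def validate_order(payload: object) -> dict:
    """Return a cleaned 'create order' payload or raise; data from another service is as untrusted as data from a browser."""
    if not isinstance(payload, dict):
        raise ValidationError("payload must be a JSON object")
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        # Reject rather than silently drop: an unexpected field is a signal.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = REQUIRED_FIELDS - set(payload)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    customer_id = _int_in_range(payload["customer_id"], 1, 2**31 - 1, "customer_id")
    quantity = _int_in_range(payload["quantity"], 1, MAX_QUANTITY, "quantity")
    sku = payload["sku"]
    if not isinstance(sku, str) or not SKU_PATTERN.fullmatch(sku):
        raise ValidationError("sku has unexpected format")
    note = payload.get("note", "")
    if not isinstance(note, str) or len(note) > 200:
        raise ValidationError("note must be a string of at most 200 characters")
    # Sanitize: drop control characters so the note is safe to log and display.
    note = "".join(ch for ch in note if ch.isprintable())
    return {"customer_id": customer_id, "sku": sku, "quantity": quantity, "note": note}

def is_valid_order(payload: object) -> bool:
    try:
        validate_order(payload)
    except ValidationError:
        return False
    return True
```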

Have Economy Of Mechanism

This says that we need to keep the architecture of the system simple. Simple systems are easier to protect.

Ensure Openness Of Design

Avoid trying to achieve system security by making the design obscure. If security rests only on obscurity, a hacker who identifies a single flaw can compromise the system.

This principle is the opposite of the misplaced idea of “Security Through Obscurity”.

The more open a design, the easier it is to identify and address security flaws.

Handling Application Security

There are three important aspects of managing security threats to an application.

Prevention

The best approach is to prevent security incidents from happening by following the principles discussed earlier.

Detection

It is important to have mechanisms in place that detect security violations. When such a violation does happen, detecting it fairly early is worth its weight in gold.

Reaction

After you detect a security violation, the step that follows is the reaction.

A major drawback when handling security violations is that more often than not, organizations are slow in both detecting, and reacting to them.

Make sure you have clear policies on how to react to security violations.

Best Practices In Application Security

Let's look at some of the best practices in building secure systems.

Think Security From Day One

The business development, software development, QA and operations teams - all of them need to make security a high priority right from the initial stages. They need to be well educated about the various threats, and ways to prevent, detect and react to them as needed.

Be Aware Of OWASP

It is important that there is proper awareness of OWASP and their recommendations. They regularly release a “top 10” list about current security threats for applications, as well as tips on how to prevent them.

Use Analysis Tools

Use static analysis tools such as Checkmarx regularly to identify potential security vulnerabilities in the code.

Friendly Hacking

Frequently have external security testers attempt to hack into your application software. This gives you a different perspective on security testing, and also helps find potential flaws earlier.

Avoid Outdated Standards And Frameworks

An OWASP standard recommends that outdated software standards and frameworks with known vulnerabilities be eliminated from your architecture.

Only make use of an approved library/framework/platform that is certified by a security team.

Use the latest versions of this software.

Safeguard Your Infrastructure

Make sure proper protection mechanisms are in place to secure your app server, web server, OS and hardware.


Summary

In this article, we talked about what application security is all about. Essentially, security revolves around two things - authentication and authorization.

We then looked at principles that help make your application more secure. These include assigning minimum privileges, having complete mediation, trusting nothing, having an economy of mechanism and keeping an open design. We then looked at several best practices when it comes to improving application security.
