When designing and implementing micro-services, security is a crucial aspect that cannot be overlooked. Here are key security considerations to keep in mind:
1. Authentication
Ensure that users or services are who they claim to be.
- JWT (JSON Web Tokens)
- OAuth
- SAML (Security Assertion Markup Language)
2. Authorization
Verify that authenticated entities have the right permissions to perform specific actions.
- RBAC (Role-Based Access Control)
- JWT
- SAML
- mTLS
3. Confidentiality
Ensure that data is only accessible to those it's intended for.
- Encryption (for data in flight and at rest)
- ACLs (Access Control Lists)
4. Integrity
Prevent unauthorized tampering of data.
- Signing
5. Non-Repudiation
Ensure that actions cannot be denied by the entity that performed them.
- Audit logs
- Digital signatures
6. DDoS Protection
Maintain service availability by protecting against Distributed Denial of Service attacks.
- WAF (Web Application Firewall)
- Throttling
7. Securing Deployments -- Container/K8s/Cloud
Ensure that your infrastructure is properly secured.
For comprehensive checklists and guidelines, refer to: CIS Security Benchmarks
8. Secure coding
Ensure mis-configurations, sensitive information leakage via logs, API response etc. Up to date library and OS versions.
Tools and Practices - Sonar Cube, BlackDuck, Burpe-suite, VA-PT