DevOps application security expert: “Use microservices”
“If you can get away with it, use microservices as your preferred architecture,” advises Carlos Rivas, DevOps application security expert.
Rivas, who in his day job is a senior solutions architect at InterVision Systems, addressed an audience of hundreds at an online webcast summit produced last week by Virtualization and Cloud Review, which is now available on demand. His presentation, titled “DevOps and Architecture Best Practices for Implementing Application Security”, was one of three presentations at the “Application Security & DevSecOps Summit”.
Rivas was classically trained in software development before moving into DevOps and cloud, so he spoke from a software developer’s perspective. As such, he walked the audience through the usual popular topics: dependency management, user authentication, credential management, vulnerability scanning, encryption, containers, load balancing and firewalls, autoscaling, and so on.
But it was his plea to adopt a microservices architecture, a cloud-native approach in which an application is organized as a loosely coupled set of services, that he opened with, perhaps to the surprise of the audience.
“Microservices are a great technology to consider in development these days, and I always talk about it, whether it’s a security conversation or not, because having a smaller type of architecture for your overall project is always great because it allows you to have multiple team members contributing at the same time,” he said. “You’re not going to have that many crashes, you’re going to have less issues with dependencies and all that. So keep that in mind, but it’s also great in the sense of a security context, and that’s why we are here.”
He then explained how the microservices approach can benefit organizations in general, especially in terms of security, and in the specific context of application development.
DevSecOps Benefits of microservices in general
“Let’s say we have a mobile client or a web visitor that comes to your website. And they enter through an authorization server. The authorization server is nothing more than an app for capturing users and passwords, maybe multi-factor authentication or something like that; it can usually get them to certify that they are indeed who they claim to be.”
Such a web visitor would then typically receive an access token for using the app, proving that they are who they claim to be.
“And then your software can use that access token to go to the authorization server and say, ‘Hey, you know, is this person actually logged in?’ And this software is going to get a yes or a no in that particular context. Now when this happens the authorization server will return a JSON web token. And of course I am just using a standard here; your situation could be very different. But let’s say we get this JSON web token. And these are your security credentials to access your entire app. This token is going to be very different if you are an administrator of your application, because then you are going to have access to things like accounting, back-end, and the type of back-office access to your application. But if you are just a consumer trying to use this web application, you will have the same token. It will just be with a much smaller security footprint. So you may be able to place an order, but not be able to modify an order, for example.
“And you know, to me, that’s like the ideal scenario. So if you are using something like the AWS API Gateway, or something similar on Azure or Google Cloud, that will be the ideal scenario, isn’t it? Because from here on, I’m going to cover the actual microservices next. All you need to worry about is whether this person has an approved token. And does the token provide the permissions needed to access this function or not. And that said, you don’t have to worry about whether this user is logged in as a user or not. You don’t have to worry about all of that, because [with] this architecture, using just that token, you know whoever is using your app has already been approved, authenticated, and the session is live and everything, so it’s okay. That’s why I recommend microservices in general.”
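The flow Rivas sketches, an authorization server that mints a JSON web token carrying the caller’s permissions and a gateway that checks only the token before forwarding to a microservice, is shown below as an added example. It is not code from the article, from Rivas or from InterVision Systems; the HS256 signing secret, the role and scope names, and the route-to-scope table are all assumptions chosen for illustration. The point it demonstrates is the one in the quote: an administrator and a consumer hold the same kind of token, and the difference is only the permission footprint inside it, so a consumer can place an order but not modify one.

```python
"""Added example (not from the article): a minimal token-based authorization flow
with an authorization server that issues HS256 JWTs and a gateway that verifies
signature, expiry and scope before a request reaches a microservice.
All names, secrets and permission strings are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secret shared by the authorization server and the gateway.
# A real deployment would use a managed secret or an asymmetric key pair.
SIGNING_SECRET = b"example-secret-for-illustration-only"

# Assumed permission model: which scopes each role receives in its token.
ROLE_SCOPES = {
    "admin": {"orders:create", "orders:update", "accounting:read"},
    "consumer": {"orders:create"},
}

# Assumed route-to-scope mapping enforced at the gateway.
ROUTE_SCOPES = {
    ("POST", "/orders"): "orders:create",
    ("PUT", "/orders"): "orders:update",
    ("GET", "/accounting"): "accounting:read",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, now: Optional[int] = None, ttl: int = 900) -> str:
    """Authorization server: after the user has authenticated, mint a JWT whose
    scopes reflect the role. Admin and consumer tokens share one format; only
    the scope list differs."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "scope": sorted(ROLE_SCOPES[role]),
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Gateway: check structure, algorithm, signature and expiry; return the
    payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def gateway_authorize(token: str, method: str, path: str, now: Optional[int] = None) -> bool:
    """Gateway decision: True only if the token is valid and carries the scope the
    route requires. The microservice behind the gateway never sees a login; it
    only receives requests the gateway has already approved."""
    try:
        payload = verify_token(token, now)
    except ValueError:
        return False
    needed = ROUTE_SCOPES.get((method, path))
    if needed is None:
        return False  # unknown route: deny by default
    return needed in payload.get("scope", [])


if __name__ == "__main__":
    consumer = issue_token("alice", "consumer", now=1_000_000)
    admin = issue_token("bob", "admin", now=1_000_000)
    print("consumer POST /orders:", gateway_authorize(consumer, "POST", "/orders", now=1_000_100))
    print("consumer PUT  /orders:", gateway_authorize(consumer, "PUT", "/orders", now=1_000_100))
    print("admin    PUT  /orders:", gateway_authorize(admin, "PUT", "/orders", now=1_000_100))
```

The gateway pins the algorithm and compares signatures in constant time, rejects expired tokens, and denies routes it does not know about; each of those is a check a practitioner would want the gateway to make so that the services behind it can rely on the token alone, as the quote describes.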
DevSecOps Benefits of microservices in application development
“But you have to understand that the people who create these software libraries are also software developers just like us. If there is a library that is broken, and there is a potential security hole just waiting to occur, and you are using the exact same library, this is also going to make your software potentially vulnerable to the same problem. So keep your dependencies up to date, and tracking vulnerabilities is a problem, isn’t it?”
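The tracking problem Rivas raises is what a dependency check in a build pipeline addresses: compare every pinned version against the affected ranges in published advisories and fail the build on a match. The script below is an added example, not code from the article or from InterVision Systems; the lockfile, the package names and the advisory entries are all constructed for illustration (a real pipeline would read the project’s own lockfile and a real advisory database such as OSV).

```python
"""Added example (not from the article): flag pinned dependencies whose version
falls inside an advisory's affected range. Lockfile, package names and advisories
below are constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed lockfile in requirements.txt "name==version" form.
LOCKFILE = """\
# constructed sample lockfile
acme-http==2.25.1
acme-util==1.26.4
acme-web==2.3.2
acme-yaml==5.3
"""

# Constructed advisories: package, first affected version (inclusive),
# first fixed version (exclusive), and a placeholder identifier.
ADVISORIES = [
    {"package": "acme-util", "introduced": "1.26.0", "fixed": "1.26.5", "id": "EXAMPLE-ADV-1"},
    {"package": "acme-yaml", "introduced": "0", "fixed": "5.4", "id": "EXAMPLE-ADV-2"},
    {"package": "acme-web", "introduced": "0", "fixed": "2.2.5", "id": "EXAMPLE-ADV-3"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.4' into (1, 26, 4) so versions compare as tuples. Non-numeric
    characters are dropped, which is enough for the plain numeric pins used here."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, skipping blanks and comments."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(pins: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, advisory_id) for every pin in an affected range."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and is_affected(pinned, adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], pinned, adv["id"]))
    return hits


def report(lockfile_text: str, advisories: List[dict]) -> List[str]:
    """One line per finding, suitable for failing a CI step when non-empty."""
    hits = find_vulnerable(parse_lockfile(lockfile_text), advisories)
    return [f"{pkg}=={ver} is affected by {adv_id}; upgrade required" for pkg, ver, adv_id in hits]


if __name__ == "__main__":
    findings = report(LOCKFILE, ADVISORIES)
    for line in findings:
        print(line)
    raise SystemExit(1 if findings else 0)
```

Exiting non-zero when there are findings is what turns the check into a gate: the build fails until the pin is moved past the fixed version, which is the “keep your dependencies up to date” part of the advice made mechanical.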
That served as a segue into dependency management and the other topics mentioned above, before he closed by returning once more to microservices.
“So if you can get away with it, use microservices as your preferred architecture,” said Rivas, who described it as a type of service-oriented architecture (SOA). “So use this to your advantage, if possible.”
Security in general is a central topic of Virtualization and Cloud Review’s online summits, as the schedule of live events in the coming weeks shows: