Consider security requirements when designing web applications | by Mohammad Nuruzzaman | October 2022

what is certain today may not be so tomorrow

A 2021 research report showed a 31% increase in the average number of cyberattacks compared to the previous year. On September 22, 2022, Optus was the victim of a cyberattack that led to the disclosure of personal information of 9.8 million customers, including passport and licence numbers, emails, home addresses, dates of birth and telephone numbers. Nearly 4 million Australians still don’t know how much of their data was compromised in the data breach at Medibank. At EnergyAustralia, over 323 residential and small business customer accounts were viewed. Woolworths says the data of 2.2 million customers from its MyDeal website was exposed.

The government is working to minimize the impact of these data breaches and continues to actively pursue all possible measures of protection. It is set to introduce new legislation that would charge companies $50 million for multiple breaches of the Privacy Act, i.e. when a company is hit by multiple serious data breaches. The penalties could be even greater depending on the company’s turnover and the estimated value of the stolen data. It is therefore important not to treat application security as an afterthought.

Monolithic applications house all of their code in a single system, and the breadth of data collected by a monolith’s services creates a huge potential for data exposure. Microservices, by contrast, are small self-contained units that each handle an individual function and work with the others to meet a specific business need. This makes them a good choice for developers who need to deliver large and complex applications quickly, frequently and reliably. Working with these distributed components brings several advantages, but also its own unique set of security requirements. There are three levels at which security has to be implemented:

  1. Application level security
  2. Container level security
  3. Data center level security

Because each microservice is independent in its functionality, a security issue in one of them can only affect the subsection it is connected to, not the entire application, whereas in a monolithic architecture the same issue affects the whole application. I believe that security practices should be applied not only in DevOps, but at the heart of the active software development lifecycle. The following steps could be implemented or considered to build more secure, data-driven microservice applications:

  1. Validate all input and enforce complex, encrypted passwords. Reject unexpected or illegal content. Keep track of XML External Entity (XXE) processing in your XML parsers.
  2. Use protocols such as OAuth 2.0 with JWT for login, combined with two-factor authentication. Don’t use JWT for session management.
  3. Similarly, OpenID Connect (for example via Keycloak), an identity layer built on top of OAuth 2.0 and JWT, can be used to authenticate users.
  4. Instead of a plain JWT, work with JWS (signed) or JWE (encrypted) tokens.
  5. Implement biometric authentication in the microservice (increasingly important in light of the Optus data breach).
  6. Enable SSL/TLS and configure the CORS, CSRF and XSS protection features.
  7. Implement security at each microservice level (for example with Open Policy Agent) and use time-based security/encryption keys for each request.
  8. If a microservice makes a request to another in the same environment (inter-service communication), each must verify that the request is valid. This can be managed with a service mesh using Transport Layer Security (TLS), which encrypts traffic between microservices to secure communication between them.
  9. Combine transport layer security with message layer security, using authentication and authorization that define which microservices can access which other microservices.
  10. Run regression tests to ensure that bugs that have been fixed do not reappear in future software releases.
  11. Data must be encrypted as it passes through the communication channel. In addition, all sensitive data in the database must be encrypted.
  12. Enable audit logging. Do not forward technical error details to the front end (FE).
  13. Enable role-based access control (RBAC) with least privilege, and disable ABAC.
  14. Implement Vault and keep configuration data encrypted.
  15. Enable rate limiting on the API gateway to protect against DoS attacks.
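For item 15, the following Python example (added here, not from the original post) implements the per-client token bucket that an API gateway typically uses for rate limiting: each client key (API key or source address) may burst up to `capacity` requests and is then held to `refill_per_sec`. The clock is injectable so the behaviour can be replayed deterministically over a constructed sequence of requests.

```python
import time
from typing import Callable, Dict, List, Tuple

class RateLimiter:
    """Per-client token bucket. A request is allowed only if the client's
    bucket still holds a token; buckets refill continuously up to `capacity`."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill = refill_per_sec
        self.clock = clock
        # client key -> (tokens remaining, timestamp of last update)
        self.buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        # Credit tokens for the time elapsed since the last request, capped at capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, now)
            return True
        self.buckets[client] = (tokens, now)   # no token: reject (HTTP 429 at the gateway)
        return False

def simulate(events: List[Tuple[float, str]], capacity: int = 3,
             refill_per_sec: float = 1.0) -> List[Tuple[str, bool]]:
    """Replay constructed (timestamp, client) events through a limiter
    driven by a fake clock and return each decision."""
    state = {"t": 0.0}
    limiter = RateLimiter(capacity, refill_per_sec, clock=lambda: state["t"])
    decisions = []
    for ts, client in events:
        state["t"] = ts
        decisions.append((client, limiter.allow(client)))
    return decisions

if __name__ == "__main__":
    # Constructed traffic: client A bursts four requests at t=0, B sends one, A retries at t=1.
    sample = [(0.0, "A"), (0.0, "A"), (0.0, "A"), (0.0, "A"), (0.0, "B"), (1.0, "A"), (1.0, "A")]
    for client, ok in simulate(sample):
        print(client, "allowed" if ok else "rate limited")
```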

Beyond development, security is also an integral part of production and post-production processes, such as the focus on networks, the data center where the microservices are deployed, and access control within the microservices. The following steps could be considered:

  1. Avoid exposing all endpoints, ports and the management console to the internet.
  2. Develop a policy on how you prioritize vulnerabilities, be transparent about it, and decide which low-priority vulnerabilities can be safely ignored. Set up automated vulnerability scanning for all your GitHub repositories and Docker images.
  3. Keep track of the library versions used by all services and ensure they are up to date. DevOps teams need to automate testing and security processes and integrate them into the application development pipeline.
  4. Run containers as a non-root user (rootless mode).
  5. Secure the API gateway behind a firewall and HTTPS.
  6. Set up a [email protected] email address and Slack messages that provide real-time notification (alerts) about system vulnerabilities.

Security is a continuous process. While it’s important for developers to build security considerations into their processes, those considerations cannot replace other risk assessment strategies. For services in production, professional penetration testing and bug bounty programs can significantly improve ongoing security controls. A penetration test simulates a cyberattack on the software to reveal bugs and weaknesses, as well as to note strengths, in the microservices ecosystem.