June 6, 2023

Last Updated on January 16, 2024

How Do Microservices Change Software Security?

How does leveraging a microservice architecture change the way you secure an application? Are traditional tools and approaches like deploying web application firewalls or aligning with the OWASP Application Security Verification Standard (OWASP ASVS) still viable in a microservices realm?

Fortunately, many proven security controls still apply with microservices. You can still use the OWASP ASVS across your software development lifecycle (SDLC), for example.

Dispersing the attack surface

According to Laura Bell Main, CEO at SafeStack, “The biggest change is where your external exposed borders are.”

With traditional, “monolithic” applications it’s comparatively straightforward to identify all the entry and exit points in the system where you need to put controls.

“It was just in one big box,” Laura explains. “It was on one or more servers, but there was a boundary. And this goes back to our old-school thinking … where all our defenses were planned around a single static border that we understood.”

But as we decomposed applications into separate components like microservices, we began spreading those components across various cloud platforms and hosting them from different locations. Instead of a box with a few doors and windows, many software architectures are now more like a mesh or web, with lots of components connecting to each other and sending data back and forth.

More trust zones

Within a microservices architecture, you can’t just put one big defense around the perimeter. Planning where to put security controls involves looking at “trust zones” within a complex, essentially unbounded network. Development and security teams often lack even a common language to talk about where to start.

“I think one of the things that we do poorly in application security is bringing the reference points closer to things that we’ve already seen before or are experiencing elsewhere in security,” relates Laura. “Security in applications is not unique. It is part of software quality. And it shares many [commonalities] with other bits of security. We just have to kind of speak each other’s language a bit so that we can understand where those challenges are.”

What about Zero Trust?

Speaking of which, how valuable are Zero Trust principles when it comes to securing microservice-based applications?

Laura’s view is this: “We’re trying to put our guardrails in place in our applications such that we don’t just implicitly trust and that we verify everything. And that verification is just built into how we do our connections. … We also don’t want to expect that if traffic is coming from inside the network, then it must be fine and trusted.”

It’s about making sure every single request between every single service has the right checks on it, such as authentication or authorization.
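To make that concrete, here is an added example (not code from the post, SafeStack, or the podcast) of a per-request authorization check one service could run on every inbound call from another: the caller proves its identity with a short-lived signed token, a policy says which callers may invoke which operations, and the source IP is recorded but never used as a basis for trust. The token format, signing key, service names and policy are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key shared by the token issuer and every service in the mesh.
# A real deployment would load this from a secrets manager, never a literal.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed policy for the "orders" service: caller -> operations it may invoke.
POLICY = {
    "checkout": {"orders.create", "orders.read"},
    "reporting": {"orders.read"},
}


def issue_token(caller: str, ttl: int = 60, now: Optional[float] = None) -> str:
    """Mint a signed, short-lived service identity token: base64(json claims).hex(hmac)."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": caller, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + sig


def authorize(token: str, operation: str, source_ip: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request. source_ip is only echoed for logging; "inside the network" grants nothing."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        claims_raw = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, claims_raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare; tampered claims fail here
        return False, "bad signature"
    claims = json.loads(claims_raw)
    if claims["exp"] < now:
        return False, "expired"
    caller = claims["sub"]
    if operation not in POLICY.get(caller, set()):
        return False, f"{caller} not allowed to {operation}"
    return True, f"{caller} -> {operation} from {source_ip}"


if __name__ == "__main__":
    tok = issue_token("checkout")
    print(authorize(tok, "orders.create", "10.0.0.5"))          # allowed
    print(authorize(issue_token("reporting"), "orders.create", "10.0.0.5"))  # wrong caller
    print(authorize("", "orders.read", "10.0.0.5"))             # internal IP, no token: still denied
```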

What’s next?

For more guidance on this topic, listen to Episode 119 of The Virtual CISO Podcast with guest Laura Bell Main, CEO at SafeStack.
