October 7, 2015 By Rick M Robinson 2 min read

Microservices are small, independently deployable application services, usually containerized, that each perform a single task or a small group of related tasks, unlike traditional monolithic applications that handle a broad range of tasks inside one deployable unit. They are transforming the business application world in ways that are almost entirely positive.

For developers, microservices speed up development and deployment. For end users, they offer performance and flexibility: a microservice can be updated or even replaced by a new one with minimal impact on the rest of the application it supports.

But this speed, power and flexibility come with security complications that are transforming the application security landscape. Security managers on both the developer side and the end-user side need to be aware of these complications and plan for them in advance to ensure secure applications and services.

More Surface Area to Attack

As Serdar Yegulalp pointed out at InfoWorld, microservices transform the application security landscape in two fundamental and related ways. First, they communicate via application programming interfaces (APIs) that are independent of machine architecture and even programming language. As a result, each service exposes far more surface than a subroutine or module inside a monolithic application, which interacted only with other parts of the same process: a microservice's API is reachable over the network, so it is exposed to many more potential attacks.

DevOps Comes to Security

Moreover, microservices are transforming the development process, accelerating the trend toward DevOps, the blending of application development and operations. Because they are small, they can be built or modified quickly, which is one of the keys to their flexibility. Gone are the days when a new or upgraded application went through months or even years of successive alpha and beta testing before being released to the world.

But the result is that their security controls no longer receive months of pre-release testing. To keep this from becoming a problem, security has to be verified continuously, at every stage of the development and deployment pipeline, rather than in a final test phase that no longer exists.

Application Security Following the Path of Network Security

In the big picture, the impact of microservices on application security has much in common with the transformation of network security over the last decade. Formerly, local networks had only a few connections to the outside world, and securing that perimeter was sufficient; today, with networks having a multitude of entry points, perimeter defense is only the starting point of network security, not the be-all and end-all.

In the same way, applications built out of microservices cannot be protected simply by securing their explicit, user-facing inputs and outputs. Those remain crucial, but the microservices themselves and the APIs through which they call one another must be secured as well: every internal endpoint has to authenticate the service calling it and authorize the operation requested, rather than trusting anything that can reach it on the network. This can be a challenge.
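The point above, as an added example that is not code from the original article or from the InfoWorld piece it cites: an internal inventory endpoint shown first as it is typically written (trusting any caller that reaches its port) and then hardened so that it authenticates the calling service and checks that service's permissions. The service names, the `X-Service-Token` header, the allow list and the shared-key HMAC token scheme are all assumptions for illustration; in a real deployment the caller identity would more often come from mutual TLS or a signed token issued by an identity service, but the checks the handler must perform are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical shared secret between the token issuer (for example an API
# gateway or identity service) and this microservice. A constant here only
# to keep the example self-contained; a real deployment would load it from
# a secret store and rotate it.
SERVICE_KEY = b"example-shared-key-do-not-use-in-production"

# Hypothetical per-caller allow list: which calling service may invoke
# which operation on this inventory service. Least privilege: the
# reporting service can read stock levels but cannot reserve stock.
ALLOWED_OPERATIONS = {
    "orders-service": {"GET /inventory", "POST /inventory/reserve"},
    "reporting-service": {"GET /inventory"},
}

TOKEN_HEADER = "X-Service-Token"  # assumed header name


def mint_token(caller: str, now: int, ttl_seconds: int = 60) -> str:
    """Issue a short-lived HMAC-signed token naming the calling service."""
    payload = json.dumps(
        {"sub": caller, "exp": now + ttl_seconds}, separators=(",", ":")
    ).encode()
    sig = hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(sig).decode()
    )


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the calling service's name if the token is genuine and
    unexpired, otherwise None. Malformed input is treated as invalid."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot recover the signature
    # byte by byte from timing differences.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)  # only reached once the signature checks out
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def handle_unprotected(method: str, path: str, headers: dict) -> Tuple[int, dict]:
    """Before: the endpoint answers anything that can reach its port."""
    return 200, {"stock": 42}


def handle_protected(method: str, path: str, headers: dict, now: int) -> Tuple[int, dict]:
    """After: authenticate the calling service, then authorize the operation."""
    caller = verify_token(headers.get(TOKEN_HEADER, ""), now)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if f"{method} {path}" not in ALLOWED_OPERATIONS.get(caller, set()):
        return 403, {"error": "forbidden"}
    return 200, {"stock": 42}


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token("orders-service", now)
    print(handle_unprotected("GET", "/inventory", {}))
    print(handle_protected("GET", "/inventory", {TOKEN_HEADER: token}, now))
    print(handle_protected("GET", "/inventory", {}, now))
```

Note that the authorization step is keyed on the verified caller name, not on anything the caller supplies in the request body, and that an unknown but validly signed caller still gets 403 because it has no entry in the allow list. That is the "default deny" a perimeter-only design never applies to its internal calls.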

Building in Security From the Start

The good news is that microservices and DevOps simply emphasize a basic and longstanding principle of good security design: Security needs to be built in from the outset, not simply bolted on as an afterthought. The best development teams have always taken security into account as integral to the architecture, and this best practice is now even more of a necessity.

Likewise, end users of services or applications built from microservices cannot treat security as one more box to check off. It needs to be part of the lens through which they view every tool they consider using. Developers and end users who keep these basic principles of application security in mind will benefit from the speed and flexibility of microservices without discovering hidden security flaws the hard way.
