Microservices are small, containerized application services that perform a single task or a small group of related tasks — unlike traditional, monolithic applications that handle a broad range of tasks. And they are transforming the business application world in ways that are almost entirely positive.

For developers, these tools speed up development and deployment. For end users, they offer performance and flexibility; a microservice can be updated or even replaced by a new one with minimal impact on the rest of the application functionality that it supports.

But this speed, power and flexibility come with security complications that are transforming the application security landscape. Security managers for both developers and end users need to be aware of these complications and plan for them in advance to ensure secure applications and services.

More Surface Area to Attack

As Serdar Yegulalp pointed out at InfoWorld, microservices transform the application security landscape in two fundamental and related ways. First, they communicate via application programming interfaces (APIs) that are independent of machine architecture and even programming language. As a result, they have much more exposed surface than traditional subroutines or functionalities of a large application, which only interacted with other parts of the same application. Therefore, they are exposed to more potential attacks.

DevOps Comes to Security

Moreover, microservices are transforming the development process — accelerating the trend toward DevOps, the blending of application development and operations. Because they are microscaled, they can be built or modified quickly, which is one of the keys to their flexibility. Gone are the days when a new or upgraded application went through months or even years of successive alpha and beta testing before being released to the world.

But the end result is that their security features are not subject to prolonged development testing. To prevent this from becoming a problem, microservices security needs to be ensured throughout the development process.

Application Security Following the Path of Network Security

In the big picture, the impact of microservices on application security has much in common with the transformation of network security in the last decade. Formerly, local networks had only a few connections to the outside world, and securing those endpoints was sufficient; today, with networks having a multitude of entry points, endpoint protection is only the starting point of network security, not the be-all and end-all.

In the same way, applications that are built out of microservices cannot be protected simply by securing their explicit input and output functionalities. These remain crucial, but the security of the microservices and their APIs must also be ensured. This can be a challenge.

Building in Security From the Start

The good news is that microservices and DevOps simply emphasize a basic and longstanding principle of good security design: Security needs to be built in from the outset, not simply bolted on as an afterthought. The best development teams have always taken security into account as integral to the architecture, and this best practice is now even more of a necessity.

Likewise, end users of services or applications built from microservices cannot regard security as one more line to check off. It needs to be part of the lens through which users view every tool they consider using. Developers and end users who keep these basic principles of application security in mind will benefit from the speed and flexibility of microservices without discovering hidden security flaws the hard way.
