Introduction
The microservice architecture is being increasingly used for designing and implementing application systems in both cloud-based and on-premise infrastructures. There are many security challenges need to be addressed in the application design and implementation phases. In order to address some security challenges it is necessity to collect security-specific information on application architecture. The goal of this article is to provide a concrete proposal of approach to collect microservice-based architecture information to securing application.
Context
During securing applications based on microservices architecture, security architects/engineers usually face with the following questions (mostly referenced in the OWASP Application Security Verification Standard Project under the section V1 "Architecture, Design and Threat Modeling Requirements"):
- Threat modeling and enforcement of the principle of least privilege:
- What scopes or API keys does microservice minimally need to access other microservice APIs?
- What grants does microservice minimally need to access database or message queue?
- Data leakage analysis:
- What storages or message queues do contain sensitive data?
- Does microservice read/write date from/to specific database or message queue?
- What microservices are invoked by dedicated microservice? What data is passed between microservices?
- Attack surface analysis:
- What microservices endpoints need to be tested during security testing?
In most cases, existing application architecture documentation is not suitable to answer those questions. Next sections propose what architecture security-specific information can be collected to answer the questions above.
Objective
The objectives of the cheat sheet are to explain what architecture security-specific information can be collected to answer the questions above and provide concrete proposal of approach to collect microservice-based architecture information to securing application.
Proposition
Collect information on the building blocks
Identify and describe application-functionality services
Application-functionality services implement one or several business process or functionality (e.g., storing customer details, storing and displaying product catalog). Collect information on the parameters listed below related to each application-functionality service.
Identify and describe infrastructure services
Infrastructure services including remote services may implement authentication, authorization, service registration and discovery, security monitoring, logging etc. Collect information on the parameters listed below related to each infrastructure service.
Identify and describe data storages
Collect information on the parameters listed below related to each data storage.
Identify and describe message queues
Messaging systems (e.g., RabbitMQ or Apache Kafka) are used to implement asynchronous microservices communication mechanism. Collect information on the parameters listed below related to each message queue.
Identify and describe data assets
Identify and describe data assets that processed by system microservices/services. It is advisable firstly to identify assets, which are valuable from a security perspective (e.g., "User information", "Payment"). Collect information on the parameters listed below related to each asset.
Collect information on relations between building blocks
Identify "service-to-storage" relations
Collect information on the parameters listed below related to each "service-to-storage" relation.
Identify "service-to-service" synchronous communications
Collect information on the parameters listed below related to each "service-to-service" synchronous communication.
Identify "service-to-service" asynchronous communications
Collect information on the parameters listed below related to each "service-to-service" asynchronous communication.
Identify "asset-to-storage" relations
Collect information on the parameters listed below related to each "asset-to-storage" relation.
Create a graphical presentation of application architecture
It is advisable to create graphical presentation of application architecture (building blocks and relations defined above) in form of services call graph or data flow diagram. In order to do that one can use special software tools (e.g. Enterprise Architect) or DOT language. See example of using DOT language here.
Use collected information in secure software development practices
Collected information may be useful for doing application security practices, e.g. during defining security requirements, threat modeling or security testing. Sections below contains examples of activities related to securing application architecture (as well as its mapping to OWASP projects) and tips for their implementation using information collected above.
Attack surface analysis
Implementation tips
To enumerate microservices endpoints that need to be tested during security testing and analyzed during threat modeling analyze data collected under the following sections:
- Identify and describe application-functionality services (parameter "API definition")
- Identify and describe infrastructure services (parameter "Link to the service documentation")
Mapping to OWASP projects
- OWASP ASVS, V1 "Architecture, Design and Threat Modeling Requirements", #1.1.2
- OWASP Attack Surface Analysis Cheat Sheet
Data leakage analysis
Implementation tips
To analyze possible data leakage analyze data collected under the following sections:
- Identify and describe data assets
- Identify "service-to-storage" relations
- Identify "service-to-service" synchronous communications
- Identify "service-to-service" asynchronous communications
- Identify "asset-to-storage" relations
Mapping to OWASP projects
- OWASP ASVS, V1 "Architecture, Design and Threat Modeling Requirements", #1.1.2
- OWASP Top 10-2017 A3-Sensitive Data Exposure
Application's trust boundaries, components, and significant data flows justification
Implementation tips
To verify documentation and justification of all the application's trust boundaries, components, and significant data flows analyze data collected under the following sections:
- Identify and describe application-functionality services
- Identify and describe infrastructure services
- Identify and describe data storages
- Identify and describe message queues
- Identify "service-to-storage" relations
- Identify "service-to-service" synchronous communications
- Identify "service-to-service" asynchronous communications
Mapping to OWASP projects
Analysis of the application's high-level architecture
Implementation tips
To verify definition and security analysis of the application's high-level architecture and all connected remote services analyze data collected under the following sections:
- Identify and describe application-functionality services
- Identify and describe infrastructure services
- Identify and describe data storages
- Identify and describe message queues
Mapping to OWASP projects
Implementation of centralized security controls verification
Implementation tips
To verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls analyze data collected under the section "Identify and describe infrastructure services".
Mapping to OWASP projects
Enforcement of the principle of least privilege
Implementation tips
To define minimally needed microservice permissions analyze data collected under the following sections:
- Identify and describe application-functionality services (parameter "API definition")
- Identify "service-to-storage" relations
- Identify "service-to-service" synchronous communications
- Identify "service-to-service" asynchronous communications
Mapping to OWASP projects
Sensitive data identification and classification
Implementation tips
To verify that all sensitive data is identified and classified into protection levels analyze data collected under the following sections:
- Identify and describe data assets
- Identify "asset-to-storage" relations
Mapping to OWASP projects
Application components business/security functions verification
Implementation tips
To verify the definition and documentation of all application components in terms of the business or security functions they provide analyze data collected under the following sections (parameter "Short description"):
- Identify and describe application-functionality services
- Identify and describe infrastructure services