Securing Microservices and APIs with NGINX and Signal Sciences
A shift is happening in the industry. Monolithic web applications are being decomposed into microservices. By breaking up applications into small, decoupled services, developers are able to independently change components of their application.
This architectural approach can have a ripple effect that drastically shrinks the total time to deliver changes and simultaneously reduces risk.
Generally, the move to microservices is paired with the cultural shift to Agile and DevOps. These cultural movements have filtered through many organizations, breaking down silos that once impaired delivery.
Microservices pull apart once-dependent systems and allow teams to move faster in all stages, from development to runtime operations. The move to microservices impacts development, performance, monitoring and — as we will see — security.
The move to microservices also spells good things for the Web, as the majority of microservices implementations are being delivered over HTTP/HTTPS. While there may be more suitable protocols than HTTP, there’s no denying that, as an industry, we know how to optimize and deliver using this protocol better than any other.
For the best experience delivering over HTTP, the open source NGINX software and NGINX Plus are the web server of choice, and it’s easy to see why.
NGINX for Microservices
It’s easy to love NGINX for microservices. One of the reasons NGINX has been much-loved by web operations engineers is its straightforward configuration. For microservices, it’s no different, because you can get NGINX up and running quickly as a web server for your API gateway with just a simple configuration.
Another reason NGINX is the preferred web server for microservices and API gateways is its speed. It’s fast and performs well under web-scale load. NGINX is asynchronous by design and uses an event-driven, non-blocking I/O model, which means that as traffic increases, things won’t slow down.
Operations engineers generally appreciate the flexibility of NGINX to operate either as a web server, a reverse proxy server, or a load balancer. This means NGINX can be used interchangeably throughout an architecture.
NGINX also delivers rock-solid HTTPS performance, but securing this new landscape needs more than just a secure protocol.
Security Concerns for Microservices
On the one hand, security is measurably better in microservices, just by the very nature of the architecture pattern. By decoupling services, you’re not only adding resiliency, but adding new boundaries between portions of the system. Each API can have its own throttling and limits built in to detect error conditions or attempts to overwhelm or abuse the system.
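To make the two points above concrete (a simple NGINX API gateway configuration, and per-API throttling at the boundary between services), here is an added example configuration. It is not from the original post and not Signal Sciences’ or NGINX’s own sample; the hostnames, certificate paths, upstream addresses and the two services (orders and users) are assumptions chosen for illustration. It is meant to be included inside the `http` block of nginx.conf.

```nginx
# Added example, not from the original post. Upstream names, addresses,
# hostname and certificate paths are placeholders.

# One shared-memory zone per API, keyed by client address, so each service
# carries its own rate limit rather than one gateway-wide number.
limit_req_zone  $binary_remote_addr zone=orders_api:10m      rate=20r/s;
limit_req_zone  $binary_remote_addr zone=users_api:10m       rate=5r/s;
limit_conn_zone $binary_remote_addr zone=per_client_conn:10m;

# Signal throttling with 429 instead of the default 503, so monitoring can
# tell "client is being limited" apart from "backend is unhealthy".
limit_req_status  429;
limit_conn_status 429;

upstream orders_service {
    server 10.0.1.10:8080;   # assumed address of an orders service instance
    server 10.0.1.11:8080;
}

upstream users_service {
    server 10.0.2.10:8080;   # assumed address of the users service
}

server {
    listen 443 ssl;
    server_name api.example.com;                                  # placeholder

    ssl_certificate     /etc/nginx/certs/api.example.com.crt;     # placeholder
    ssl_certificate_key /etc/nginx/certs/api.example.com.key;     # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Bound request bodies at the gateway; services never see oversized input.
    client_max_body_size 1m;

    # Cap concurrent connections per client across all APIs.
    limit_conn per_client_conn 50;

    location /api/orders/ {
        limit_req zone=orders_api burst=40 nodelay;
        proxy_pass http://orders_service/;
        proxy_set_header X-Request-ID    $request_id;   # correlate one call across services
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 5s;                          # a slow service fails fast
    }

    location /api/users/ {
        limit_req zone=users_api burst=10 nodelay;
        proxy_pass http://users_service/;
        proxy_set_header X-Request-ID    $request_id;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 5s;
    }

    # Anything not explicitly routed is rejected at the gateway, which keeps
    # the exposed surface to the routes you chose to publish.
    location / {
        return 404;
    }
}
```

Each `location` is the boundary the post describes: the limit, timeout and routing for one service live next to each other, so tightening the users API does not touch the orders API. The distinct 429 status and the `X-Request-ID` header are what make throttling events and abuse attempts visible in logs downstream.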
On the other hand, while the microservices architecture pattern tends to be more secure, the move to microservices can also create new attack vectors. Microservices architectures add a new attack surface as once-internal calls for an application (inside the monolith) are now delivered across the network, and sometimes across the Internet to other services.
In this context, application security is one of the largest gaps in microservices. Now that microservices apps are being delivered over HTTP, the security concerns of traditional application security translate directly to microservices.
Data injection attacks, cross-site scripting, privilege escalation, and command execution are all still relevant. Additionally, if the microservices app doesn’t have sufficient monitoring in place or defenses built in, it could be possible for business logic attacks to go undetected.
Signal Sciences with NGINX Defends Microservices
Signal Sciences provides a web protection platform that runs as a module in all the major web servers and most prominently in NGINX. Signal Sciences takes a unique approach to web application security. The platform identifies common web application attack vectors like XSS, SQLi, and other OWASP Top Ten attacks.
It doesn’t stop there, however. Using Signal Sciences’ custom signals, users can detect business logic flaws and user account takeovers, or monitor any application flow that they desire. Whatever you need to watch more closely, you can easily do it with Signal Sciences.
Signal Sciences spans the breadth of your applications to pinpoint application logic flaws and problems based on your unique business logic. One of our customers, Jon Oberheide, co-founder and CTO of Duo Security, says, “The Signal Sciences approach gives us situational awareness about where and how our applications are attacked so that we can best protect ourselves and our customers.”
Currently, Signal Sciences evaluates two to three billion requests per day that flow through NGINX and the Signal Sciences NGINX module. Like NGINX, Signal Sciences is extremely lightweight and fast. Some of the largest web-scale companies trust Signal Sciences and run our web protection platform on their production traffic. This includes web and API traffic.
Many of our customers are using a microservices architecture pattern, including household names such as Adobe, Etsy, and Vimeo.
If you’re delivering microservices via NGINX, and security and performance are important to you, contact us to explore how Signal Sciences can be the right fit for you.
The post Securing Microservices and APIs with NGINX and Signal Sciences appeared first on NGINX.