Skip to content
master
Go to file
Code
This branch is 339 commits behind microservices-security-in-action:master.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

Microservices Security In Action

By Prabath Siriwardena and Nuwan Dias

Part 1 Overview

Chapter 1: Welcome to microservices security

  • How security works in a monolithic application
  • Challenges of securing microservices
  • Key security funamentals
  • Edge security
  • Securing service-to-service communication
  • Security in DevOps
  • Security code development lifecycle (SCDL)
  • Summary

Chapter 2: Hello World microservices security

  • Your first microservice
  • Setting up an OAuth 2.0 server
  • Securing a microservice with OAuth 2.0
  • Invoking a secured microservice with a client application
  • Authorization of requests based on OAuth 2.0 scopes
  • Summary

Part 2 Edge Security

Chapter 3: Deploying a microservice behind an API gateway

  • The need for an API gateway in a microservices architecture?
  • Security at the edge
  • How to pick the correct OAuth 2.0 grant type?
  • Setting up an API gateway with Zuul
  • Deploying a microservice behind Zuul
  • Securing communication between Zuul and the microservice
  • Summary

Chapter 4: Building a single-page application to talk to microservices

  • Building a single-page app
  • Introducing an API gateway, and setting up cross-origin resource sharing (CORS)
  • Securing a SPA with OpenID Connect
  • Federated authentication
  • Summary

Chapter 5: Engaging throttling, monitoring and access control

  • Engaging throttling at the API gateway with Zuul
  • Monitoring & analytics with Prometheus and Grafana
  • Enforce access control policies at the API gateway with Zuul and Open Policy Agent (OPA)
  • Summary

Part 3 Service to Service Communication

Chapter 6: Securing service-to-service communication with certificates

  • Why use mTLS?
  • Creating certificates
  • Securing microservices with TLS
  • Engaging mTLS
  • Challenges in key management
  • Key rotation
  • Monitoring key use
  • SPIFFE
  • Summary

Chapter 7: Securing service-to-service communication with JWT

  • What is a JSON Web Token (JWT)?
  • What does a JWT look like?
  • JSON Web Signature (JWS)
  • JSON Web Encryption (JWE)
  • Use cases for securing microservices with JWT
  • Setting up an STS to issue JWTs
  • Securing microservices with JWT
  • Using JWT as a data source to do access control
  • Securing service-to-service communication with JWT
  • Exchanging a JWT for a new one with a new audience
  • Summary

Chapter 8: Securing service-to-service communication happens over gRPC

  • Understanding gRPC
  • Service-to-service communications over gRPC
  • Securing gRPC service-to-service communications with mTLS
  • Securing gRPC service-to-service communications with JWT
  • Summary

Chapter 9: Securing Event-driven microservices

  • Why event-driven microservices?
  • Setting up Kafka as a message broker in a microservices deployment
  • Developing a microservice to push events to a topic in Kafka
  • Developing a microservice to read events from a Kafka topic
  • Using Transport Layer Security (TLS) to protect data in transit
  • Using mutual Transport Layer Security (mTLS) for authentication
  • Controlling access to Kafka topics with ACLs
  • Controlling access to Kafka topics with OPA
  • Summary

Part 4 Secure Deployment

Chapter 10: Conquering container security with Docker

  • Docker security principles
  • Deploying a microservice on Docker
  • Securing the host
  • Running Docker Bench for security
  • Running Docker in Swarm mode
  • Challenges in container security
  • Summary

Chapter 11: Securing microservices on Kubernetes

  • Setting up a Docker cluster with Kubernetes
  • Kubernetes built in security features
  • Setting up Kubernetes security policies
  • Using Kubernetes network policies
  • Securing applications with Calico
  • Implementing security as a sidecar
  • Summary

Chapter 12: Securing microservices with Istio service mesh

  • Setting up Istio on Kubernetes
  • Istio authentication architecture
  • Securing service-to-service communication with mTLS
  • Securing service-to-service communication with JWT
  • Istio authorization architecture
  • Enabling authorization
  • Summary

Part 5 Secure Development

Chapter 13: Secure coding practices and automation

  • OWASP API security top 10
  • Static code analysis vs. dynamic analysis
  • Running static code analysis
  • Running dependency checks
  • Running dynamic analysis with OWASP ZAP
  • Integrating security testing with Jenkins
  • Summary

About

Microservices Security in Action Book Samples

Resources

Releases

No releases published

Packages

No packages published
You can’t perform that action at this time.