By Prabath Siriwardena and Nuwan Dias
- How security works in a monolithic application
- Challenges of securing microservices
- Key security fundamentals
- Edge security
- Securing service-to-service communication
- Security in DevOps
- Security code development lifecycle (SCDL)
- Summary
- Your first microservice
- Setting up an OAuth 2.0 server
- Securing a microservice with OAuth 2.0
- Invoking a secured microservice with a client application
- Authorization of requests based on OAuth 2.0 scopes
- Summary
- The need for an API gateway in a microservices architecture
- Security at the edge
- How to pick the correct OAuth 2.0 grant type?
- Setting up an API gateway with Zuul
- Deploying a microservice behind Zuul
- Securing communication between Zuul and the microservice
- Summary
- Building a single-page app
- Introducing an API gateway, and setting up cross-origin resource sharing (CORS)
- Securing a SPA with OpenID Connect
- Federated authentication
- Summary
- Engaging throttling at the API gateway with Zuul
- Monitoring & analytics with Prometheus and Grafana
- Enforce access control policies at the API gateway with Zuul and Open Policy Agent (OPA)
- Summary
- Why use mTLS?
- Creating certificates
- Securing microservices with TLS
- Engaging mTLS
- Challenges in key management
- Key rotation
- Monitoring key use
- SPIFFE
- Summary
- What is a JSON Web Token (JWT)?
- What does a JWT look like?
- JSON Web Signature (JWS)
- JSON Web Encryption (JWE)
- Use cases for securing microservices with JWT
- Setting up an STS to issue JWTs
- Securing microservices with JWT
- Using JWT as a data source to do access control
- Securing service-to-service communication with JWT
- Exchanging a JWT for a new one with a new audience
- Summary
- Understanding gRPC
- Service-to-service communications over gRPC
- Securing gRPC service-to-service communications with mTLS
- Securing gRPC service-to-service communications with JWT
- Summary
- Why event-driven microservices?
- Setting up Kafka as a message broker in a microservices deployment
- Developing a microservice to push events to a topic in Kafka
- Developing a microservice to read events from a Kafka topic
- Using Transport Layer Security (TLS) to protect data in transit
- Using mutual Transport Layer Security (mTLS) for authentication
- Controlling access to Kafka topics with ACLs
- Controlling access to Kafka topics with OPA
- Summary
- Docker security principles
- Deploying a microservice on Docker
- Securing the host
- Running Docker Bench for security
- Running Docker in Swarm mode
- Challenges in container security
- Summary
- Setting up a Docker cluster with Kubernetes
- Kubernetes built-in security features
- Setting up Kubernetes security policies
- Using Kubernetes network policies
- Securing applications with Calico
- Implementing security as a sidecar
- Summary
- Setting up Istio on Kubernetes
- Istio authentication architecture
- Securing service-to-service communication with mTLS
- Securing service-to-service communication with JWT
- Istio authorization architecture
- Enabling authorization
- Summary
- OWASP API security top 10
- Static code analysis vs. dynamic analysis
- Running static code analysis
- Running dependency checks
- Running dynamic analysis with OWASP ZAP
- Integrating security testing with Jenkins
- Summary