With the proliferation of microservices, managing security for these services becomes a challenge. Besides the Open Web Application Security Project (OWASP) top ten web vulnerabilities, some of the questions that need to be answered are as follows:
- Does the service require the client to authenticate before service invocation (such as OAuth)?
- Can a client call any service or only the service for which it is authorized?
- Does the service know the identity of the client from where the request originated and does it get passed down to the downstream services? Do the downstream services have a mechanism to verify the authorization of their invocation?
- Is the traffic of service-to-service invocations secured (HTTPS)?
- How do we verify that a request received from an authenticated user hasn't been tampered with?
- How do we detect and reject a replay of a request?
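The last three questions (is the originating identity passed downstream, has the request been tampered with, and is it a replay) can be answered together by having the calling service sign each request and the receiving service verify that signature. The following Python is an added example written for this page, not code from the original text or from any particular framework; the header names, the shared key, the 30-second clock-skew window and the sample services are all constructed assumptions. It binds the caller identity, method, path, body hash, timestamp and a random nonce into one HMAC, so any change to those fields is detected, stale requests are rejected, and a repeated nonce is caught by a replay cache.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for this example only. A real deployment would load a
# per-service key from a secrets manager or use mTLS-bound identities instead.
SHARED_KEY = b"example-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 30  # assumed tolerance for clock drift between services


def canonical_string(caller, method, path, body, ts, nonce):
    """Deterministic byte string covering every field the receiver must trust."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([caller, method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(key, caller, method, path, body, now=None, nonce=None):
    """Produce the auth headers the calling service attaches to an outbound request."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(key, canonical_string(caller, method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    # Hypothetical header names; any consistent naming works.
    return {"X-Caller": caller, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


class ReplayCache:
    """Remembers accepted nonces for as long as their request could still be valid."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._seen = {}  # nonce -> expiry time

    def check_and_add(self, nonce, now):
        # Evict entries whose request window has fully closed.
        for n, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[n]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + self.ttl
        return True


def verify_request(key, cache, headers, method, path, body, now=None):
    """Receiving-service check. Returns (True, caller) or (False, reason)."""
    now = int(now if now is not None else time.time())
    try:
        caller = headers["X-Caller"]
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    expected = hmac.new(key, canonical_string(caller, method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; a mismatch means body, path, caller or key differs.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Reject requests outside the skew window so old captures cannot be reused later.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    # Within the window, the nonce must be fresh; TTL of 2 * skew covers both sides.
    if not cache.check_and_add(nonce, now):
        return False, "replayed nonce"
    return True, caller


if __name__ == "__main__":
    # Constructed sample exchange between two hypothetical services.
    cache = ReplayCache(ttl=2 * MAX_SKEW_SECONDS)
    body = b'{"amount":10}'
    hdrs = sign_request(SHARED_KEY, "orders-svc", "POST", "/v1/charge", body)
    print(verify_request(SHARED_KEY, cache, hdrs, "POST", "/v1/charge", body))
    print(verify_request(SHARED_KEY, cache, hdrs, "POST", "/v1/charge", body))
    print(verify_request(SHARED_KEY, cache, hdrs, "POST", "/v1/charge", b'{"amount":99}'))
```

Because the caller identity is part of the signed string, a downstream service can use the verified `X-Caller` value for its own authorization decision rather than trusting an unsigned header. The replay cache shown is in-process; across several replicas it would need a shared store with the same TTL.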
In the distributed microservice model, we need to control and limit the privileges the calling party...