Few Steps To Make Microservice Code More Secure.

  • Writer: Nir Makmal
  • Oct 1, 2019
  • 2 min read


In the new era of microservice systems, developers use many open-source projects, and they tend to rely on those projects without checking whether the project is still maintained or has a critical vulnerability that could put our company in a dangerous position. In this article, I will cover what can be done to make our software code much more secure.

Manually check

One good practice is to manually check how well maintained the open-source project we are planning to use is:

  • Is it maintained?

  • How many stars does the project have?

  • How many contributors does it have?

  • When was the last commit made?

  • Is this open-source project popular in the developer community?

Using Git hooks

We can configure Git hooks that check, before code is pushed to the Git repository, whether the developer has introduced a new open-source dependency into our software, and alert the developers when one is found.

Using the latest version

Another approach is to always compile the project against the latest version of each open-source package. Continuously using the latest version can itself be a security risk, since a newer version may contain flaws and vulnerabilities that have not yet been discovered, so following this approach without static code analysis software can be very risky.
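As an added example (not code from the original post), here is a pre-push hook in Python that does the check described above: it reads the ref pairs Git passes on stdin, pulls the dependency manifest at the remote and local commits with `git show`, and blocks the push while listing every dependency that exists only in the local version. It assumes a Node project whose manifest is `package.json`; the manifest name, the `SAMPLE_OLD`/`SAMPLE_NEW` manifests and the hook layout are assumptions, and the comparison itself is a pure function so it can be exercised without a repository.

```python
#!/usr/bin/env python3
"""Pre-push hook: list dependencies that the pushed commits add to package.json.

Install by copying to .git/hooks/pre-push and making it executable. Git feeds
the hook lines of "<local ref> <local sha> <remote ref> <remote sha>" on stdin.
"""
import json
import subprocess
import sys

MANIFEST = "package.json"  # assumption: Node project; swap for go.mod, pom.xml, ...
ZERO_SHA = "0" * 40        # Git's placeholder for "ref does not exist on that side"


def manifest_dependencies(text: str) -> dict:
    """Return a name -> version-spec map for runtime and dev dependencies.

    An empty manifest body (file absent at that commit) yields no dependencies.
    """
    if not text.strip():
        return {}
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def new_dependencies(old_text: str, new_text: str) -> dict:
    """Dependencies present in new_text but absent from old_text."""
    old = manifest_dependencies(old_text)
    new = manifest_dependencies(new_text)
    return {name: spec for name, spec in new.items() if name not in old}


def file_at(sha: str, path: str) -> str:
    """Contents of path at commit sha, or "" if the commit or file is missing."""
    if sha == ZERO_SHA:
        return ""
    proc = subprocess.run(["git", "show", f"{sha}:{path}"],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def main() -> int:
    """Exit 1 (blocking the push) when any pushed ref introduces a dependency."""
    blocked = False
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 4:
            continue
        local_ref, local_sha, _remote_ref, remote_sha = parts
        # A deleted branch has local_sha == ZERO_SHA, so file_at() returns ""
        # and nothing is reported for it.
        added = new_dependencies(file_at(remote_sha, MANIFEST),
                                 file_at(local_sha, MANIFEST))
        for name, spec in sorted(added.items()):
            print(f"{local_ref}: new dependency {name} ({spec}) needs review",
                  file=sys.stderr)
            blocked = True
    return 1 if blocked else 0


# Constructed sample manifests (assumption) for running the comparison offline.
SAMPLE_OLD = '{"dependencies": {"express": "^4.17.1"}}'
SAMPLE_NEW = ('{"dependencies": {"express": "^4.17.1", "event-stream": "3.3.6"},'
              ' "devDependencies": {"jest": "^24.0.0"}}')


if __name__ == "__main__":
    if sys.stdin.isatty():  # run by hand: show the comparison on the samples
        print(new_dependencies(SAMPLE_OLD, SAMPLE_NEW))
    else:                   # run by Git: stdin carries the ref lines
        sys.exit(main())
```

The hook compares against the commit the remote already has rather than against the working tree, so a dependency that was added several commits ago but never pushed is still reported; the reviewer sees the full set of additions the remote is about to receive.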

SCA — static code analysis

Using an SCA (static code analysis) framework must be part of the CI/CD pipeline in order to detect vulnerabilities in third-party open-source projects. Several static code analysis systems are available: some support languages like C# and Java, others support Go; some are free and others are not. Each organization should perform a comprehensive analysis to check which SCA system best fits its project. One of the latest examples of a critical vulnerability is event-stream 3.3.6: it contained a backdoor, carried by a dependency called flat-map that was inserted into the event-stream open-source project by its new maintainer.
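To show what the dependency-checking part of such a pipeline actually does, here is an added example (not code from the original post or from any of the tools it names): a version-range matcher that compares the resolved versions in a lock file against an advisory list. The advisory list is constructed; its event-stream entry reflects the incident described above (only the 3.3.6 release is affected, and the 3.3.7 upper bound is an assumed "next release" bound, not a statement about a real fix release), and the `example-lib` entry is a placeholder. `SAMPLE_RESOLVED` is a constructed lock-file extract.

```python
"""Match resolved dependency versions against known-vulnerable version ranges.

The range comparison below is the core of what a dependency scanner does with
an advisory feed: advisory ranges are [introduced, fixed), and the versions
being checked must be the resolved ones from a lock file, never a spec like
"^3.3.0".
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed advisory list (assumption). The event-stream entry mirrors the
# article's example; the second entry is a placeholder, not a real advisory.
ADVISORIES = [
    {"package": "event-stream", "introduced": "3.3.6", "fixed": "3.3.7",
     "note": "backdoored release (see article)"},
    {"package": "example-lib", "introduced": "1.0.0", "fixed": "1.4.2",
     "note": "PLACEHOLDER-ADVISORY"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """'v3.3.6' or '3.3.6-beta' -> (3, 3, 6); range operators are rejected."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a resolved version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as a <, ==, > b; shorter tuples are padded so 3.3.6 == 3.3.6.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed; None means unbounded on that side."""
    if introduced is not None and compare(version, introduced) < 0:
        return False
    if fixed is not None and compare(version, fixed) >= 0:
        return False
    return True


def scan(resolved: dict, advisories=ADVISORIES) -> list:
    """Return one finding per (dependency, advisory) pair whose range matches."""
    findings = []
    for name, version in resolved.items():
        for adv in advisories:
            if adv["package"] != name:
                continue
            if in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"package": name, "version": version,
                                 "fixed_in": adv["fixed"] or "no fix yet",
                                 "note": adv["note"]})
    return findings


# Constructed lock-file extract (assumption): resolved package -> version.
SAMPLE_RESOLVED = {"event-stream": "3.3.6", "example-lib": "1.4.2",
                   "express": "4.17.1"}

if __name__ == "__main__":
    for f in scan(SAMPLE_RESOLVED):
        print(f"{f['package']}@{f['version']}: vulnerable, "
              f"fixed in {f['fixed_in']} ({f['note']})")
```

Two details matter in practice: the scan runs on resolved versions (so `example-lib` at exactly its fix version is not flagged, while anything below it is), and `parse_version` refuses a caret or tilde spec outright, because a range such as `^3.3.0` can resolve to a vulnerable release on one machine and a clean one on another.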

In conclusion

When choosing to build a microservice system, we will probably need to depend on many open-source projects or other third-party libraries. These increase our attack surface and, as a result, could create risk for our business. Using open-source projects has many advantages, and we should find a way to both use and contribute to those projects. Today the microservice ecosystem has many tools and frameworks that can help to secure our code.


In the links below you can find free Open Source Software (OSS) security tools:

1. OWASP Dependency Check, a free open-source tool from OWASP.

2. GitHub security alerts for vulnerable dependencies: https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/ A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.


©2020 by Nir Makmal.
