Design Review for Security Engineering

Amazon
fancyPanda
Mar 30

Authentication and Authorization from Client to Server.

Think about ways you can do this in a stateful vs stateless way.
- Cookies (stateful)
- Tokens

Understand the Pros and Cons of both approaches.
Good starting point is this https://hacks.mozilla.org/2012/12/using-secure-client-side-sessions-to-build-simple-and-scalable-node-js-applications-a-node-js-holiday-season-part-3/

Authentication and Authorization for service-to-service communication
- Network boundary (not recommended)
- mTLS
- JWT or similar tokens

Understand the pros and cons of mTLS and JWT. Understand who will create JWT tokens, who will validate them, and who will hold the key material to validate the tokens.
This link has a good overview https://livebook.manning.com/book/microservices-security-in-action/chapter-1/v-4/109
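A minimal stateless session token of the kind the Mozilla article above describes, as an added example that is not from this post or the linked books: the issuer signs the claims with an HMAC key, and the verifier checks the MAC in constant time and rejects expired or tampered tokens. SECRET_KEY and the TTL are constructed values; note that with a symmetric key every service that can verify can also mint, which is exactly the key-material question raised in the service-to-service section.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real system only the issuer (authorization server)
# should hold it: with an HMAC key, any verifier can also mint tokens.
SECRET_KEY = b"demo-key-do-not-use-in-production"
TOKEN_TTL_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload_b64.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Stateless session: all state lives in the signed payload, no server-side store."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload_b64 = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(payload_b64, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    # Check the MAC before parsing anything; compare_digest avoids leaking how
    # many signature bytes matched through timing.
    if not hmac.compare_digest(_sign(payload_b64, key), sig_b64):
        return None
    try:
        claims = json.loads(_unb64(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims
```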

Authorization Server

In most cases, creating an authorization server will solve the problem of who can generate tokens. You should recommend a solution with an authorization server. The authorization server will also have an endpoint that validates JWT or similar tokens for other services.

Read More https://livebook.manning.com/book/api-security-in-action

API Gateway

Using an API Gateway or a similar construct can help you with validating tokens, adding throttling limits, and validating input parameters. Read more about API Gateway and see how you can integrate a similar solution in your architecture.
Read More https://www.alexdebrie.com/posts/api-gateway-elements/

On top of components above, think about security design principles and how you can apply those in your system.
- Least Privilege
- Separation of duties
- Defense in depth
- Auditing (alerting and monitoring)
- Minimize blast radius
Read about case studies from Google's book https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf

Ask me for any clarification in the comments and I am happy to help. If most of you struggle with a specific topic, I will try to make a dedicated blog post on that topic.

Best of luck everyone.

#cybersecurity #interview #security
