Authentication and Authorization from Client to Server.
Think about how you can do this in a stateful versus a stateless way.
- Cookies (stateful)
- Tokens (stateless)
Understand the pros and cons of both approaches.
A good starting point is this post: https://hacks.mozilla.org/2012/12/using-secure-client-side-sessions-to-build-simple-and-scalable-node-js-applications-a-node-js-holiday-season-part-3/
Authentication and authorization for service-to-service communication
- Network boundary (not recommended)
- mTLS
- JWT or similar Tokens
Understand the pros and cons of mTLS and JWT. Understand who will create the JWTs, who will validate them, and who will hold the key material needed to validate them.
This link has a good overview: https://livebook.manning.com/book/microservices-security-in-action/chapter-1/v-4/109
Authorization Server
In most cases, introducing an authorization server solves the question of who is allowed to generate tokens, so you should recommend a solution built around one. The authorization server can also expose an endpoint that validates JWTs or similar tokens on behalf of other services.
Read more: https://livebook.manning.com/book/api-security-in-action
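The two sections above (who creates JWTs, who validates them, and who holds key material) come down to a split that an added example can make concrete. This is illustrative code written for this post, not from any of the linked books: the authorization server signs with an EdDSA private key it alone holds, and every other service verifies with only the public key, pinning the algorithm and checking issuer, audience and expiry. The issuer and audience strings are made-up placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims the receiving service checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding

// Issue runs on the authorization server, the only place the private key lives.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// Verify runs in every downstream service and needs only the public key.
func Verify(pub ed25519.PublicKey, tok, iss, aud string, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm; never let the token's header choose how it is verified.
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unsupported header")
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature") // checked before any claim is trusted
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return &c, nil
}
```

If the authorization server instead used a shared HMAC secret, every validating service would hold the same secret and could mint tokens itself, which is exactly the key-material question the post asks you to think through.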
API Gateway
Using an API gateway or a similar construct can help you validate tokens, add throttling limits and validate input parameters. Read more about API gateways and see how you can integrate a similar solution into your architecture.
Read more: https://www.alexdebrie.com/posts/api-gateway-elements/
On top of the components above, think about security design principles and how you can apply them in your system.
- Least Privilege
- Separation of duties
- Defense in depth
- Auditing (alerting and monitoring)
- Minimize blast radius
Read the case studies in Google's book: https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf
In the comments, ask me for any clarification and I am happy to help. If most of you struggle with a specific topic, I will try to write a dedicated blog post on that topic.
Best of luck everyone.
#cybersecurity #interview #security
comments
fail
you’re making an assumption that a cookie is bound to some server side state but that’s orthogonal
you’re kind of getting into appsec or even swe territory here though. still, imho every security engineer should understand SOP, cookies, JWT, and maybe CORS. these things are pretty fundamental for the world we live in