As modern application development trends go, distributed microservices architecture has been one of the most popular and successful in recent memory. The reason is simple. Breaking up the design of an application into smaller pieces and building it as a set of modular components makes it easier to build and maintain than a traditional, monolithic application developed as a single entity. In addition, unlike monolithic applications, individual components can be inserted seamlessly into continuous delivery pipelines.
As a result, microservices has become an almost standard approach for modern application development, particularly when it comes to large enterprise applications built by geographically diverse development teams.
But like most development innovations, microservices present some real challenges. While microservices architectures increase the agility of applications, they also add a lot of moving pieces to an application. And like just about anything else one can build, having more moving pieces only increases the potential for problems. In this case, those problems come in the form of security vulnerabilities.
According to the 2018 WhiteHat Application Security Statistics Report, microservices create more insecurities on average than traditional applications – and not just by a little bit.
For every 100,000 lines of code, a monolithic application has an average of 39 vulnerabilities. By contrast, a microservice application will have an average of 180. In other words, the fact that enterprise applications have transitioned from a monolithic design to one based on microservices architectures has led to an increase in the overall average of total vulnerabilities.
However, despite a propensity for vulnerabilities, applications built on microservices architecture have a higher remediation rate. In addition, the time to fix for vulnerabilities in microservices applications is 50 percent lower than in traditional, monolithic apps. This is due to the fact that one breach in a monolithic application can impact all components, whereas in a microservices app, vulnerabilities can be segregated and contained within the affected component.
Overall, microservices represent a double-edged sword. While vulnerabilities can be fixed more easily in microservice apps, their use of third-party unpatched libraries complicates security protocols and increases risk. Development and security teams must always have this in the back of their mind and use application security best practices to combat these issues. Learn more: https://www.whitehatsec.com/blog/securing-apis-microservices/.