Forrester Report: Why to automate AppSec now.

Continuous Security Testing for Microservices

Being a part of today’s tech-industry, you probably notice all winds blowing towards the implementation of DevOps and CI\CD methodologies, and rightfully so. Today’s software developers face an ever growing need for speedy development-to-production cycles with uncompromising security and reliability. One way of facing the speed versus quality challenge is the introduction of microservices.



Unlike the classic monolithic approach to developing an application, microservices break the application down to its various components with each component behaving as full a stack as possible. Imagine many mini-apps that together make one unified application. Those mini-apps often revolve around a specific business capability and must be able to communicate and scale seamlessly.


Expectedly, there are pros and cons to the adoption of microservices and though we won’t go through them all, there are some worth mentioning:


Modularity – Breaking down a large and complex application to its components improves modularity and makes each component easier to understand, develop, modify and test.


Independency – One microservice failing doesn’t mean the entire system is affected. Similarly, there is no need to upgrade and test the entire system for just one component.


Fast Paced Environments – Microservices’ structure enables a decentralized approach to data management and more importantly, it enables continuous delivery and deployment bringing us back to the first paragraph and the need for speed.


That said, microservices are not a one-size-fits-all solution.

Consistency  – It is harder to maintain consistency throughout the system.


System Dependencies and Development Roadblocks – Microservices create an increased number of system dependencies and while parallelizing development they also create parallel development roadblocks.


Testing – Microservices can create a challenge when it comes to testing as it is hard to get one flow through the entire system.


On that last note, microservices present security testing challenges as well:


Application security testing (AST) solutions that aim to fit a microservices development method need to offer incremental testing. Solutions that are only able to scan all related binaries at once are not suitable. Such solutions are bound to impose delays on the continuous integration process and present false positives\negatives as they don’t take into consideration each service’s specific logic. When dealing with microservices, it is particularly important to use an AST solution capable of scanning independent segments of code, i.e independent microservices.


Shifting security left in the SDLC is ever more valuable when dealing with microservices. Implementing Static Code Analysis (or SAST) for each microservice complements the fast development environment they aim to achieve. Scanning a microservice’s uncompiled code before it is linked to other microservices, is key to pinpointing and remediating vulnerabilities.  That said, the ideal AST solution should also offer Interactive AST (IAST) which will ensure end-to-end security testing – IAST provides high scenario coverage and can detect vulnerabilities that can only be detected on running applications.


Microservices present a need for customization. Being the independent units that they are, microservices allow broad technological and design flexibility. Their independency also means each microservice will often require its own set of security tests. AST solutions supporting microservices should allow developers to easily create their own security queries or modify existing ones to better fit the needs of each microservice. This will ensure each service is accurately and thoroughly tested for vulnerabilities.


To summarize the above, AST solutions need to keep up with microservices’ modular, flexible and independent nature in order to provide the most accurate vulnerability scanning. They need to ensure developers can easily modify them to better suit their needs, they have to be able to scan independent services and should offer rapid and complete SDLC coverage, from initial coding to the running application.


There are many considerations to keep in mind when deciding to shift to microservices. If you wish to learn more about the pros and cons as well as testing implementations, take a look at Checkmarx’s joint whitepaper with Tricentis and Insight Venture Partners.


For more information on security testing and microservices, click here for our recent whitepaper on the subject.


Jump to Category