Threat Modeling for APIs in microservices architectures: A practical framework
1 Department of Computer Science Engineering, Kent State University, Kent, Ohio, USA.
2 Department of Computer Engineering, Purdue University, Indianapolis, Indiana, USA.
Review Article
World Journal of Advanced Research and Reviews, 2022, 14(03), 853-856
Publication history:
Received on 16 April 2022; revised on 26 June 2022; accepted on 29 June 2022
Abstract:
The rapid evolution of microservices and cloud-native architectures has made Application Programming Interfaces (APIs) a critical backbone for modern software systems. However, this shift also introduces complex security risks due to decentralized ownership, ephemeral service interactions, and increased external exposure. Threat modeling provides a structured and proactive approach to identifying and mitigating these risks before they manifest. This paper proposes a practical and adaptable framework for conducting API-centric threat modeling within microservices environments. It synthesizes established methodologies such as STRIDE and data flow diagrams (DFDs), integrates them with modern DevSecOps and Zero Trust principles, and aligns the framework with agile delivery processes. A real-world case study illustrates the application of this methodology to a Kubernetes-based retail platform, highlighting common risks and corresponding mitigations. The paper concludes with a call for continuous threat modeling, emphasizing its role as a living activity essential to securing distributed systems in 2022 and beyond.
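The abstract names the two building blocks of the framework, STRIDE applied to a data flow diagram and a Zero Trust stance on every call, without showing how they combine. The following is an added illustration, not code from the paper: it applies the classic STRIDE-per-element table to a constructed model of a small retail platform (service names, trust zones and flows are all assumptions chosen to resemble the Kubernetes case study) and flags service-to-service calls that rely on network position instead of per-request authentication and encryption.

```python
"""STRIDE-per-element threat enumeration over a small API data-flow model.

Added illustration, not code from the paper. The services, trust zones and
flows below are constructed; the Zero Trust checks flag calls that trust the
network instead of authenticating and encrypting each request.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classic STRIDE-per-element applicability: which of the six categories are
# considered for each kind of DFD element.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six categories
    "datastore": "TRID",  # data store: Tampering, Repudiation (logs), Info disclosure, DoS
    "dataflow": "TID",    # data flow: Tampering, Info disclosure, DoS
}
CATEGORY: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "datastore"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str
    authenticated: bool  # caller identity verified per request (token, mTLS cert)
    encrypted: bool      # TLS/mTLS on the wire


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element table to every element and every flow."""
    zone = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, CATEGORY[code], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        target = f"{f.src} -> {f.dst} ({f.label})"
        for code in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append(Threat(target, CATEGORY[code], crosses))
    return threats


def zero_trust_gaps(elements: List[Element], flows: List[Flow]) -> List[str]:
    """Flows that break 'authenticate and encrypt every call, whatever the network'."""
    zone = {e.name: e.zone for e in elements}
    gaps: List[str] = []
    for f in flows:
        where = "crosses trust boundary" if zone[f.src] != zone[f.dst] else "within one zone"
        target = f"{f.src} -> {f.dst} ({f.label})"
        if not f.authenticated:
            gaps.append(f"Spoofing: {target} is unauthenticated ({where})")
        if not f.encrypted:
            gaps.append(f"Information disclosure/Tampering: {target} is plaintext ({where})")
    return gaps


def build_retail_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed sample: a shopper places an order through a gateway into the cluster."""
    elements = [
        Element("shopper", "external", "internet"),
        Element("api-gateway", "process", "edge"),
        Element("order-service", "process", "cluster"),
        Element("inventory-service", "process", "cluster"),
        Element("orders-db", "datastore", "data"),
    ]
    flows = [
        Flow("shopper", "api-gateway", "POST /orders", True, True),
        Flow("api-gateway", "order-service", "create order", True, True),
        # In-cluster call that trusts the network: the gap Zero Trust is meant to close.
        Flow("order-service", "inventory-service", "reserve stock", False, False),
        Flow("order-service", "orders-db", "INSERT order", True, False),
    ]
    return elements, flows


if __name__ == "__main__":
    els, fls = build_retail_model()
    threats = enumerate_threats(els, fls)
    print(f"{len(threats)} STRIDE candidates, "
          f"{sum(t.crosses_boundary for t in threats)} on boundary-crossing flows")
    for gap in zero_trust_gaps(els, fls):
        print("ZERO TRUST GAP:", gap)
```

The STRIDE table generates the candidate list; the boundary flag and the Zero Trust checks are what let a team triage it, since an unauthenticated plaintext call inside the cluster is exactly the finding a perimeter-based review would miss.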
Keywords:
Threat Modeling; API Security; Microservices; Cloud-Native; STRIDE; OWASP; Zero Trust; Security Architecture; DevSecOps; Kubernetes
Copyright information:
Copyright © 2022 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution License 4.0.
