Many significant concerns arise while developing modern-day applications in the cloud, including uptime, geographic distribution and scalability. Adopting application architectures based on event-driven microservices helps resolve these concerns and enables us to scale different services independently. However, event-based microservices present significant challenges, including communication between these services.
Imagine that, for instance, one microservice must send a request or data to another service, but the other service is busy. Waiting for the other service to respond can result in reduced efficiency in the microservices architecture.
The best possible solution to this problem is a message queue. Read on for more about that solution.
What is a message queue?
A message queue is a software component that facilitates communication between applications in microservices and serverless infrastructures. It relies on an asynchronous communication protocol: queued messages are transmitted and received without requiring an immediate response from the recipient.
Importance of message queues
Message queues are essential for several reasons, as they provide communication and coordination between distributed applications. Moreover, they can significantly simplify the coding of decoupled applications while enhancing reliability, performance and scalability.
Businesses can use message queues for multiple purposes, including but not limited to:
- Email communication
- Performing large computations and tasks across a network of servers
- Updating the status of files
- Sending real-time data to other services and programs
- Payments
- Multiple task queries
- Communicating to multiple destinations, application programming interfaces (APIs), etc.
What are the use cases of message queues?
Message queues are not for real-time communications. You can't use them when you need an immediate response, for instance while serving an HTTP request, where the end user shouldn’t be kept waiting for the response. In reality, message queues are suitable for processes that aren't crucial.
You may need a message queue when:
- Getting timeout errors due to too many simultaneous requests.
- Needing a decoupled way to communicate between applications.
- Needing to scale down or up during peak hours.
Two real-world use cases of message queues are given below.
Email communication
We all use emails for several purposes, including marketing campaigns, password resets, account verification, etc. Many of these use cases don't need immediate processing, meaning delays in their dispatch are acceptable. Delays in email dispatching do not affect the functionality of applications using emails for less critical use cases. Message queues can help where applications need to process both urgent and non-urgent emails simultaneously.
You can see an email queue as a buffer where the emails are stored before they hit the endpoint. At the same time, the sender does not need to send each message separately. The communication between the sender and the recipient is asynchronous. Once the emails have been queued, they’re delivered step by step. Usually, the Simple Mail Transfer Protocol (SMTP) server starts from the beginning of the queue and goes forward.
Data post-processing
The second use case for message queues is data post-processing. Here’s an example that illustrates how message queues can help: Let’s say you have a blog application that has to process image data from the images uploaded by users. Since users can't be expected to supply web-optimized or suitably sized images, adding an image post-processing and resizing function won't affect the application functionality much. This isn't a critical operation and doesn’t require immediate action. The application architecture includes a service that can optimize the images uploaded through the application. In this scenario, a message queue can help to transmit messages between the application and the service, facilitating image optimization.
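The image post-processing flow above, sketched from the consumer's side as an added example (not code from this article or from any product it mentions): the resizing service treats every queued message as untrusted input and validates it before acting on it. Python's in-process `queue.Queue` stands in for a real broker, and the message fields, upload directory and limits are assumptions made for the sketch.

```python
import json
import queue
from pathlib import PurePosixPath

# Assumed values for this sketch; none of them come from the article.
UPLOAD_ROOT = PurePosixPath("/srv/blog/uploads")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".webp"}
MAX_BODY = 1024   # bytes; a resize job is tiny, anything larger is suspect
MAX_EDGE = 4096   # largest output dimension the service will produce

def parse_resize_job(body: bytes) -> dict:
    """Validate one queued message; raise ValueError if it must not be processed."""
    if len(body) > MAX_BODY:
        raise ValueError("message too large")
    try:
        msg = json.loads(body)
    except ValueError as exc:  # covers malformed JSON and invalid UTF-8
        raise ValueError("not valid JSON") from exc
    if not isinstance(msg, dict) or set(msg) != {"path", "width", "height"}:
        raise ValueError("unexpected fields")
    path, dims = msg["path"], (msg["width"], msg["height"])
    if not isinstance(path, str) or not all(type(v) is int for v in dims):
        raise ValueError("wrong field types")
    if not all(1 <= v <= MAX_EDGE for v in dims):
        raise ValueError("dimensions out of range")
    p = PurePosixPath(path)
    # is_relative_to() is a lexical prefix test, so ".." is rejected explicitly.
    if ".." in p.parts or not p.is_relative_to(UPLOAD_ROOT):
        raise ValueError("path outside upload root")
    if p.suffix.lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    return {"path": str(p), "width": dims[0], "height": dims[1]}

def drain(jobs: queue.Queue) -> tuple:
    """Consume every message; rejects go to a dead-letter list, never to the resizer."""
    accepted, dead_letter = [], []
    while not jobs.empty():
        body = jobs.get_nowait()
        try:
            accepted.append(parse_resize_job(body))
        except ValueError as exc:
            dead_letter.append((body[:80], str(exc)))
    return accepted, dead_letter

SAMPLES = [  # constructed messages, as the blog application might enqueue them
    b'{"path": "/srv/blog/uploads/2024/cat.png", "width": 800, "height": 600}',
    b'{"path": "/srv/blog/uploads/../config/app.png", "width": 800, "height": 600}',
    b'{"path": "/srv/blog/uploads/a.jpg", "width": 999999, "height": 1}',
    b"not json",
]
```

Calling `drain()` on a queue loaded with `SAMPLES` returns one accepted job and three dead-letter entries, each carrying the rejection reason for later review.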
Vulnerabilities in message queues
While message queues are vital for communications between modern-day applications, particular vulnerabilities in the message queue can expose the applications to security incidents. Here is a list of vulnerabilities that affect real-world message queue software:
- MS07-065: This vulnerability in Message Queuing Service (MSMQ) could allow remote code execution (RCE).
- CVE-2021-38875: A year ago, this vulnerability exposed IBM MQ to an issue that could allow an attacker to execute denial-of-service (DoS) attacks against the queue manager.
- CVE-2010-4438: This unspecified vulnerability in Oracle GlassFish and Java System Message Queue allowed local users to affect confidentiality and integrity related to Java Message Service.
How can Contrast Assess help?
Contrast Assess can help detect vulnerabilities in message queues and supports queuing platforms such as JMS, JMS Spec 2.0, IBM MQ and Spring JMS. Our agent recognizes MQ messages as entry points and will follow data flow and check for vulnerabilities in the exercised pathways (routes). You can customize trust boundaries in our Contrast UI. Moreover, Contrast analyzes all the libraries and dependencies the web application uses to provide accurate results of vulnerabilities.
Find and fix real-time vulnerabilities with Contrast Assess. Get in touch to book a demo or get our free trial today.