Abstract
Decomposing an application into independent microservices enlarges the attack surface and makes it difficult to monitor each microservice so that its network traffic can be secured and controlled. The adoption of microservices, combined with development trends that aim to deliver software quickly in short iterations, often leaves software engineers with little time to attend to the security of such applications. Consequently, it is not uncommon for development teams to release software without performing full-scale security testing. Although various tools and techniques are available to help software engineers build secure microservices throughout the life cycle, there is limited guidance on how these tools and techniques can be integrated into an engineer's daily development tasks. The aim of this paper is to identify and review tools and techniques that software engineers can use as part of security-focused activities incorporated into the software development process, so that security receives early attention during the development of microservices.
© 2019 Springer Nature Switzerland AG
Nkomo, P., Coetzee, M. (2019). Development Activities, Tools and Techniques of Secure Microservices Compositions. In: Heng, S.H., Lopez, J. (eds.) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science, vol. 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_24
DOI: https://doi.org/10.1007/978-3-030-34339-2_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34338-5
Online ISBN: 978-3-030-34339-2