Avoiding Excessive Data Exposure Through Microservice APIs

  • Conference paper
  • Published in: Software Architecture (ECSA 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13444)

Abstract

Data transfer and the exchange of information through APIs are essential to every microservice architecture. Since these transfers often include private or sensitive data, potential data leaks, whether accidental or caused by malicious attacks, pose a high security risk. While different techniques exist to secure the data exchange itself, such as data encryption or authentication protocols, only a few strategies are known that reduce the damage once an actual data breach has happened. Our work presents a novel approach for identifying the optimal set of data attributes that need to be exchanged between APIs, thereby minimizing the damage in case of a potential breach. Our method relies only on static source code analysis and easy-to-calculate architectural metrics, which makes it well suited for use in continuous integration and deployment processes. We further verified and validated the feasibility of our approach by conducting two case studies on open-source microservice systems.
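The abstract describes the core idea only in prose: statically compare the data attributes an API exposes with the attributes its consumers actually use, and treat the surplus as avoidable exposure. The following is an added illustration of that idea and is not code from the paper or from its Zenodo data set. It parses a constructed Python snippet with the standard `ast` module: a producer service exposes a `CustomerDto`, a consumer function reads only some of its fields, and the analysis reports the fields that are exposed but never read together with a risk-weighted score. The DTO, the consumer, the risk classes and the weights are all assumptions made for this example (the low/moderate/high classes are modelled on the kind of data classification the paper's note 2 links to); the paper's own metrics are not reproduced here.

```python
"""Hypothetical static 'excessive data exposure' check (added example, not the paper's code).

Compares the attributes a DTO exposes through an API with the attributes a
consumer actually reads, and scores the surplus by an assumed risk class.
"""
import ast
from dataclasses import dataclass

# Constructed source of a producer service exposing a DTO via its API.
PRODUCER_SRC = '''
from dataclasses import dataclass

@dataclass
class CustomerDto:
    customer_id: int
    first_name: str
    last_name: str
    email: str
    date_of_birth: str
    social_security_number: str
    credit_card_number: str
'''

# Constructed source of a consumer service that only needs a name and an e-mail address.
CONSUMER_SRC = '''
def render_greeting(customer):
    return f"Hello {customer.first_name} {customer.last_name}", customer.email
'''

# Assumed risk classification per attribute and assumed weights per class.
RISK_WEIGHT = {"low": 1, "moderate": 3, "high": 10}
ATTRIBUTE_RISK = {
    "customer_id": "low",
    "first_name": "low",
    "last_name": "low",
    "email": "moderate",
    "date_of_birth": "moderate",
    "social_security_number": "high",
    "credit_card_number": "high",
}


def exposed_attributes(source: str, dto_name: str) -> set:
    """Collect the annotated fields of the DTO class, i.e. everything the API exposes."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and node.name == dto_name:
            return {
                stmt.target.id
                for stmt in node.body
                if isinstance(stmt, ast.AnnAssign) and isinstance(stmt.target, ast.Name)
            }
    raise ValueError(f"DTO {dto_name} not found")


def consumed_attributes(source: str, func_name: str, param_name: str) -> set:
    """Collect attribute reads on the DTO parameter inside the consumer function."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == func_name:
            return {
                sub.attr
                for sub in ast.walk(node)
                if isinstance(sub, ast.Attribute)
                and isinstance(sub.value, ast.Name)
                and sub.value.id == param_name
            }
    raise ValueError(f"function {func_name} not found")


@dataclass(frozen=True)
class ExposureReport:
    exposed: frozenset
    consumed: frozenset
    surplus: frozenset        # exposed but never read by the consumer
    surplus_risk_score: int   # sum of assumed risk weights over the surplus


def analyse(producer_src, consumer_src, dto_name, func_name, param_name) -> ExposureReport:
    """Run the comparison and score the surplus; unknown attributes count as low risk."""
    exposed = exposed_attributes(producer_src, dto_name)
    consumed = consumed_attributes(consumer_src, func_name, param_name)
    surplus = exposed - consumed
    score = sum(RISK_WEIGHT[ATTRIBUTE_RISK.get(a, "low")] for a in surplus)
    return ExposureReport(frozenset(exposed), frozenset(consumed), frozenset(surplus), score)


if __name__ == "__main__":
    report = analyse(PRODUCER_SRC, CONSUMER_SRC, "CustomerDto", "render_greeting", "customer")
    print("exposed :", sorted(report.exposed))
    print("consumed:", sorted(report.consumed))
    print("surplus :", sorted(report.surplus), "risk score:", report.surplus_risk_score)
```

In this constructed case the consumer reads only `first_name`, `last_name` and `email`, so four attributes are transferred without ever being used, and two of them carry the highest assumed risk class; trimming the DTO to the consumed set is the change such a check would flag in a CI pipeline. A real analysis would have to resolve the consumer's attribute accesses across calls and deserialisation code, which this single-function walk does not attempt.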


Notes

  1. For supporting reproducibility, we offer the whole source code and data of our study in a data set published on the long-term archive Zenodo: https://zenodo.org/record/6700021#.YrRJYHVByA0.

  2. https://uit.stanford.edu/guide/riskclassifications#risk-classifications.

  3. https://github.com/Microservice-API-Patterns/LakesideMutual/tree/spring-term-2020.

  4. https://github.com/dotnet-architecture/eShopOnContainers, commit 59805331cd225fc876b9fc6eef3b0d82fda6bda1.


Acknowledgments

This work was supported by: FWF (Austrian Science Fund) projects API-ACE: I 4268 and IAC\(^2\): I 4731-N. Our work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952647 (AssureMOSS project).

Corresponding author

Correspondence to Patric Genfer.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Genfer, P., Zdun, U. (2022). Avoiding Excessive Data Exposure Through Microservice APIs. In: Gerostathopoulos, I., Lewis, G., Batista, T., Bureš, T. (eds) Software Architecture. ECSA 2022. Lecture Notes in Computer Science, vol 13444. Springer, Cham. https://doi.org/10.1007/978-3-031-16697-6_1

  • DOI: https://doi.org/10.1007/978-3-031-16697-6_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-16696-9

  • Online ISBN: 978-3-031-16697-6
