Abstract
The microservice architectural style is widespread in enterprise IT, making the securing of microservices a crucial issue. Researchers and practitioners have identified many bad practices in securing microservices, along with security good practices that, if adopted, allow avoiding the corresponding security issues. However, this knowledge is scattered across multiple pieces of white and grey literature, making it complex and time consuming to consult. We present here the results of a multivocal literature review that analyzes 44 primary studies discussing bad and good practices for microservice security. We were able to identify four bad and six good practices, and to associate each bad practice with the specific bad smell(s) that signal it and with the good practice(s) that avoid incurring it. The resulting mapping between bad and good practices for microservice security can help practitioners and researchers explore the systematic securing of microservice-based applications.
Notes
1. To encourage repeating our review process, a replication package (containing the sheets we used to run our review) has been released at https://docs.google.com/spreadsheets/d/1fY4lq3cdFjWCf7ZqaT5itnR7rw5vse-e/edit.
Acknowledgements
This work was partially supported by ANID PIA/APOYO AFB180002 (CCTVal), Instituto de tecnología para la innovación en salud y bienestar, facultad de ingeniería (Universidad Andrés Bello, Chile), and by the project hOlistic Sustainable Management of distributed softWARE systems (OSMWARE, UNIPI PRA_2022_64), funded by the University of Pisa, Italy.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ponce, F., Soldani, J., Astudillo, H., Brogi, A. (2023). Microservices Security: Bad vs. Good Practices. In: Batista, T., Bureš, T., Raibulet, C., Muccini, H. (eds) Software Architecture. ECSA 2022 Tracks and Workshops. ECSA 2022. Lecture Notes in Computer Science, vol 13928. Springer, Cham. https://doi.org/10.1007/978-3-031-36889-9_23
DOI: https://doi.org/10.1007/978-3-031-36889-9_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36888-2
Online ISBN: 978-3-031-36889-9
eBook Packages: Computer Science (R0)