
Microservices Security: Bad vs. Good Practices

Conference paper. In: Software Architecture. ECSA 2022 Tracks and Workshops (ECSA 2022)

Abstract

The microservice architectural style is widespread in enterprise IT, making the securing of microservices a crucial issue. Many bad practices in securing microservices have been identified by researchers and practitioners, along with security good practices that, if adopted, make it possible to avoid the corresponding security issues. However, this knowledge is scattered across multiple pieces of white and grey literature, which makes consulting it complex and time consuming. We present here the results of a multivocal literature review that analyzes 44 primary studies discussing bad and good practices for microservice security. We were able to identify four bad and six good practices, and to associate each bad practice with the specific bad smell(s) that signal it and with the good practice(s) that avoid incurring it. The resulting mapping between bad and good practices for microservice security can help practitioners and researchers to explore the systematic securing of microservice-based applications.


Notes

  1. To encourage repeating our review process, a replication package (containing the sheets we used to run our review) has been released at https://docs.google.com/spreadsheets/d/1fY4lq3cdFjWCf7ZqaT5itnR7rw5vse-e/edit.


Acknowledgements

This work was partially supported by ANID PIA/APOYO AFB180002 (CCTVal), Instituto de tecnología para la innovación en salud y bienestar, facultad de ingeniería (Universidad Andrés Bello, Chile), and by the project hOlistic Sustainable Management of distributed softWARE systems (OSMWARE, UNIPI PRA_2022_64), funded by the University of Pisa, Italy.

Author information

Corresponding author: Francisco Ponce.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ponce, F., Soldani, J., Astudillo, H., Brogi, A. (2023). Microservices Security: Bad vs. Good Practices. In: Batista, T., Bureš, T., Raibulet, C., Muccini, H. (eds) Software Architecture. ECSA 2022 Tracks and Workshops. ECSA 2022. Lecture Notes in Computer Science, vol 13928. Springer, Cham. https://doi.org/10.1007/978-3-031-36889-9_23

  • DOI: https://doi.org/10.1007/978-3-031-36889-9_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36888-2

  • Online ISBN: 978-3-031-36889-9

  • eBook Packages: Computer Science (R0)