
SST: A Tool to Support the Triage of Security Smells in Microservice Applications

  • Original Research
  • Published in SN Computer Science

Abstract

Microservice security smells denote possible symptoms of bad design decisions that may compromise the security of an application. Therefore, security smells should be carefully checked and possibly resolved by applying some refactorings. In this paper, we introduce SST (Security Smell Triager), an open-source tool that automates the triage of the possibly multiple instances of security smells affecting an existing microservice application, to support determining which instance is “more urgent” than others and should be considered first. SST also supports reasoning on whether/how to resolve a security smell instance through refactoring, by displaying the impact on quality attributes (like maintainability and performance efficiency) of both security smell instances and their refactorings. We also assess the usefulness of SST through a controlled experiment.



Data Availability

Not Applicable.

Notes

  1. https://github.com/Microservice-API-Patterns/LakesideMutual.

  2. SST is publicly available on GitHub at https://github.com/ms-security/triager.

  3. The full JSON file is publicly available on GitHub at https://github.com/ms-security/triager/tree/main/data.

  4. https://github.com/ms-security/triager/tree/main/data.


Acknowledgements

This work is partly supported by the following projects: FREEDA (CUP: I53D23003550006), funded by the frameworks PRIN (MUR, Italy) and Next Generation EU.

Author information


Contributions

All authors have participated equally in this work.

Corresponding author

Correspondence to Francisco Ponce.

Ethics declarations

Conflict of interest

The authors have no relevant financial or non-financial interests to disclose.

Research Involving Human and/or Animals

Not Applicable.

Informed Consent

Not Applicable.


About this article


Cite this article

Ponce, F., Malnati, A., Negro, R. et al. SST: A Tool to Support the Triage of Security Smells in Microservice Applications. SN COMPUT. SCI. 5, 1014 (2024). https://doi.org/10.1007/s42979-024-03372-5


  • DOI: https://doi.org/10.1007/s42979-024-03372-5
