Options
Microservice Security Metrics for Secure Communication, Identity Management, and Observability
Publikationstyp
Journal Article
Publikationsdatum
2023-02-13
Sprache
English
Institut
Volume
32
Issue
1
Article Number
3532183
Citation
ACM Transactions on Software Engineering and Methodology 32 (1): 3532183 (2023-02-13)
Publisher DOI
Scopus ID
2-s2.0-85152594050
Microservice architectures are increasingly being used to develop application systems. Despite many guidelines and best practices being published, architecting microservice systems for security is challenging. Reasons are the size and complexity of microservice systems, their polyglot nature, and the demand for the continuous evolution of these systems. In this context, to manually validate that security architecture tactics are employed as intended throughout the system is a time-consuming and error-prone task. In this article, we present an approach to avoid such manual validation before each continuous evolution step in a microservice system, which we demonstrate using three widely used categories of security tactics: secure communication, identity management, and observability. Our approach is based on a review of existing security guidelines, the gray literature, and the scientific literature, from which we derived Architectural Design Decisions (ADDs) with the found security tactics as decision options. In our approach, we propose novel detectors to detect these decision options automatically and formally defined metrics to measure the conformance of a system to the different options of the ADDs. We apply the approach to a case study data set of 10 open source microservice systems, plus another 20 variants of these systems, for which we manually inspected the source code for security tactics. We demonstrate and assess the validity and appropriateness of our metrics by performing an assessment of their conformance to the ADDs in our systems' dataset through statistical methods.
Schlagworte
Additional Key Words and PhrasesMicroservice architecture
microservice security
software architecture detectors
software architecture metrics