Microservice Security Metrics for Secure Communication, Identity Management, and Observability

Microservice architectures are increasingly being used to develop application systems. Despite the many published guidelines and best practices, architecting microservice systems for security is challenging. The reasons are the size and complexity of microservice systems, their polyglot nature, and the demand for the continuous evolution of these systems. In this context, manually validating that security architecture tactics are employed as intended throughout the system is a time-consuming and error-prone task. In this article, we present an approach to avoid such manual validation before each continuous evolution step in a microservice system, which we demonstrate using three widely used categories of security tactics: secure communication, identity management, and observability. Our approach is based on a review of existing security guidelines, the gray literature, and the scientific literature, from which we derived Architectural Design Decisions (ADDs) with the security tactics we found as decision options. We propose novel detectors to detect these decision options automatically, and formally defined metrics to measure the conformance of a system to the different options of the ADDs. We apply the approach to a case study dataset of 10 open source microservice systems, plus another 20 variants of these systems, for which we manually inspected the source code for security tactics. We demonstrate and assess the validity and appropriateness of our metrics by using statistical methods to assess their conformance to the ADDs in our dataset of systems.
