Towards a Security Benchmark for the Architectural Design of Microservice Applications

The microservice architecture presents many challenges from a security perspective: the large number of services increases the attack surface and places an unmanageable cognitive load on security analysts. Several benchmarks exist to guide the secure configuration of the deployment infrastructure for microservice applications, including containers (e.g., Docker), orchestration systems (e.g., Kubernetes), cloud platforms (e.g., AWS), and even operating systems (e.g., Linux). In this paper, we work towards a benchmark for the design of the microservice applications themselves. To this end, we compile an inventory of relevant security rules for the architectural design of microservice applications and make a preliminary assessment of how these rules could be checked automatically.
