Software Development Activities for Secure Microservices

Decomposing an application into a set of distributed, collaborating microservices according to microservices architecture principles increases the application’s attack surface. A preliminary risk analysis can provide an understanding of security threats from a hypothetical attacker’s point of view. The identified threats give software engineers who build microservices compositions knowledge of the assets most likely to be targeted, the most likely attack vectors, and the potential attacker’s profile. This knowledge helps ensure that microservices compositions are designed to avoid vulnerabilities and to withstand any attack, and that, in the event of an attack, its adverse consequences are minimized. In this regard, this paper aims to identify security threats that could arise from flaws in the design of microservices compositions, and harm that may arise from misuse of a microservices composition by malicious users. The preliminary risk analysis leads to a list of security requirements that this research must meet in order to develop secure microservices compositions. The contribution of this review is a list of development activities for secure microservices.
