Thesis
Supporting triage of microservice security smells, using trade-off analysis

Date
2024
Authors
Ponce Mella, Francisco Leonardo
Abstract
Microservice-based applications (MSAs) are pervading enterprise IT, as they enable building cloud-native applications that can fully exploit the capabilities of cloud computing, exhibiting distributed, dynamic, and fault-resilient behavior. MSAs introduce new security challenges, including the so-called security smells, i.e., symptoms of poor decisions that may impact MSA security. Security smell instances must be carefully checked, and possibly resolved via refactoring, to preempt authenticity, integrity, or confidentiality issues. In this thesis ten smells for securing microservices are identified and organized in a taxonomy, associating each security smell with the security properties it may violate and with the refactorings that mitigate its effects. Furthermore, this thesis also presents an end-to-end approach for resolving security smells in existing MSAs that automates smell detection and provides users with an interactive mechanism for smell resolution across the concerned MSA components. On the other hand, choosing between tolerating a given microservice security smell instance and resolving it with a refactoring requires careful trade-off considerations, since both the smell and its refactoring may impact other quality attributes besides security, e.g., maintainability and performance. For example, the "centralized authorization" security smell harms the authenticity and time behavior of the MSA but favors its testability. Thus, resolving the security smell by applying the "use decentralized authorization" refactoring would favor the MSA's authenticity and modularity, but would harm its testability and resource utilization. Making informed refactoring decisions requires assessing the trade-offs of impacts on multiple affected quality attributes.
This thesis also argues for trade-off analysis to help determine whether to keep a microservice security smell or to apply a refactoring, based on their positive/negative impacts on specific quality attributes and design soundness. The proposed method enacts and supports this trade-off analysis using Softgoal Interdependency Graphs (SIGs), a visual formalism that, in our case, enables a holistic view of the positive/negative impacts of microservice security smells and refactorings on software quality attributes and design soundness. Additionally, we systematically elicit possible impacts of smells and refactorings on applications' maintainability, performance efficiency, and adherence to microservices' key design principles, and validate them through an online survey targeting experienced practitioners and researchers. Since multiple security smell instances can affect multiple services in an MSA, architects must not only find trade-offs for each smell instance but also decide which smell instances to resolve first. Indeed, some smell instances may be more "urgent" than others because they affect services that implement core functionalities and/or quality attributes that are critical for a service's effective functioning. Given the number of services forming an MSA, their quality requirements, and the many different impacts of security smells on quality attributes, it is inherently complex and costly to determine which security smell instances are the most urgent and should be resolved first. Taking the above into consideration, this thesis also proposes a triage method to systematically associate security smell instances with "urgency codes", similar to what triage nurses do with patients who enter a hospital emergency room and describe their symptoms.
The proposed method enables assigning each security smell instance (i.e., a security smell affecting a service in an MSA) an urgency code, which is computed by combining (i) the relevance of the service to the business, and (ii) the importance of the service quality attributes that are impacted by the smell instance. The method systematizes this process by assigning smell instances to urgency codes, which practitioners can use to decide which smell instances to resolve first (presumably, those with the highest urgency). The practical applicability of the proposed triage method is illustrated with a use case based on a third-party MSA, and its usefulness is evaluated with a controlled experiment involving 26 practitioners. Our results suggest that the proposed triage method eases the triage process and yields urgency codes in which practitioners are more confident.
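The following is an added illustration, not the thesis's own method or code. It encodes the impact example the abstract gives (the "centralized authorization" smell and its "use decentralized authorization" refactoring) as a small impact table, weighs that trade-off against a service's own attribute priorities, and then ranks smell instances by an urgency code built from business relevance and the importance of the harmed attributes. The numeric scales (1 to 3), the combination rule (relevance multiplied by the highest importance among harmed attributes), the three-colour bucketing, and the sample services are all assumptions made here for illustration; the thesis defines its own rule.

```python
"""Illustrative triage of microservice security smell instances.

Added example, not the thesis's method. The impact entries below come from the
abstract's worked example; the scales, combination rule and bucketing are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Impact of a smell or refactoring on quality attributes: +1 favors, -1 harms.
# Only the abstract's example entries are encoded; a full taxonomy would add more.
SMELL_IMPACTS = {
    "centralized authorization": {
        "authenticity": -1, "time behavior": -1, "testability": +1,
    },
}
REFACTORING_IMPACTS = {
    "use decentralized authorization": {
        "authenticity": +1, "modularity": +1,
        "testability": -1, "resource utilization": -1,
    },
}
SMELL_REFACTORING = {"centralized authorization": "use decentralized authorization"}


@dataclass
class Service:
    name: str
    business_relevance: int        # assumed scale: 1 (low) .. 3 (high)
    attribute_importance: dict     # quality attribute -> 1 .. 3 (assumed scale)


@dataclass
class SmellInstance:
    smell: str
    service: Service


def harmed_attributes(smell):
    """Quality attributes the smell harms according to the impact table."""
    return [attr for attr, v in SMELL_IMPACTS[smell].items() if v < 0]


def urgency_score(instance):
    """Assumed rule: business relevance x importance of the most important harmed attribute."""
    importance = instance.service.attribute_importance
    worst = max((importance.get(a, 1) for a in harmed_attributes(instance.smell)), default=1)
    return instance.service.business_relevance * worst


def urgency_code(score):
    """Assumed bucketing into three codes, mirroring emergency-room triage colours."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "yellow"
    return "green"


def net_tradeoff(smell, service):
    """Weighted net effect of applying the refactoring instead of tolerating the smell.

    Each impact is weighted by how much the service cares about that attribute
    (default weight 1). A positive result means the refactoring is a net gain for
    this service; a negative one means tolerating the smell is the better deal.
    """
    weights = service.attribute_importance
    keep = sum(v * weights.get(a, 1) for a, v in SMELL_IMPACTS[smell].items())
    fix = sum(v * weights.get(a, 1)
              for a, v in REFACTORING_IMPACTS[SMELL_REFACTORING[smell]].items())
    return fix - keep


def triage(instances):
    """Rank smell instances by descending urgency, returning (service, smell, score, code)."""
    ranked = sorted(instances, key=urgency_score, reverse=True)
    return [(i.service.name, i.smell, urgency_score(i), urgency_code(urgency_score(i)))
            for i in ranked]


# Constructed sample MSA: a business-critical payments service and a low-stakes catalog.
PAYMENTS = Service("payments", 3, {"authenticity": 3, "time behavior": 2, "testability": 1})
CATALOG = Service("catalog", 1, {"authenticity": 1, "time behavior": 2, "testability": 3})
INSTANCES = [
    SmellInstance("centralized authorization", CATALOG),
    SmellInstance("centralized authorization", PAYMENTS),
]

if __name__ == "__main__":
    for row in triage(INSTANCES):
        print(row)
    for svc in (PAYMENTS, CATALOG):
        print(svc.name, "net effect of refactoring:", net_tradeoff("centralized authorization", svc))
```

Running it ranks the payments instance first (red) and the catalog instance last (green), and the trade-off helper shows why the same smell is worth refactoring on one service but not necessarily on the other: payments weights authenticity highly, so the refactoring is a clear net gain, while catalog values testability most and comes out worse after refactoring. That is the kind of per-service, per-attribute weighing the abstract argues a SIG-based analysis should make explicit.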
Keywords
Microservices, Security smells, Microservices security, Triage