A Framework to Build Secure Microservice Architecture
Abstract
Microservice architecture has become a popular architecture style in recent years. According to a series of surveys conducted by IBM Market Development & Insights in 2021, microservices are heavily used in many industries worldwide. With an increase in the adoption of microservice architecture in the development of applications, such as Netflix, Amazon, Uber, Ebay, Twitter, DoorDash, Capital One, and Monzo, and the increase in security breaches in microservice based systems (e.g., the DoorDash data breaches in 2019 and 2022, Twitter data breach in 2022, and compromises to Netflix’s infrastructure), there is a need to examine and understand security issues that exist in microservice architectures. Security issues within microservice architectures can be summarized with four main points. 1) Security is often considered as an afterthought, rather than during the early development phases. Security considerations are thought of as roadblocks that prevent software from being released on time; 2) There are more vulnerabilities per line of code in applications using microservice architectures compared with equivalent monolithic applications; 3) Microservices present new security challenges that are not present in monolithic applications due to the distributed nature of the architecture; communications between microservices are over the network which means a request may be susceptible to man-in-the-middle attacks; 4) There is a lack of comprehensive knowledge regarding how to build applications using microservice architectures with security in mind. The goal of the research is two-fold: 1) To study and document security properties that can remediate security issues in microservice architectures; and 2) define an effective approach to assist software architects in formally defining security properties early on in the software development lifecycle. The research examines microservice security from the perspective of industry and academia. The research questions (RQ) are as follows: RQ1: What are the security challenges in microservices architecture? RQ2: What mechanisms are currently used to address the security challenges in microservices architecture? RQ3: What approach can enhance the security modeling and specification in microservice architectures? The result of the research is an extensive review of security challenges and practices related to secure microservice architecture that informed the development of a framework that enhances the ability of software architects to formally specify security properties. The resulting framework includes the use of decision trees to guide software architects in determining what specific security properties should be considered, how different security properties are related can be used together, and what additional structural elements (components and connectors) should be considered when adding specific security properties. The impact of the work is that software vulnerabilities are addressed during early phases of software development (architecture and design) rather than later in the software development lifecycle. This helps to significantly reduce costs associated with software defect mitigation. Studies have shown that the cost ratio in tackling a software defect, including security vulnerabilities, is doubled if defects are discovered during the implementation phase compared to the architecture and design phases. This ratio more than triples if defects are discovered during testing. The work provides comprehensive support in defined security in microservice architectures, especially for software architects who have minimal experience in society.
Subject Area
Computer science|Computer Engineering|Web Studies
Recommended Citation
Tai Ramirez, Wai Yan Elsa, "A Framework to Build Secure Microservice Architecture" (2023). ETD Collection for University of Texas, El Paso. AAI30522863.
https://scholarworks.utep.edu/dissertations/AAI30522863