TY - JOUR
T1 - Security in microservice-based systems
T2 - A Multivocal literature review
AU - Pereira-Vale, Anelis
AU - Fernandez, Eduardo B.
AU - Monge, Raúl
AU - Astudillo, Hernán
AU - Márquez, Gastón
N1 - Publisher Copyright:
© 2021 Elsevier Ltd
PY - 2021/4
Y1 - 2021/4
N2 - Microservices define an architectural style that conceives systems as a suite of modular, independent and scalable services. While application design is now simpler, designing secure applications is in general harder than for monolithic applications and the current literature offers little orientation to architects and developers regarding solutions. This article describes the design and results of a multivocal literature review of the security solutions that have been proposed for microservice-based systems. The study yielded 370 academic articles and 620 grey literature; duplicates removal and the application of exclusion criteria left 36 from the academic literature and 34 from the grey literature. The security solution(s) proposed in each article were classified into variations of standard security mechanisms (e.g., Access Control) and scopes (Info Management, Threat Modeling, etc), and were associated to security contexts (detect, mitigate/stop, react, recover from attack). Our research questions addressed frequency of publications, research methodologies, security mechanisms, and security contexts. Key findings were that (1) both kinds of literature differ in their preferred empirical research strategies (examples, experiments and case studies); (2) The solutions proposed in the 70 selected articles correspond to 15 classifications of security mechanisms and analyses; (3) the most mentioned security mechanisms are Authentication and Authorization; (4) around 2/3 of solutions focused on Mitigate/Stop attacks, but none on reacting and recovering from them, and (5) the methodologies used are mostly block diagrams and code, with little use of models or analysis. These findings hold for both grey and academic literature. This study is a first step towards providing secure software researchers and practitioners a comprehensive catalog of security solutions and mechanisms, and where the clear identification of the most used security solutions will simplify their reuse to address security problems while designing microservice-based systems.
AB - Microservices define an architectural style that conceives systems as a suite of modular, independent and scalable services. While application design is now simpler, designing secure applications is in general harder than for monolithic applications and the current literature offers little orientation to architects and developers regarding solutions. This article describes the design and results of a multivocal literature review of the security solutions that have been proposed for microservice-based systems. The study yielded 370 academic articles and 620 grey literature; duplicates removal and the application of exclusion criteria left 36 from the academic literature and 34 from the grey literature. The security solution(s) proposed in each article were classified into variations of standard security mechanisms (e.g., Access Control) and scopes (Info Management, Threat Modeling, etc), and were associated to security contexts (detect, mitigate/stop, react, recover from attack). Our research questions addressed frequency of publications, research methodologies, security mechanisms, and security contexts. Key findings were that (1) both kinds of literature differ in their preferred empirical research strategies (examples, experiments and case studies); (2) The solutions proposed in the 70 selected articles correspond to 15 classifications of security mechanisms and analyses; (3) the most mentioned security mechanisms are Authentication and Authorization; (4) around 2/3 of solutions focused on Mitigate/Stop attacks, but none on reacting and recovering from them, and (5) the methodologies used are mostly block diagrams and code, with little use of models or analysis. These findings hold for both grey and academic literature. This study is a first step towards providing secure software researchers and practitioners a comprehensive catalog of security solutions and mechanisms, and where the clear identification of the most used security solutions will simplify their reuse to address security problems while designing microservice-based systems.
KW - Microservice-based systems
KW - Multivocal literature review
KW - Secure software development
KW - Security mechanisms
KW - Security solutions
UR - http://www.scopus.com/inward/record.url?scp=85099774847&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2021.102200
DO - 10.1016/j.cose.2021.102200
M3 - Article
AN - SCOPUS:85099774847
SN - 0167-4048
VL - 103
JO - Computers and Security
JF - Computers and Security
M1 - 102200
ER -