TY - GEN
T1 - Triaging Microservice Security Smells, with TriSS
AU - Ponce, Francisco
AU - Soldani, Jacopo
AU - Taramasco, Carla
AU - Astudillo, Hernan
AU - Brogi, Antonio
N1 - Publisher Copyright:
© 2024 Owner/Author.
PY - 2024/6/18
Y1 - 2024/6/18
N2 - Securing microservice applications is crucial. Security smells denote symptoms of bad (often unintentional) design decisions which may violate security properties and which can be resolved via refactoring. Stakeholders weigh the services' business value, the criticality of each problem, and the available resources to decide which smells to resolve and which to leave alone, but making such decisions is inherently complex for microservice applications with many services, each possibly affected by multiple security smell instances. Borrowing from hospital emergency room triage practices, which assign an urgency code to incoming patients, this paper introduces the notion of urgency for microservice security smell instances and proposes the TriSS method to triage them. TriSS assigns each security smell instance an urgency code by combining the affected service's business relevance with the smell's impact on security and on other quality attributes, e.g., performance and maintainability. The practical applicability of TriSS is illustrated with a use case based on a third-party microservice application, and its usefulness is evaluated with a controlled experiment involving 26 practitioners. The experiment's results suggest that TriSS eases the triage process and yields urgency codes in which practitioners are more confident.
KW - microservices
KW - microservices security
KW - security smells
KW - triage
KW - TriSS
UR - http://www.scopus.com/inward/record.url?scp=85197437728&partnerID=8YFLogxK
U2 - 10.1145/3661167.3661282
DO - 10.1145/3661167.3661282
M3 - Conference contribution
AN - SCOPUS:85197437728
T3 - ACM International Conference Proceeding Series
SP - 698
EP - 706
BT - Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024
PB - Association for Computing Machinery
T2 - 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024
Y2 - 18 June 2024 through 21 June 2024
ER -