Automatic Detection of Security Deficiencies and Refactoring Advises for Microservices
2023 (English)
In: Proceedings - 2023 IEEE/ACM International Conference on Software and System Processes, ICSSP 2023, Institute of Electrical and Electronics Engineers (IEEE), 2023, p. 25-34
Conference paper, Published paper (Refereed)
Abstract [en]
The microservice architecture enables organizations to shorten development cycles and deliver cloud-native applications rapidly. However, it also brings security concerns that developers need to address, so security testing in microservices becomes even more critical. Recent research papers indicate that security testing of microservices is often neglected for reasons such as lack of time, lack of experience in the security domain, and absence of automated test environments. Even though several security scanning tools exist to detect container, containerized workload management (Kubernetes), and network issues, none of them individually is sufficient to cover all security problems in microservices. Using multiple scanning tools increases the complexity of analyzing findings and mitigating security vulnerabilities. This paper presents a fully automated test tool suite that can help developers find security issues in microservices and resolve them. It aims to reduce the time and effort spent on security activities by encapsulating open-source scanning tools into one suite and providing improved feedback. The developed security scanning suite is named Pomegranate. To develop Pomegranate, we employed Design Science and conducted our investigation at Ericsson. We evaluated our tool using a static approach. The evaluation results indicate that Pomegranate could be helpful to developers by providing simplified and classified outputs for security vulnerabilities in microservices. More than half of the practitioners who gave us feedback found Pomegranate helpful in detecting and mitigating security problems in microservices. We conclude that a fully automated test tool suite can help developers address most security issues in microservices. Based on the findings in this paper, the direction for future work is to conduct a dynamic validation of Pomegranate in a live project. © 2023 IEEE.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023. p. 25-34
Keywords [en]
Kubernetes, Microservices, Security, Security Scanning Tools, Automation, Fully automated, Microservice, Scanning tool, Security problems, Security scanning, Security scanning tool, Security testing, Security vulnerabilities, Containers
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-25262
DOI: 10.1109/ICSSP59042.2023.00013
ISI: 001032744000003
Scopus ID: 2-s2.0-85166196449
ISBN: 9798350311969 (print)
OAI: oai:DiVA.org:bth-25262
DiVA, id: diva2:1787087
Conference
17th IEEE/ACM International Conference on Software and System Processes, ICSSP 2023, Melbourne, 14 May through 15 May 2023
Available from: 2023-08-11 Created: 2023-08-11 Last updated: 2023-08-31 Bibliographically approved