Decision Models for Selecting Patterns and Strategies in Microservices Systems and their Evaluation by Practitioners

Researchers and practitioners have recently proposed many Microservices Architecture (MSA) patterns and strategies covering various aspects of microservices system life cycle, such as service design and security. However, selecting and implementing these patterns and strategies can entail various challenges for microservices practitioners. To this end, this study proposes decision models for selecting patterns and strategies covering four MSA design areas: application decomposition into microservices, microservices security, microservices communication, and service discovery. We used peer-reviewed and grey literature to identify the patterns, strategies, and quality attributes for creating these decision models. To evaluate the familiarity, understandability, completeness, and usefulness of the decision models, we conducted semi-structured interviews with 24 microservices practitioners from 12 countries across five continents. Our evaluation results show that the practitioners found the decision models as an effective guide to select microservices patterns and strategies.

This research was accepted at the 44th International Conference on Software Engineering (ICSE) – Software Engineering in Practice (SEIP) track.

A Decision Model for Selecting Patterns and Strategies to Decompose Applications into Microservices

Microservices Architecture (MSA) style is a promising design approach to develop software applications consisting of multiple small and independently deployable services. Over the past few years, researchers and practitioners have proposed many MSA patterns and strategies covering various aspects of microservices design, such as application decomposition. However, selecting appropriate patterns and strategies can entail various challenges for practitioners. To this end, this study proposes a decision model for selecting patterns and strategies to decompose applications into microservices. We used peer-reviewed and grey literature to collect the patterns, strategies, and quality attributes for creating this decision model.

This paper was co-authored with Muhammad Waseem, Peng Liang, Mojtaba Sahin, Arif Ali Khan and Aakash Ahmad. The paper will be presented at the International Conference on Service Oriented Computing (ICSOC 2021)

Design, Monitoring, and Testing of Microservices Systems: The Practitioners’ Perspective

We conducted a mixed-methods study with 106 survey responses and 6 interviews from microservices practitioners. The main findings are: (1) a combination of domain-driven design and business capability is the most used strategy to decompose an application into microservices, (2) over half of the participants used architecture evaluation and architecture implementation when designing microservices systems, (3) API gateway and Backend for frontend patterns are the most used MSA patterns, (4) resource usage and load balancing as monitoring metrics, log management and exception tracking as monitoring practices are widely used, (5) unit and end- to-end testing are the most used testing strategies, and (6) the complexity of microservices systems poses challenges for their design, monitoring, and testing, for which there are no dedicated solutions.

This study will be published in the Journal of Systems and Software. Pre-print available here

Evaluating Dissemination and Implementation Strategies to Develop Clinical Software

We know that building software presents several challenges. But, in healthcare, these challenges can be increased by the complexity of clinical processes. In an article presented at SEH@ICSE, we presented a study exploring the opinions of clinicians regarding clinical software. This software was built using a methodology that involves stakeholders and clinicians along with implementation and dissemination strategies used in healthcare. These strategies were key to engaging clinicians in software development. The results obtained indicate that the software studied has a high acceptance by clinicians because it operationalizes the clinical activities demanded by clinicians in a timely and seamless manner in clinical processes.

Security in Microservice-Based Systems: A Multivocal Literature Review

In this study we described the design and results of a systematic multivocal literature mapping of the security solutions that have been proposed for microservice-based systems. The study yielded 370 academic articles and 620 grey literature; duplicates removal and the application of exclusion criteria left 36 from the academic literature and 34 from the grey literature. The security solution(s) proposed in each article were classified into variations of standard security mechanisms (e.g., Access Control) and scopes (Info Management, Threat Modeling, etc), and were associated to security contexts (detect, mitigate/stop, react, recover from attack). Our research questions addressed frequency of publications, research methodologies, security mechanisms, and security contexts. Key findings were that (1) both kinds of literature differ in their preferred empirical research strategies (examples, experiments and case studies); (2) The solutions proposed in the 70 selected articles correspond to 15 classifications of security mechanisms and analyses; (3) the most mentioned security mechanisms are Authentication and Authorization; (4) around 2/3 of solutions focused on Mitigate/Stop attacks, but none on reacting and recovering from them, and (5) the methodologies used are mostly block diagrams and code, with little use of models or analysis. These findings hold for both grey and academic literature. This study is a first step towards providing secure software researchers and practitioners a comprehensive catalog of security solutions and mechanisms, and where the clear identification of the most used security solutions will simplify their reuse to address security problems while designing microservice-based systems.

This study is published in the Computer & Security journal

Involving stakeholders in the design and development of microservice architectures

We know that microservice-based systems promote agility and rapid business development. Some features, such as fast time-to-market, scalability and optimal response times, have encouraged stakeholders to get more involved in the development and implementation of microservices architectures in order to translate their business vision into the implementation of the architecture. We realized some techniques allow the inclusion of the stakeholders’ perspective in the design of microservice architectures, few proposals consider such perspectives in the selection and evaluation of technologies that implement microservice architectures. Indeed, the qualities that characterize microservice-based systems strongly depend on the suitable selection of technologies, such as application frameworks and platforms. We have proposed a collaborative technique that includes stakeholders and software architects to select and evaluate application frameworks and platforms to implement microservice-based systems. We evaluated the technique in an industrial case of design and implementation of an Ambient-Assisted Living (AAL) system, which combines microservice architecture and Internet-of-Medical-Things (IoMT) sensors.

This work has been published in the IEEE Access journal

Microservices and testing

Building Microservices Architecture (MSA)-based applications is immensely supported by using software testing fundamentals. With the increasing interest in the development of MSA-based applications, it is important to systematically identify, analyze, and classify the publication trends, research themes, approaches, tools, and challenges in the context of testing MSA-based applications. In order to know state of the art regarding testing and MSAs, we conducted a systematic mapping study.

The search yielded 2,481 articles, and 33 articles were finally selected as the primary studies with snowballing. The key findings are that (i) 5 research themes characterize testing approaches in MSA-based applications; (ii) integration and unit testing are the most popular testing approaches; and (iii) addressing the challenges in automated and inter-communication testing is gaining the interest of the community. Additionally, it emerges that there is a lack of dedicated tools to support testing for MSA-based applications, and the reasons and solutions behind the challenges in testing MSA-based applications need to be further explored.

This study will be presented at the Asia-Pacific Software Engineering Conference (APSEC)

Dissemination and implementation strategies in software requirements elicitation

Clinical software is a fundamental tool for supporting healthcare systems because it improves the quality of patient care and automatizes the most frequently performed clinical tasks. Nevertheless, since health systems include various components, such as supplies, transportation, laboratories, and interoperability, eliciting the most critical requirements for understanding the problem that the clinical software must solve is quite a complex task. Indeed, the requirement elicitation process may directly determine the success or failure of the clinical software. In this article, we present the D&I framework, a methodology that uses dissemination and implementation strategies to recommend guidelines for the elicitation of clinical software requirements. The objective of this framework is to support software developers in the identification of key requirements with the goal of more holistically understanding the problem to be solved by the clinical software. We evaluated the D&I framework with a real case study related to a bed management system. We employed a usability instrument with 50 clinicians to evaluate tasks in software modules that represent clinical priorities defined by stakeholders. The results indicate that the perception of usability by end-users is acceptable, suggesting that the evaluated tasks satisfy the established clinical priorities. The D&I framework provides a starting point for research and discussion about the contribution of dissemination and implementation strategies to the body of knowledge about requirement engineering.

Screen Shot 2020-08-18 at 11.58.57 AM.png


Overview of security incidents in telemedicine

There is no doubt that telemedicine is positioning itself as an alternative for medical consulting, especially in the pandemic times we live. Nevertheless, as telemedicine grows, so does the motivation to infringe these types of systems and perpetrate fraud.

In Chile, healthcare codes are increasingly being approved for telemedicine care [1]. This is a significant advance for patients, but at the same time, it is a great challenge in terms of the confidentiality and privacy of patient data.

In order to have an overview of the current situation of reported security incidents in telemedicine, I have reviewed 46 public sources (press releases, blogs, web portals, forums, among others) to describe, in general, the factors surrounding security incidents in telemedicine. It is important to note that each information regarding security incidents can be investigated in detail. But, more specific data on these incidents is very restricted to the public (for obvious reasons, right?)

Screen Shot 2020-05-22 at 2.51.25 PM

This overview aims to have a “starting point” for defining practices, guidelines, and policies to safeguard the confidentiality and privacy of telemedicine in Chile. Additionally, all efforts should be focused on reducing the most common security risks that exist in telemedicine, which are: (i) data integrity, (ii)confidentiality, (iii) availability, (iv) authentication, (v) traceability of transactions and (vi) attribution of acts [2].


[1] Teleconsulting codes in Chile

[2] Why telemedicine represents a cybersecurity risk?

Security quality model for Electronic Health Records

Electronic Health Records (EHRs) are real-time, patient-centered records that instantly and securely make information available to authorized users. The information contained in EHRs is sensitive since, in general, it consists of the patient’s medical history (hospitalizations, treatments, illnesses, among others).

One of the most relevant aspects of EHRs is security. More specifically, Confidentiality and Privacy are critical attributes for security in EHRs. In this regard, assessing the security of EHRs (and systems, in general) is too complex. Security can be characterized from institutional policies to sophisticated attacks on software and critical infrastructure. Therefore, to help reduce this complexity, we are working on a quality model to evaluate the current state of EHR security to support security decision-making in software vendors and clinical facilities. The first version of this quality model was evaluated with 20 professionals from the Chilean healthcare industry.

Screen Shot 2020-05-21 at 10.49.29 PM

We are improving the model and, at the same time, developing a platform that will allow us to automate this evaluation.