Security Mechanisms Used in Microservices-Based Systems

Microservices is an emerging architectural style that is being adopted by industry. This style provides several advantages but, at the same time, poses challenges. One of the critical challenges is security. To understand the current state of security, we performed a systematic literature mapping to illustrate the security mechanisms used in microservices-based applications. In summary, many proposals detect and/or mitigate attacks. However, there are very few proposals that react to attacks and, on the other hand, we do not find proposals to recover from attacks. The figure describes the mechanisms currently used (Y-axis) and the primary studies (letter “M”) sorted by year (X-axis).

 

[Figure: security mechanisms currently used (Y-axis) and primary studies, marked “M”, sorted by year (X-axis)]

This article was accepted at the XLV Latin American Computing Conference (CLEI 2019).

Architectural Technical Debt and Microservices-based Systems

Today, the microservices architectural style is an emerging trend in the industry. In order to develop microservices-based systems, architectural decisions are the first and fundamental steps to address quality goals. In this article, we described preliminary research about a content-based recommender system (CBRS) composed of microservices architecture patterns and architectural tactics. The CBRS serves as a basis for recommending architectural decisions in microservices architectures, so that teams can make more robust decisions to manage architectural technical debt.


Scalability and Microservices-based Systems

Recently, we conducted an empirical study on open microservices-based systems and scalability. We used our pattern language in order to explore which frameworks (commonly used to develop microservices architectures) address the scalability dimensions. Results show that (1) 9 common frameworks satisfy the scalability dimensions (see the following figure, x-axis: frameworks, y-axis: microservices patterns); (2) frameworks produce trade-offs among scalability dimensions; and (3) few frameworks address several scalability dimensions at once. Finally, we identify five reusable design decisions to address scalability requirements and propose them as microservices architectural tactics.

[Figure: frameworks (x-axis) versus microservices patterns (y-axis)]

This study was presented at the 37th International Conference of the Chilean Computer Science Society (SCCC), 2018.

Exploring Security Issues in Telehealth Systems

Telehealth systems (TS’s) provide remote health-based services to improve the quality of service of patient treatment. Most healthcare professionals have access to standard telecommunications technology (such as Wireless Body Area Network (WBAN), biosensors, remote medical robots, and others) to offer remote care of elderly and physically less able patients as well as remote surgeries, treatments, and diagnoses. In order to ensure the functionality of TS’s, several systemic properties must be satisfied, including security. Although there are studies that discuss different security approaches in TS’s, it is difficult to have a clear view of existing security issues and solutions for these systems.

We conducted a review to detect, organize and characterize security issues in TS’s in order to discuss challenges (that emerged from these issues) from a Software Engineering point of view. In summary, we identified 5 attacks, 4 vulnerabilities, 2 threats, and 1 weakness commonly reported in TS’s. Also, we described solutions (reported in academia) to face these security issues plus other qualitative results.

Finally, in the following figure, we illustrate the evolution of security issues according to years and TS’s contexts.

[Figure: evolution of security issues by year and TS context]

Letters “I” (Integration), “P” (Privacy), “D” (Insecure data transmission), “T” (Trust), “IO” (Interoperability), “M” (Risk Management), and “R” (Requirements) indicate target problems. Composed letters (e.g., I-T) indicate more than one target problem.

Finally, our paper was accepted at the 1st International Workshop on Software Engineering for Healthcare (SEH) (in conjunction with ICSE 2019).

Actual Use of Architectural Patterns in Microservices-based Open Source Projects

At APSEC 2018, we presented our current research related to architectural patterns in microservices. The goal of our research is to capture new knowledge about patterns in microservices. We realized there is a huge number of patterns that came from SOA (Service Oriented Architecture), but only a small number of “new” patterns that have arisen from the microservices world. The following figure illustrates the most common architectural patterns found in microservices open projects. These patterns were obtained based on the frameworks used in the projects and were organized by categories (x-axis) and quality attributes (y-axis).

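[Figure: most common architectural patterns in microservices open projects, by category (x-axis) and quality attribute (y-axis)]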

Finally, the next figure describes the “new” architectural patterns that resolve problems exclusive to microservices.

[Figure: “new” architectural patterns for microservices]

Architectural Tactics and Patterns in Microservices

There is no doubt that microservices are becoming an essential industrial standard to develop complex systems. But how are developers and architects building this kind of architecture? At ICSE (International Conference on Software Engineering) 2018, we presented a work-in-progress article that shows architectural tactics and patterns in microservices reported in academia and industry. We realized that many architectural patterns are re-used knowledge from SOA.

On the other hand, we find poor evidence of architectural tactics in microservices. Architectural tactics are reusable architectural design-time solutions that satisfy quality attribute stimuli. For example, if a system component fails to respond to a particular input, then a possible architectural tactic to detect this fault is a heartbeat.

We are planning to investigate how these two areas impact microservices research. We have already published results in conferences like CibSE and journals like IEEE Latin America Transactions.

Security Tactics Selection Poker (TaSPeR)

Today, facing security issues in organizations is a crucial task to achieve business success. There are different procedures, techniques, methodologies, and other approaches proposed by academia and industry that answer the “big” question: how to make my organization less vulnerable to security attacks?

Completely avoiding vulnerabilities is (almost) impossible, especially if most security leaks come from stakeholders. For this reason, we propose TaSPeR, a card game-based, consensus-building technique (based on Planning Poker) that allows development team members to identify, argue for, and choose among architectural security tactics according to objectives and priorities. We presented this technique at ECSA (12th European Conference on Software Architecture) 2018.

This technique involves the participation of all stakeholders in order to provide ideas and feedback about what they think about security. Our research establishes that including stakeholders in the security design of crucial software systems may provide other points of view that experts in security did not consider (at first glance). We tested this technique using subjects with different profiles (students, practitioners, and security experts), getting interesting results in the security decision-making.

Finally, we provided a more “social” technique that aims to help face one of the most important and critical challenges in the industry: cyber-security.