Microservices and testing

Software testing fundamentals strongly support the building of Microservices Architecture (MSA)-based applications. With the increasing interest in the development of MSA-based applications, it is important to systematically identify, analyze, and classify the publication trends, research themes, approaches, tools, and challenges in the context of testing MSA-based applications. To understand the state of the art regarding testing and MSAs, we conducted a systematic mapping study.

The search yielded 2,481 articles, and 33 articles were finally selected as the primary studies with snowballing. The key findings are that (i) 5 research themes characterize testing approaches in MSA-based applications; (ii) integration and unit testing are the most popular testing approaches; and (iii) addressing the challenges in automated and inter-communication testing is gaining the interest of the community. Additionally, it emerges that there is a lack of dedicated tools to support testing for MSA-based applications, and the reasons and solutions behind the challenges in testing MSA-based applications need to be further explored.

This study will be presented at the Asia-Pacific Software Engineering Conference (APSEC).

Dissemination and implementation strategies in software requirements elicitation

Clinical software is a fundamental tool for supporting healthcare systems because it improves the quality of patient care and automates the most frequently performed clinical tasks. Nevertheless, since health systems include various components, such as supplies, transportation, laboratories, and interoperability, eliciting the most critical requirements for understanding the problem that the clinical software must solve is quite a complex task. Indeed, the requirement elicitation process may directly determine the success or failure of the clinical software. In this article, we present the D&I framework, a methodology that uses dissemination and implementation strategies to recommend guidelines for the elicitation of clinical software requirements. The objective of this framework is to support software developers in the identification of key requirements with the goal of more holistically understanding the problem to be solved by the clinical software. We evaluated the D&I framework with a real case study related to a bed management system. We employed a usability instrument with 50 clinicians to evaluate tasks in software modules that represent clinical priorities defined by stakeholders. The results indicate that the perception of usability by end-users is acceptable, suggesting that the evaluated tasks satisfy the established clinical priorities. The D&I framework provides a starting point for research and discussion about the contribution of dissemination and implementation strategies to the body of knowledge about requirement engineering.



Overview of security incidents in telemedicine

There is no doubt that telemedicine is positioning itself as an alternative for medical consulting, especially in the pandemic times we live in. Nevertheless, as telemedicine grows, so does the motivation to compromise these types of systems and perpetrate fraud.

In Chile, healthcare codes are increasingly being approved for telemedicine care [1]. This is a significant advance for patients, but at the same time, it is a great challenge in terms of the confidentiality and privacy of patient data.

In order to have an overview of the current situation of reported security incidents in telemedicine, I have reviewed 46 public sources (press releases, blogs, web portals, forums, among others) to describe, in general, the factors surrounding security incidents in telemedicine. It is important to note that each piece of information regarding security incidents can be investigated in detail. However, more specific data on these incidents is very restricted to the public (for obvious reasons, right?).


This overview aims to provide a “starting point” for defining practices, guidelines, and policies to safeguard the confidentiality and privacy of telemedicine in Chile. Additionally, all efforts should be focused on reducing the most common security risks that exist in telemedicine, which are: (i) data integrity, (ii) confidentiality, (iii) availability, (iv) authentication, (v) traceability of transactions, and (vi) attribution of acts [2].


[1] Teleconsulting codes in Chile

[2] Why telemedicine represents a cybersecurity risk?

Security quality model for Electronic Health Records

Electronic Health Records (EHRs) are real-time, patient-centered records that instantly and securely make information available to authorized users. The information contained in EHRs is sensitive since, in general, it consists of the patient’s medical history (hospitalizations, treatments, illnesses, among others).

One of the most relevant aspects of EHRs is security. More specifically, confidentiality and privacy are critical attributes for security in EHRs. In this regard, assessing the security of EHRs (and of systems in general) is highly complex, since security spans everything from institutional policies to sophisticated attacks on software and critical infrastructure. Therefore, to help reduce this complexity, we are working on a quality model to evaluate the current state of EHR security to support security decision-making in software vendors and clinical facilities. The first version of this quality model was evaluated with 20 professionals from the Chilean healthcare industry.


We are improving the model and, at the same time, developing a platform that will allow us to automate this evaluation.

Frameworks, platforms, and microservices

In the development of microservices-based systems, one of the typical questions that software developers ask is: Which technologies (such as frameworks and platforms) do I have to select to develop the microservices project? The market for frameworks and platforms to develop not only microservices-based systems but also all kinds of systems is very broad. So, what criteria should be used to select technologies? One “obvious” criterion is “the technology that is cheaper and takes less time”. But this criterion is only one of many that an architect should consider when developing a microservices-based system.

To help with this complex task, we have created a technique that allows evaluating sets of frameworks and platforms based on quality attributes.


This tool helps the software architect reduce the space of technological solutions in the market into a more specific set that allows her or him to satisfy the main non-functional requirements of a microservices project. To evaluate the technique, we used it in an industrial project, obtaining promising results.

Security and Telehealth System

Software Engineering can be applied in several fields, such as health. In this regard, some health systems, such as Telehealth systems, pose many challenges for software development. Having said that, we investigated how Software Engineering helps to develop secure Telehealth systems. The findings of our research suggest that sophisticated requirements elicitation and the correct definition of software architectures are essential to satisfy security.

This work was published in IEEE Access.

Experts or novices in the software architectural design decision-making? An experimental study

Software engineering literature describes several decision-making techniques for architectural design. However, the impact of the experience of those who use these techniques on their efficacy has been little explored.

We experimented with 24 IT practitioners in order to evaluate the impact of the experience of software architecture decision-making team members on the efficacy of TaSPeR (Tactics Selection Poker), a technique that supports architectural design decisions (inspired by the Planning Poker technique).

This research, led by Juan P. Brito, reveals that for teams with more experienced members the use of TaSPeR turned out to be harmful for the selection of software architecture tactics, in contrast to the more experienced teams, for which the use of TaSPeR was quite beneficial. Other key findings are discussed in the article.

This article was accepted at the International Conference of the Chilean Computer Science Society (SCCC).

Migration from monolithic to microservices, What has been done so far?

Microservices architecture has become enormously popular because traditional monolithic architectures no longer meet the needs of scalability and rapid development cycle, and the success of some large companies in building and deploying services is a strong motivation for others to consider making the change.

However, performing the migration process is not trivial. Most systems acquire too many dependencies between their modules, and thus can’t be sensibly broken apart. It is for this reason that studies that provide information associated with the migration process to practitioners are necessary.

We have performed a rapid review to analyze the current state of the migration of monolith systems to microservices. In this investigation, led by Francisco Ponce, we discuss some key findings related to:

What techniques are used to migrate monolith systems to microservices?

What happens to databases during migration?

This article was accepted at the International Conference of the Chilean Computer Science Society (SCCC).

Security, availability, and microservices-based systems

There is no doubt that security is a constant concern for organizations. Furthermore, if these organizations use microservice architectures in their systems, security becomes an ongoing concern. To address security concerns, three critical quality attributes must be analyzed: integrity, confidentiality, and availability. Regarding this last quality attribute, we conducted an empirical study where we identified design decisions (better known as architectural tactics) for availability with the aim of supporting security designs in microservices architectures (see the table below).


This study will be presented at the 1st workshop on Designing and Measuring CyberSecurity in Software Architectures (DeMeSSA), held by the European Conference on Software Architecture (ECSA).

Security Mechanisms Used in Microservices-Based Systems

Microservices is an emerging architectural style that is being used by the industry. This style provides several advantages, but at the same time, challenges. One of the critical challenges is security. In order to understand the current scene regarding security, we performed a systematic literature mapping to illustrate the security mechanisms used in microservices-based applications. In summary, many proposals detect and/or mitigate attacks. However, there are very few proposals that react to attacks, and we did not find proposals to recover from attacks. The figure describes the mechanisms currently used (Y-axis) and the primary studies (letter “M”) sorted by year (X-axis).



This article was accepted at the XLV Latin American Computing Conference (CLEI 2019).