Development Activities, Tools and Techniques of Secure Microservices Compositions

  • Peter Nkomo
  • Marijke Coetzee
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11879)


The decomposition of an application into independent microservices increases the attack surface and makes it difficult to monitor each microservice in order to secure and control its network traffic. The adoption of microservices, together with new trends in software development that aim to deliver software quickly in short development iterations, often leaves software engineers with little time to attend to the security of such applications. Consequently, it is not uncommon for software development teams to release software without performing full-scale security testing. Although various tools and techniques are available to assist software engineers with the development of secure microservices throughout their life cycle, there is limited guidance on how these tools and techniques can be integrated into the software engineer’s daily development tasks. The aim of this paper is to identify and review tools and techniques that software engineers can use as part of security-focused activities incorporated into the software development process, so that security receives early attention during the development of microservices.


Keywords: Security; Microservices; Secure development activities



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. University of Johannesburg, Johannesburg, South Africa
