– Quality and security in a microservices world –
Security Concerns in Microservices Architectures
Microservices are generally considered a variant of service-oriented architecture, and fortunately most aspects of security in a microservice architecture are similar to those of monolithic applications. However, microservice architectural patterns introduce specific security challenges and problems that should be treated differently. Based on a review of the existing literature and the best practices adopted by many leading IT companies (e.g. Amazon, Netflix, Spotify, Twitter), we have identified several areas of security concern and risk categories that have arisen along with the microservice paradigm.
An overview of security challenges in microservice architectures has been proposed in the form of a hierarchical decomposition into six layers: hardware, virtualization, cloud, communication, service/application and orchestration.
Development of Secure Microservices
Microservices, being software products by nature, need to be developed with security in mind from the early stages of their development. Simply ensuring the implementation and deployment of mechanisms (either external or internal) that enhance the protection of microservices with respect to important security aspects, including availability, confidentiality and integrity, is not enough to fully protect them against attacks.
Most software vulnerabilities stem from a small number of common programming errors. For instance, SQL injection and cross-site scripting, which both OWASP and NIST list among the most dangerous and common vulnerabilities of web services and applications, are caused by a lack of input validation/sanitization, a relatively simple programming error to address. Another source of security issues is the selection of insecure third-party reusable components and Application Programming Interfaces (APIs). Appropriate tooling is required to help developers avoid introducing such security issues during the SDLC, and therefore write more secure code.
Automatic Static Analysis (ASA) tools have proven effective in uncovering security-related bugs early in the software development process. They are applied directly to the source or compiled code of the system, without requiring its execution. In fact, automatic static analysis is considered an important technique for adding security during the software development process. Moreover, static analysis is believed to be more effective in detecting code-level vulnerabilities than dynamic testing approaches such as penetration testing and fuzzing, as it is observed to produce significantly fewer false negatives.
Quality Assessment through Machine Learning
Machine Learning technologies have been applied to resolve multiple and quite diverse research problems such as defect management, cost/effort estimation, management of design-time quality attributes, recommendations for efficient project management, and detection of security threats. In terms of quality attributes, the most relevant ones appear to be the improvement of maintainability and functional suitability (i.e., correctness), followed by security and business quality attributes. Overall, the following practices can be mapped to quality management:
Cost/Effort Estimation: Monetization is a key concept in quality management. To this end, any cost or effort estimation approach based on past data can be considered relevant for predicting the cost of applying refactoring or the cost of future maintenance effort. In this category of Software Engineering problems, special emphasis is placed on studies that deal with software maintenance effort prediction.
Management of Design-Time QAs and Defects: In this high-level category, various related problems have been identified. First, many studies focus on change- and fault-proneness. These concepts are closely related to interest probability, in the sense that changes and faults lead to maintenance activities that can accumulate interest. Additionally, other studies focus on the detection of code smell occurrences. Finally, any method used for assessing or characterizing the levels of QAs (e.g., maintainability) can be useful.
Requirements and Project Management Recommendations: Many studies use ML to provide recommendations to developers related to which requirements shall be implemented first, or which reported bugs shall be prioritized. Such recommendations could be useful for Technical Debt prioritization, by considering that artefacts that are not expected to change (due to bug fixing, or implementation of new requirements), shall not be prioritized for design-time quality improvements.
Given the above, we can derive the following baseline market requirements for the development of the SmartCLIDE solution:
SmartCLIDE shall support
- user-friendly GUI even for non-technical users
- visually intuitive interfaces to help users with model generation and training
- implementation of coding-by-example principle
- the provision of abstractions that minimize the manual changes developers must make to the source code in order to implement new features
- the classification of services, learning from code or applying Machine Learning algorithms
- user stories, features specification
- specification of acceptance criteria for functional and non-functional requirements
- the short iterations concept
- Continuous Integration / Continuous Development (CI/CD)
- automated testing in different flavours: Acceptance Test-Driven Development (ATDD) / Behavioral Driven Development (BDD) / Test-Driven Development (TDD).
- static analysis
- working code as a source of documentation
- integration with run-time monitoring tools
- version control of software
- cloud native IDE for cloud native solutions
- Business Process Modelling capabilities
- service discovery and search
- service integration through the online dashboard
- a wrapper which isolates the user from Deep Learning (DL) complexity as far as possible, releasing developers from boilerplate code generation
- the provision of coding blueprints which can serve as a base for more complex tasks, making code more reusable and easier to understand
SmartCLIDE should support
- easy configuration
- the provision of metrics for maintainability / reusability at the service and the system level
- the extension of existing tools for measuring maintainability and reusability to capture the metrics at the service level
- the provision of solutions for facilitating the identification and elimination of critical vulnerabilities that reside in the source code of microservices from the early stages of their development
- the provision of an easy non-coding implementation for DL usage (general problems) depending on input data
- the provision of code blueprints (skeletons) based on Gherkin inputs for services implementation
- the discovery and composition of basic services based on ontologies
- scalability of processing capability
- replicability of architecture to increase flexibility
- fault tolerance and reliability
- security through isolation / dependability
- the monitoring of maintainability and reusability of the project under development
- dynamic software configuration
SmartCLIDE may support
- generation of automatic tests by natural language interpretation of acceptance tests
- the provision of on-the-fly suggestions on how to improve the reusability and maintainability of the system
- agile tools such as a Kanban board
- implementation of artefacts for product and sprint backlog management (e.g. Kanban or Scrumban boards)
- implementation of artefacts facilitating waterfall life cycles
This part is the continuation of the article “The road towards microservices“.
The reader can find more details on this topic in the public deliverable D1.1-State-of-the-Art and Market Requirements.