
Model-Driven Security Smell Resolution in Microservice Architecture Using LEMMA

  • Conference paper
  • Software Technologies (ICSOFT 2023)

Abstract

Effective security measures are crucial for modern Microservice Architecture (MSA)-based applications as many IT companies rely on microservices to deliver their business functionalities. Security smells may indicate possible security issues. However, detecting security smells and devising strategies to resolve them through refactoring is difficult and expensive, primarily due to the inherent complexity of microservice architectures.

This paper proposes a model-driven approach to resolving security smells in MSA. The proposed method uses LEMMA as a concrete approach to model microservice applications. We extend LEMMA's functionalities to enable the modeling of microservices' security aspects. With the proposed method, LEMMA models can be processed to automatically detect security smells and recommend the refactorings that resolve the identified security smells.

To test the effectiveness of the proposed method, the paper introduces a proof-of-concept implementation of the proposed LEMMA-based, automated detection and refactoring of microservice security smells.


Notes

  1. https://www.amazon.com/.
  2. https://www.netflix.com/.
  3. https://twitter.com/.
  4. https://github.com/SeelabFhdo/lemma.
  5. This contribution extends our approach described in [36] by providing an extended version of the microservice security smell resolution process including Software Architecture Reconstruction (cf. Sect. 2.3) and LEMMA's Microservice Reconstruction Framework (cf. Sect. 4.1). Additionally, we introduced the Food to Go Restaurant software system as a case study to validate our extended approach (cf. Sect. 3 and Sect. 5). To include the results from our extended approach, we adapted Sect. 5 to include all detected security smells and Sect. 6 and Sect. 8 to include new results of our research.
  6. https://oauth.net/2/.
  7. https://github.com/microservices-patterns/ftgo-application/.
  8. https://oauth.net/2/.
  9. https://projects.eclipse.org/projects/modeling.emf.emf.
  10. https://www.eclipse.org/Xtext/documentation/310_eclipse_support.html#quick-fixes.
  11. https://kubesec.io.
  12. https://www.checkov.io.
  13. https://owasp.org/www-project-zap/.
  14. http://sonarqube.org/.

References

  1. Arcelli, D., Cortellessa, V., Pompeo, D.D.: Automating performance antipattern detection and software refactoring in UML models. In: Wang, X., Lo, D., Shihab, E. (eds.) 2019 International Conference on Software Analysis, Evolution and Reengineering, SANER 2019, pp. 639–643. IEEE Computer Society (2019)

  2. Arcelli Fontana, F., et al.: Arcan: a tool for architectural smells detection. In: Malavolta, I., Capilla, R. (eds.) 2017 IEEE International Conference on Software Architecture Workshops, ICSA 2017 Workshops, pp. 282–285. IEEE Computer Society (2017)

  3. Balalaie, A., Heydarnoori, A., Jamshidi, P.: Microservices architecture enables DevOps: migration to a cloud-native architecture. IEEE Softw. 33(3), 42–52 (2016)

  4. Balalaie, A., Heydarnoori, A., Jamshidi, P., Tamburri, D.A., Lynn, T.: Microservices migration patterns. Softw. Pract. Experience 48(11), 2019–2042 (2018). https://doi.org/10.1002/spe.2608

  5. Bass, L., Clements, P., Kazman, R.: Software Architecture in Practice, 3rd edn. Addison-Wesley Professional (2012)

  6. Bogner, J., Fritzsch, J., Wagner, S., Zimmermann, A.: Microservices in industry: insights into technologies, characteristics, and software quality. In: 2019 IEEE International Conference on Software Architecture Companion (ICSA-C), pp. 187–195. IEEE (2019)

  7. Combemale, B., France, R.B., Jézéquel, J.M., Rumpe, B., Steel, J., Vojtisek, D.: Engineering Modeling Languages: Turning Domain Knowledge into Tools, 1st edn. CRC Press (2017)

  8. Di Francesco, P., Lago, P., Malavolta, I.: Migrating towards microservice architectures: an industrial survey. In: 2018 IEEE International Conference on Software Architecture (ICSA), pp. 29–38. IEEE (2018)

  9. Garcia, J., Popescu, D., Edwards, G., Medvidovic, N.: Identifying architectural bad smells. In: Winter, A., Ferenc, R., Knodel, J. (eds.) Proceedings of the 2009 European Conference on Software Maintenance and Reengineering, CSMR 2009, pp. 255–258. IEEE Computer Society, USA (2009). https://doi.org/10.1109/CSMR.2009.59

  10. Granchelli, G., Cardarelli, M., Francesco, P.D., Malavolta, I., Iovino, L., Salle, A.D.: Towards recovering the software architecture of microservice-based systems. In: 2017 IEEE International Conference on Software Architecture Workshops (ICSAW), pp. 46–53. IEEE (2017)

  11. Hardy, N.: The confused deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Syst. Rev. 22(4), 36–38 (1988)

  12. Haselböck, S., Weinreich, R., Buchgeher, G.: Decision models for microservices: design areas, stakeholders, use cases, and requirements. In: Lopes, A., de Lemos, R. (eds.) ECSA 2017. LNCS, vol. 10475, pp. 155–170. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-65831-5_11

  13. Hassan, S., Ali, N., Bahsoon, R.: Microservice ambients: an architectural meta-modelling approach for microservice granularity. In: 2017 IEEE International Conference on Software Architecture (ICSA), pp. 1–10. IEEE (2017)

  14. JHipster: JHipster Domain Language (JDL) (2023). https://www.jhipster.tech/jdl/intro

  15. Kapferer, S., Zimmermann, O.: Domain-driven service design. In: Dustdar, S. (ed.) SummerSOC 2020. CCIS, vol. 1310, pp. 189–208. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64846-6_11

  16. Knoche, H., Hasselbring, W.: Drivers and barriers for microservice adoption – a survey among professionals in Germany. Enterp. Model. Inf. Syst. Archit. 14(1), 1–35 (2019)

  17. Morris, K.: Infrastructure as Code. O’Reilly Media (2020)

  18. Neri, D., Soldani, J., Zimmermann, O., Brogi, A.: Design principles, architectural smells and refactorings for microservices: a multivocal review. SICS Softw.-Intensive Cyber-Phys. Syst. 35(1), 3–15 (2020). https://doi.org/10.1007/s00450-019-00407-8

  19. Newman, S.: Building Microservices: Designing Fine-Grained Systems. O’Reilly (2015)

  20. Pigazzini, I., Fontana, F.A., Lenarduzzi, V., Taibi, D.: Towards microservice smells detection. In: Proceedings of the 3rd International Conference on Technical Debt, TechDebt 2020, pp. 92–97. Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3387906.3388625

  21. Ponce, F., Soldani, J., Astudillo, H., Brogi, A.: Should microservice security smells stay or be refactored? Towards a trade-off analysis. In: Gerostathopoulos, I., et al. (eds.) Software Architecture, ECSA 2022. LNCS, vol. 13444, pp. 131–139. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-16697-6_9

  22. Ponce, F., Soldani, J., Astudillo, H., Brogi, A.: Smells and refactorings for microservices security: a multivocal literature review. J. Syst. Softw. 192, 111393 (2022). https://doi.org/10.1016/j.jss.2022.111393

  23. Rademacher, F.: A Language Ecosystem for Modeling Microservice Architecture. Ph.D. thesis, University of Kassel (2022)

  24. Rademacher, F., Sachweh, S., Zündorf, A.: Deriving microservice code from underspecified domain models using DevOps-enabled modeling languages and model transformations. In: 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 229–236. IEEE (2020). https://doi.org/10.1109/SEAA51224.2020.00047

  25. Rademacher, F., Sachweh, S., Zündorf, A.: A modeling method for systematic architecture reconstruction of microservice-based software systems. In: Nurcan, S., Reinhartz-Berger, I., Soffer, P., Zdravkovic, J. (eds.) BPMDS/EMMSAD -2020. LNBIP, vol. 387, pp. 311–326. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-49418-6_21

  26. Rahman, A., Parnin, C., Williams, L.: The seven sins: security smells in infrastructure as code scripts. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pp. 164–175 (2019). https://doi.org/10.1109/ICSE.2019.00033

  27. Richardson, C.: Microservices Patterns. Manning Publications (2019)

  28. Sanchez, A., Barbosa, L.S., Madeira, A.: Modelling and verifying smell-free architectures with the Archery language. In: Canal, C., Idani, A. (eds.) SEFM 2014. LNCS, vol. 8938, pp. 147–163. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15201-1_10

  29. Soldani, J., Muntoni, G., Neri, D., Brogi, A.: The μTOSCA toolchain: mining, analyzing, and refactoring microservice-based architectures. Softw. Pract. Experience 51(7), 1591–1621 (2021). https://doi.org/10.1002/spe.2974

  30. Soldani, J., Tamburri, D.A., Heuvel, W.J.V.D.: The pains and gains of microservices: a systematic grey literature review. J. Syst. Softw. 146, 215–232 (2018)

  31. Sorgalla, J., Wizenty, P., Rademacher, F., Sachweh, S., Zündorf, A.: Applying model-driven engineering to stimulate the adoption of DevOps processes in small and medium-sized development organizations: the case for microservice architecture. SN Comput. Sci. 2(6), 459 (2021)

  32. Taibi, D., Lenarduzzi, V.: On the definition of microservice bad smells. IEEE Softw. 35(3), 56–62 (2018). https://doi.org/10.1109/MS.2018.2141031

  33. Taibi, D., Lenarduzzi, V., Pahl, C.: Microservices anti-patterns: a taxonomy. Microserv. Sci. Eng., 111–128 (2020)

  34. Terzić, B., Dimitrieski, V., Kordić, S., Milosavljević, G., Luković, I.: Development and evaluation of MicroBuilder: a model-driven tool for the specification of REST microservice software architectures. Enterp. Inf. Syst. 12(8–9), 1034–1057 (2018)

  35. Vidal, S., Vazquez, H., Diaz-Pace, J.A., Marcos, C., Garcia, A., Oizumi, W.: JSpIRIT: a flexible tool for the analysis of code smells. In: Marín, B., Soto, R. (eds.) 34th International Conference of the Chilean Computer Science Society, SCCC 2015, pp. 1–6. IEEE Computer Society (2015)

  36. Wizenty, P., et al.: Towards resolving security smells in microservices, model-driven. In: Proceedings of the 18th International Conference on Software Technologies - ICSOFT, INSTICC, pp. 15–26. SciTePress (2023). https://doi.org/10.5220/0012049800003538

Acknowledgments

This work was partially supported by ANID under grant PIA/APOYO AFB180002, Instituto de tecnología para la innovación en salud y bienestar, facultad de ingeniería (Universidad Andrés Bello, Chile), and by the project hOlistic Sustainable Management of distributed softWARE systems (OSMWARE, UNIPI PRA_2022_64), funded by the University of Pisa, Italy.

Author information

Correspondence to Francisco Ponce, Florian Rademacher, Jacopo Soldani, Hernán Astudillo, Antonio Brogi or Sabine Sachweh.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Wizenty, P. et al. (2024). Model-Driven Security Smell Resolution in Microservice Architecture Using LEMMA. In: Fill, HG., Domínguez Mayo, F.J., van Sinderen, M., Maciaszek, L.A. (eds) Software Technologies. ICSOFT 2023. Communications in Computer and Information Science, vol 2104. Springer, Cham. https://doi.org/10.1007/978-3-031-61753-9_3

  • DOI: https://doi.org/10.1007/978-3-031-61753-9_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-61752-2

  • Online ISBN: 978-3-031-61753-9

  • eBook Packages: Computer Science (R0)