Smells and Refactorings for Microservices Security: A Multivocal Literature Review
This work addresses security challenges for practitioners in IT companies using microservices, but it is incremental as it synthesizes existing knowledge rather than introducing new methods.
The paper tackles the problem of securing microservice-based applications by identifying ten security smells and corresponding refactorings through a multivocal literature review of 58 studies from 2014 to 2020, providing a taxonomy to help mitigate security leaks.
Context: Securing microservice-based applications is crucial, as many IT companies are delivering their businesses through microservices. If security smells affect microservice-based applications, they can possibly suffer from security leaks and need to be refactored to mitigate the effects of security smells therein. Objective: As the currently available knowledge on securing microservices is scattered across different pieces of white and grey literature, our objective here is to distill well-known smells for securing microservices, together with the refactorings enabling to mitigate the effects of such smells. Method: To capture the state of the art and practice in securing microservices, we conducted a multivocal review of the existing white and grey literature on the topic. We systematically analyzed 58 studies published from 2014 until the end of 2020. Results: Ten bad smells for securing microservices are identified, which we organized in a taxonomy, associating each smell with the security properties it may violate and the refactorings enabling to mitigate its effects. Conclusions: The security smells and the corresponding refactorings have pragmatic value for practitioners, who can exploit them in their daily work on securing microservices. They also serve as a starting point for researchers wishing to establish new research directions on securing microservices.