Security in Microservices Architectures

Mateus-Coelho, Nuno; Cruz-Cunha, Manuela; Ferreira, Luís

doi:10.1016/j.procs.2021.01.320

Cited by 56 publications

(22 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Spring Security Framework [14][15][16] is a robust, highly customizable, comprehensive, and extensible open-source Java framework supporting authentication and authorization. Furthermore, it provides a solution to protect common external attacks [28][29][30][31][32][33][34][35][36][37], such as session fixation, clickjacking, CSRF, etc. For securing Spring-based applications, it is the de-facto standard.…”

Section: Basic Preliminariesmentioning

confidence: 99%

“…Microservice Architecture (MSA) [29][30][31][32][33][34][35][36][37] has arisen to describe a specific way of developing software systems for independently deployable services. The traditional monolithic software development approach suffers from the following drawbacks: bundled deployment as a single stack, intransigent scalability, high cost of resources and refactoring efforts, and DevOps challenges among dispersed teams [15,16].…”

Section: Basic Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

Applying Spring Security Framework with KeyCloak-Based OAuth2 to Protect Microservice Architecture APIs: A Case Study

Chatterjee

Prinz

2022

Sensors

View full text Add to dashboard Cite

In this study, we implemented an integrated security solution with Spring Security and Keycloak open-access platform (SSK) to secure data collection and exchange over microservice architecture application programming interfaces (APIs). The adopted solution implemented the following security features: open authorization, multi-factor authentication, identity brokering, and user management to safeguard microservice APIs. Then, we extended the security solution with a virtual private network (VPN), Blowfish and crypt (Bcrypt) hash, encryption method, API key, network firewall, and secure socket layer (SSL) to build up a digital infrastructure. To accomplish and describe the adopted SSK solution, we utilized a web engineering security method. As a case study, we designed and developed an electronic health coaching (eCoach) prototype system and hosted the system in the expanded digital secure infrastructure to collect and exchange personal health data over microservice APIs. We further described our adopted security solution’s procedural, technical, and practical considerations. We validated our SSK solution implementation by theoretical evaluation and experimental testing. We have compared the test outcomes with related studies qualitatively to determine the efficacy of the hybrid security solution in digital infrastructure. The SSK implementation and configuration in the eCoach prototype system has effectively secured its microservice APIs from an attack in all the considered scenarios with 100% accuracy. The developed digital infrastructure with SSK solution efficiently sustained a load of (≈)300 concurrent users. In addition, we have performed a qualitative comparison among the following security solutions: Spring-based security, Keycloak-based security, and their combination (our utilized hybrid security solution), where SSK showed a promising outcome.

show abstract

Section: Basic Preliminariesmentioning

confidence: 99%

Section: Basic Preliminariesmentioning

confidence: 99%

Applying Spring Security Framework with KeyCloak-Based OAuth2 to Protect Microservice Architecture APIs: A Case Study

Chatterjee

Prinz

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Moreover, many of these types of threats exploit AI-enabled technology to improve their effectiveness, rendering traditional forms of defence useless. Attacks supported by AI are more dangerous, and most defences are not sufficiently prepared for this fight [15].…”

Section: Artificial Intelligence In Cybersecuritymentioning

confidence: 99%

Artificial Intelligence as a Support Tool to Cybersecurity Activities

Arnaud¹,

Matos²

2022

ARIS2-Journal

View full text Add to dashboard Cite

The present study is based on the analysis of the concepts of Cybersecurity and Artificial Intelligence, focusing on how both relate to each other. The COVID-19 pandemic and the fact that the world was forced into confinement had a huge impact on the increase of cyber-attacks and the birth of new threats. Currently, Cybersecurity is becoming an extremely complicated task, as we can no longer think of blocking an attack only by resorting to humans. The advanced and automated ways in which attacks have been developing mean that the task of defence must also be automated. Artificial Intelligence, due to its particularities, meets this need. This technology has been playing an increasingly important role in Cybersecurity, even though we may still consider it to be at an early stage

show abstract

“…This smell occurs whenever two microservices in an application interact without enacting a secure communication [44,73]. As microservice-based applications are highly distributed, communication interfaces and channels proliferate, hence increasing the overall application attack surface.…”

Section: Non-secured Service-to-service Communicationsmentioning

confidence: 99%

“…Each access point constitutes a potential attack vector that can be exploited by an intruder to authenticate as an end-user, and having multiple access points hence result in increasing the attack surface to violate Authenticity in a microservice-based application [35]. The use of multiple access points for user authentication also results in maintainability and usability issues, since user login is to be developed, maintained, and used in multiple parts of the application [44].…”

Section: Multiple User Authenticationmentioning

confidence: 99%

Smells and Refactorings for Microservices Security: A Multivocal Literature Review

Ponce¹,

Soldani²,

Astudillo³

et al. 2021

Preprint

View full text Add to dashboard Cite

Securing microservice-based applications is crucial, as many IT companies are delivering their businesses through microservices. If security "smells" affect microservice-based applications, they can possibly suffer from security leaks and need to be refactored to mitigate the effects of security smells therein. Objective: As the currently available knowledge on securing microservices is scattered across different pieces of white and grey literature, our objective here is to distill well-known smells for securing microservices, together with the refactorings enabling to mitigate the effects of such smells. Method: To capture the state of the art and practice in securing microservices, we conducted a multivocal review of the existing white and grey literature on the topic. We systematically analyzed 58 studies published from 2014 until the end of 2020. Results: Ten bad smells for securing microservices are identified, which we organized in a taxonomy, associating each smell with the security properties it may violate and the refactorings enabling to mitigate its effects. Conclusions: The security smells and the corresponding refactorings have pragmatic value for practitioners, who can exploit them in their daily work on securing microservices. They also serve as a starting point for researchers wishing to establish new research directions on securing microservices.

show abstract

Security in Microservices Architectures

Cited by 56 publications

References 18 publications

Applying Spring Security Framework with KeyCloak-Based OAuth2 to Protect Microservice Architecture APIs: A Case Study

Applying Spring Security Framework with KeyCloak-Based OAuth2 to Protect Microservice Architecture APIs: A Case Study

Artificial Intelligence as a Support Tool to Cybersecurity Activities

Smells and Refactorings for Microservices Security: A Multivocal Literature Review

Contact Info

Product

Resources

About