Smells and Refactorings for Microservices Security: A Multivocal Literature Review
Francisco Ponce, Jacopo Soldani, Hernán Astudillo, Antonio Brogi

TL;DR
This paper conducts a multivocal review of 58 white and grey literature studies (2014 to 2020) to identify security smells in microservice-based applications, organizes them into a taxonomy, and links each smell to the refactorings that mitigate it, providing practical guidance for practitioners and open directions for research.
Contribution
It presents a taxonomy of ten security smells in microservices and associates each with specific refactorings, consolidating knowledge that was previously scattered across white and grey literature.
Findings
Identified ten security smells affecting microservices.
Organized smells into a taxonomy with associated refactorings.
Provided pragmatic guidance for practitioners and researchers.
Abstract
Context: Securing microservice-based applications is crucial, as many IT companies are delivering their businesses through microservices. If security smells affect microservice-based applications, they may suffer from security leaks and need to be refactored to mitigate the effects of the security smells therein. Objective: As the currently available knowledge on securing microservices is scattered across different pieces of white and grey literature, our objective here is to distill well-known smells for securing microservices, together with the refactorings that mitigate the effects of such smells. Method: To capture the state of the art and practice in securing microservices, we conducted a multivocal review of the existing white and grey literature on the topic. We systematically analyzed 58 studies published from 2014 until the end of 2020. Results: Ten bad smells for…
Taxonomy
Topics: Software System Performance and Reliability · Advanced Malware Detection Techniques · IoT and Edge/Fog Computing
