Microservice Vulnerability Analysis: A Literature Review with Empirical Insights

TL;DR

This paper reviews existing literature on microservice security vulnerabilities, proposes a taxonomy, and empirically validates it through vulnerability scans on benchmark applications, offering practical guidelines for enhancing microservice security.

Contribution

It provides the first comprehensive taxonomy of microservice vulnerabilities combined with empirical validation using multiple scanning tools and benchmark applications.

Findings

Identified 126 microservice vulnerabilities from 62 studies

Validated the taxonomy through vulnerability scans on four benchmark applications

Mapped vulnerabilities across microservice, application, and tool levels

Abstract

Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come with significant security challenges, as the increased complexity of service interactions, expanded attack surfaces, and intricate dependency management introduce a new array of cybersecurity vulnerabilities. While security concerns are mounting, there is a lack of comprehensive research that integrates a review of existing knowledge with empirical analysis of microservice vulnerabilities. This study aims to fill this gap by gathering, analyzing, and synthesizing existing literature on security vulnerabilities associated with microservice architectures. Through a thorough examination of 62 studies, we identify, analyze, and report 126 security vulnerabilities inherent in microservice architectures. This comprehensive analysis enables us to (i) propose a taxonomy that categorizes microservice vulnerabilities based on the distinctive features of microservice architectures; (ii) conduct an empirical analysis by performing vulnerability scans on four diverse microservice benchmark applications using three different scanning tools to validate our taxonomy; and (iii) map our taxonomy vulnerabilities with empirically identified vulnerabilities, providing an in-depth vulnerability analysis at microservice, application, and scanning tool levels. Our study offers crucial guidelines for practitioners and researchers to advance both the state-of-the-practice and the state-of-the-art in securing microservice architectures.