Towards a software engineering view of security for microservice-based applications

Abstract

Nowadays, security is one of the most important minimum requirements of software applications. In order to meet these requirements, a deep understanding of the software architecture, the security mechanisms the architecture contains, and the effect of these solutions on security and other quality attributes is required. Thus, modeling security in software architectures is a central component of the software development lifecycle. Modeling approaches so far illuminate the security of a software system only from an attacker’s perspective. Threat modeling techniques identify the existing threats and risks of a system. However, software architects and engineers need tools and methods to express and ensure the security of a software system from a constructive perspective. In this thesis, we explore which security mechanisms exist for microservice-based applications and how these mechanisms can be modeled. For the identification and collection of security mechanisms, we conduct a Systematic Literature Review (SLR). From the gathered information we compile a set of catalogs that classify and describe the security mechanisms based on different properties. Based on the insights of the SLR and other related work, we propose a security metamodel for the creation of architectural documentation. This metamodel divides the description of security into six different views, each of which defines its own set of requirements that must be addressed by the respective models. To validate our contributions, we perform semi-structured interviews with research and industry experts who reviewed the modeling approach using security views. With these efforts, we propose a methodology for modeling and describing security in software architectures. We show how a software engineering perspective can be employed to draw conclusions about the effectiveness of security controls in a software architecture.
Through the proposed definitions and models, we create a basis for a new research direction targeting the analysis of the security quality attribute from a software development point of view.

Resources

Project information

Status: Finished

Thesis for degree: Master

Student: Brian Sinkovec

Supervisor:

Id: 2022-014