Automatic Detection of Security Deficiencies and Refactoring Advises for Microservices

The microservice architecture enables organizations to shorten development cycles and deliver cloud-native applications rapidly. However, it also brings security concerns that need to be addressed by developers. Therefore, security testing in microservices becomes even more critical. Recent research papers indicate that security testing of microservices is often neglected for reasons such as lack of time, lack of experience in the security domain, and absence of automated test environments. Even though several security scanning tools exist to detect container, containerized workload management (Kubernetes), and network issues, none individually is sufficient to cover all security problems in microservices. Using multiple scanning tools increases the complexity of analyzing findings and mitigating security vulnerabilities. This paper presents a fully automated test tool suite that can help developers address security issues in microservices and resolve them. It targets to reduce time and effort in security activities by encapsulating open-source scanning tools into one suite and providing improved feedback. The developed security scanning suite is named Pomegranate. To develop Pomegranate, we employed Design Science and conducted our investigation in Ericsson. We have evaluated our tool using a static approach. The evaluation results indicate that the Pomegranate could be helpful to developers by providing simplified and classified outputs for security vulnerabilities in microservices. More than half of the practitioners who give us feedback found Pomegranate helpful in detecting and mitigating security problems in microservices. We conclude that a fully automated test tool suite can help developers to address most security issues in microservices. Based on the findings in this paper, the direction for future work is to conduct a dynamic validation of Pomegranate in a live project. © 2023 IEEE.