University of Oulu

Rezaei Nasab, A., Shahin, M., Hoseyni Raviz, S. A., Liang, P., Mashmool, A., & Lenarduzzi, V. (2023). An empirical study of security practices for microservices systems. Journal of Systems and Software, 198, 111563.

An empirical study of security practices for microservices systems

Saved in:
Author: Rezaei Nasab, Ali1; Shahin, Mojtaba2; Hoseyni Raviz, Seyed Ali1;
Organizations: 1School of Computer Science, Wuhan University, 430072 Wuhan, China
2School of Computing Technologies, RMIT University, 3000 Melbourne, Australia
3Department of Computer Science, Bioengineering, Robotics and System Engineering, University of Genoa, 16126 Genoa, Italy
4Faculty of Information Technology and Electrical Engineering, University of Oulu, FI-90014 Oulu, Finland
Format: article
Version: accepted version
Access: embargoed
Persistent link:
Language: English
Published: Elsevier, 2023
Publish Date: 2024-11-26


Despite the numerous benefits of microservices systems, security has been a critical issue in such systems. Several factors explain this difficulty, including a knowledge gap among microservices practitioners on properly securing a microservices system. To (partially) bridge this gap, we conducted an empirical study. We first manually analyzed 861 microservices security points, including 567 issues, 9 documents, and 3 wiki pages from 10 GitHub open-source microservices systems and 306 Stack Overflow posts concerning security in microservices systems. In this study, a microservices security point is referred to as “a GitHub issue, a Stack Overflow post, a document, or a wiki page that entails 5 or more microservices security paragraphs”. Our analysis led to a catalog of 28 microservices security practices. We then ran a survey with 74 microservices practitioners to evaluate the usefulness of these 28 practices. Our findings demonstrate that the survey respondents affirmed the usefulness of the 28 practices. We believe that the catalog of microservices security practices can serve as a valuable resource for microservices practitioners to more effectively address security issues in microservices systems. It can also inform the research community of the required or less explored areas to develop microservices-specific security practices and tools.

see all

Series: Journal of systems and software
ISSN: 0164-1212
ISSN-E: 1873-1228
ISSN-L: 0164-1212
Volume: 198
Article number: 111563
DOI: 10.1016/j.jss.2022.111563
Type of Publication: A1 Journal article – refereed
Field of Science: 113 Computer and information sciences
Funding: This work is funded by the National Natural Science Foundation of China (NSFC) with Grant No. 62172311 and the Special Fund of Hubei Luojia Laboratory.
Dataset Reference: We have shared the link to our dataset in the Rezaei Nasab et al. (2022).
Copyright information: © 2022. This manuscript version is made available under the CC-BY-NC-ND 4.0 license