Automatic Detection of Security Deficiencies and Refactoring Advises for Microservices
Abstract—The microservice architecture enables organizations to shorten development cycles and deliver cloud-native applications rapidly. However, it also brings security concerns that need to be addressed by developers. Therefore, security testing in microservices becomes even more critical. Recent research papers indicate that security testing of microservices is often neglected for reasons such as lack of time, lack of experience in the security domain, and absence of automated test environments. Even though several security scanning tools exist to detect container, containerized workload management (Kubernetes), and network issues, none individually is sufficient to cover all security problems in microservices. Using multiple scanning tools increases the complexity of analyzing findings and mitigating security vulnerabilities. This paper presents a fully automated test tool suite that can help developers address security issues in microservices and resolve them. It aims to reduce time and effort in security activities by encapsulating open-source scanning tools into one suite and providing improved feedback. The developed security scanning suite is named Pomegranate. To develop Pomegranate, we employed Design Science and conducted our investigation at Ericsson. We have evaluated our tool using a static approach. The evaluation results indicate that Pomegranate could be helpful to developers by providing simplified and classified outputs for security vulnerabilities in microservices. More than half of the practitioners who gave us feedback found Pomegranate helpful in detecting and mitigating security problems in microservices. We conclude that a fully automated test tool suite can help developers to address most security issues in microservices. Based on the findings in this paper, the direction for future work is to conduct a dynamic validation of Pomegranate in a live project.

Index Terms—Microservices, Security, Kubernetes, Security Scanning Tools

I. INTRODUCTION

The high demand for software-intensive products has been forcing organizations to improve how software is deployed and to increase the frequency of deliveries [1]. Organizations are migrating their applications to the cloud for several reasons, such as higher scalability and reliability, disaster recovery, and security. One popular architecture for developing cloud-native applications is the microservice paradigm [2].

Speeding up the delivery of software and a high capability to evolve are the primary outcomes of a microservice architecture. Some of the other benefits are high scalability, fault isolation, and agile bug fixing [3].

Despite its many benefits, there are many security concerns, which include an expanded attack surface, lack of monitoring capabilities in multiple clouds, and distributed security tracing [4]; there are more entry points in microservices compared to monolith applications.

Legacy security solutions that are effective for monolith applications are often not good enough for microservices-based applications. For example, microservices are small and independent units of a system and can be written using heterogeneous technologies (e.g., different programming languages). Furthermore, each microservice can interact with many other microservices or applications outside an application's cluster.

Software security testing is a part of the software testing domain focused on the security properties of software applications. It is divided into functional security testing and vulnerability security testing [5]. Functional security testing assures that security functions are successfully implemented in an application. Vulnerability security testing focuses on revealing security risks and vulnerabilities that may make a software system exploitable by attackers. Vulnerability security testing can be static or dynamic. Static testing focuses on identifying misconfigurations and vulnerabilities in source code. Dynamic testing focuses on detecting vulnerabilities and security weaknesses in applications by assessing them during their execution.

Although there are several vulnerability scanning tools for a specific purpose, there is a lack of security scanning suites that combine static and dynamic vulnerability scanners, especially for microservices. For instance, OWASP ZAP¹ is an open-source tool to detect vulnerabilities in web-based applications by performing dynamic analysis. The Nmap network scanner² and Kubeaudit³ are examples of security auditing tools that can be applied to microservices deployed on Kubernetes clusters.

A security test tool suite that consists of many security scanning tools to audit classified security deficiencies, aligned with recommendations to refactor the defective code, may help developers to improve the security and quality of microservice-based applications by decreasing the time and effort in identifying issues and matching them to solutions. It may also remove the dependency on security experts in development teams.

The main aim of our research was to implement a fully automated security test tool suite capable of automatically

¹ https://www.zaproxy.org/
² https://nmap.org/
Fig. 1. Research Design Structure

between 200 and 500 hours producing such a report per release.

To start addressing the identified problem, we conducted a rapid literature review focusing on security issues in microservices and tools/methods for identifying security deficiencies in microservices. We surveyed both scientific publications and grey literature (GitHub repositories, online blog posts, practitioner reports).

We formulated a search string to search existing knowledge in related literature on databases such as Google Scholar and IEEE Xplore. We formulated and used the following search strings:

search1: ("microservice" AND "security") AND ("challenge" OR "weakness" OR "deficiency" OR "vulnerability" OR "issue")
search2: ("microservice" AND "security") AND ("solution" OR "practice")
search3: ("microservice" AND "security") AND ("scanning tool" OR "detection" OR "test automation")

To account for the rapid evolution of cybersecurity practices, we applied filtering on the literature review findings to eliminate outdated security practices.

We also investigated open-source security scanning tools publicly available on GitHub. We used the advanced search feature of GitHub to search with the desired parameters and sort findings. In our search, we only collected the repositories that were updated in the last 2 years, because the technologies used with microservices are evolving so fast that outdated repositories are mostly incompatible with the latest versions of those technologies. We formulated and used the following search string:

("security" AND "scan") AND ("microservice" OR "kubernetes" OR "container" OR "network")

After collecting all security scanning tools publicly available at GitHub, we analyzed their fitness to our research. We also considered the popularity of the repository as a sign of community trust. More specifically, we analyzed the number of forks and stars per project.

1) Design Phase: Once we identified the security issues and tools associated with microservices, we used this outcome to develop Pomegranate. Our tool uses a microservice/cloud-native architecture and capitalizes on existing open-source components. We provide more details about the tool in Section IV and our online Appendix⁴.

2) Evaluation Phase: The last phase of our research was to validate Pomegranate (RQ2 and RQ3). To do so, we did two things: we analyzed our tool's performance (scanning time and reliability) and conducted a static validation [14].

To identify the average scanning time of Pomegranate, we used the Pomegranate bash script, recording the time at the beginning and end. We first ran it ten times deploying the same microservice. After observing that the scanning time was nearly the same each time, we performed the scan ten times in our test environment, deploying a different microservice each time. Since the type of microservice and the number of implemented features might affect scanning time, we chose diverse types of microservices, such as databases and web applications. In the same way, reliability tests can help to understand whether Pomegranate is trustworthy by creating correct outputs consistently within a specific time.

In our static validation, we asked security masters, developers, and architects to answer a questionnaire that focused on the usability, feasibility, and reliability of our tool (see Table I).

We invited 50 practitioners to attend a session wherein we spent 30 minutes demoing Pomegranate. After the demo, we spent 30 minutes answering questions from the audience. In the end, we shared the questionnaire (online) and asked the participants to answer within one week. As a result, 20 practitioners answered the questionnaire (11 developers, 8 security masters, and 1 architect).

To analyze the results, we used descriptive statistics. We also analyzed the text provided in the questionnaire's open-ended question and selected relevant quotes, which are presented in Section 5.

IV. POMEGRANATE OVERVIEW

Pomegranate⁵ is a security scanning suite for microservices that combines different open-source scanning tools, reveals security weaknesses, and provides recommendations for corrections in an easy-to-interpret way.

The architecture of Pomegranate is presented in Figure 2. It contains two blocks: scanning and analysis. Testing environment, configuration, and development details are available in our online Appendix. We provide more details about the

⁴ https://github.com/ramsessw/Pomegranate-suite/blob/main/doc/OnlineAppendix.pdf
⁵ The tool is available at https://github.com/ramsessw/Pomegranate-suite
Fig. 2. Pomegranate Architecture
TABLE II
SECURITY DEFECTS AND PRACTICES IN CONTAINER CATEGORY

TABLE III
SECURITY DEFECTS AND PRACTICES IN KUBERNETES CATEGORY

TABLE IV
SECURITY DEFECTS AND PRACTICES IN NETWORK CATEGORY

is chosen because it applies the whole CIS Docker Benchmark [15] checklist, which is widely used in the industry as a guide. Trivy is a powerful tool with rich features and a large database of known vulnerabilities. We also preferred integrating a static scanning tool like Terrascan to look through source code and container configuration deeply before running containerized applications in production.

In the Kubernetes category, we selected kube-bench and kube-hunter as they are leading Kubernetes scanning tools in terms of coverage of the identified security weaknesses, community reputation, and ease of installation.

In the network security category, kube-hunter and Terrascan also cover the defects of this category. In addition to them, we included OWASP ZAP and Nmap.

Docker Bench for Security is a fully automated tool to check common best practices in deployed Docker containers. The tool checks the presence of requirements listed in the CIS (Center for Internet Security) Docker Benchmark [15]. It may run as a shell script on the host or as a pre-built container. Findings are written to a report file.

Trivy is a security and misconfiguration scanning tool targeting container images, file systems, git repositories, Kubernetes clusters, and resources. It is an open-source scanner created by Aqua Security. The tool has different scanning options, such as scanning for known vulnerabilities (CVEs) in OS packages and software and detecting misconfigurations in
TABLE VI
SECURITY SCANNING TOOLS COMPARISON FOR KUBERNETES CATEGORY
(Tools compared: Kubesec, Kubescape, Kubeaudit, Popeye, Datree, Terrascan)

TABLE VII
SECURITY SCANNING TOOLS COMPARISON FOR NETWORK CATEGORY
(Tools compared: OWASP ZAP, Terrascan, Nmap, Kube-hunter; columns S15–S18)

different infrastructures.

Kube-hunter is a tool to detect security weaknesses in Kubernetes clusters by performing static and dynamic inspection. Kube-hunter can be deployed with three different methods: running on the host machine, using the containerized version, or running as a pod in the cluster. Four main scanning options are supported: remote scanning, interface scanning, network scanning, and Kubernetes node auto-discovery.

In Pomegranate, kube-hunter is deployed as a pod in the same cluster as a sample microservice. This deployment type detects more security issues since it simulates the circumstance in which a cluster is exposed to an attacker and a microservice pod is compromised due to a vulnerability.

Kube-bench is a tool that checks Kubernetes deployments against the checklist of the CIS Kubernetes Benchmark [16]. It ensures authorization, authentication, and encryption in Kubernetes Control Plane components. Security and Network Policies, Secret Management and configurations are also checked by following the benchmark. For each item in the CIS benchmark, the result is printed as "PASS" for success, "FAIL" for failure, "INFO" for information or "WARN" for warning. The tool can be run using a container, by deploying it in a Kubernetes cluster, or by installing the binary on the host machine. As with kube-hunter, we deployed kube-bench as a pod in the Kubernetes cluster to inspect Kubernetes security deficiencies as part of Pomegranate. The scan is started using a YAML file belonging to a job and ends by saving the findings in a report.

OWASP Zed Attack Proxy (ZAP) is a security scanning tool for web applications to detect vulnerabilities at run time. It is created and developed by the OWASP Foundation, which contributes to the cybersecurity community through open-source projects and activities to improve software security. OWASP ZAP helps perform dynamic analysis of web applications by acting as a proxy between the client application and the server. Requests sent to the application and responses received from the application are analyzed by the tool to determine security status.

OWASP ZAP is chosen for Pomegranate because of its capability of scanning Application Programming Interfaces (APIs) for security vulnerabilities. This tool can also scan APIs that expose microservices to users and communicate with other services. To scan a microservice with OWASP ZAP, the exposed URL endpoints of the microservice need to be set in the ZAP configuration.

Network Mapper (Nmap) is a widely used, powerful, and portable tool for network discovery and security scanning. Several features of Nmap can be listed: port scanning, network discovery, TCP/IP stack fingerprinting, and application version detection. Using Nmap to inspect network protocols and detect open ports helps network administrators to understand the flows in the network. Another reason to integrate Nmap in our test tool suite is its capability to scan for known TLS/SSL vulnerabilities and check certificates and the TLS algorithms used. The tool is installed on our host machine using its binary file. It might also be deployed as a pod that uses its container image to inspect microservice network operations. The outputs are written into a report file in XML format. It not only lists open ports but also presents the TLS/SSL security status if secure communication protocols are used.

Terrascan is a static code analyzer to detect security weaknesses in different platforms such as Kubernetes, Docker, and Terraform by inspecting configuration files. It helps to scan the code for misconfigurations and find security vulnerabilities and compliance violations. The tool can be installed on the host machine or run directly via the Docker container. Pomegranate uses Terrascan to detect faulty container configurations and verify Kubernetes network configuration by scanning microservice source code. The tool can identify infrastructure configuration files in the given repository and address security issues. The generated report in JSON format includes only the details of the security violations found.

C. Pomegranate Analysis Block

The analysis block includes a parsing script that reads all generated reports and a vulnerability sorter script that classifies findings based on the security issue categorization presented in this paper.

A mapping strategy is necessary to be able to classify results from tool reports and prevent duplicates. Therefore, we
went through the policies belonging to the open-source tools used, as described in their documentation. After studying each policy, we mapped and addressed the policies in the tools with the classification approach of this work.

Pomegranate provides outputs for users as refactoring advice to mitigate the security issues found in the tested microservice. The outcomes are a summary table for the security status of a microservice and advisory files of categorized refactoring suggestions. The output summary table (see Figure 3) reveals the result for each security defect and practice if they appear in the tested microservice. The status column in the table shows whether the microservice under test is secure or not according to each security issue. The classified advisory files (see Figure 4) convey the details about the vulnerability or misconfiguration and the refactoring advice.

V. EVALUATION RESULTS

In this section, we present the results for RQ2 and RQ3.

A. RQ2 - Pomegranate Performance Evaluation

We evaluated the average scanning time and reliability of the test tool suite. The calculated average scan time after obtaining all results was about 19 minutes. This average scan time can be accepted as good because all integrated security scanning tools in Pomegranate run sequentially. So this result shows us that scan time can be even less than 19 minutes by running scan tools in parallel (a potential future improvement).

To verify the reliability of Pomegranate, we performed the scan in our test environment, repeating it ten times. All repeated scans were performed with the same microservice to determine whether Pomegranate creates consistent and accurate results. At the end of the repeated scans, we collected all generated files as the output of Pomegranate and verified the results by comparing them with each other.

B. RQ3 - Pomegranate Feasibility and User Evaluation

In this section, we present the feasibility, usefulness, and usability results of Pomegranate based on the feedback questionnaire completed by 20 microservice practitioners. Table VIII consolidates the results.

The majority of the participants were positive about the usability and simplicity (90%) of Pomegranate, the extent to which it is helpful for inexperienced developers (90%), its reliability (70%), its usefulness (85%), and the extent to which it helps to reduce lead time and effort (85%).

We asked the respondents to provide additional feedback and suggestions in an open-ended way. We received very constructive feedback and improvement ideas for Pomegranate. For example, two participants highlighted that it would be good to extend Pomegranate with a transparent configuration file to utilize advanced options in the scanning tools:

"What would also be interesting to see is how Pomegranate is configured & what options are available. Many of the open-source tools used have different configuration options. Users might want to try out and use together with the Pomegranate suite."

"Is the suite easy to extend with new scanners and parser? Is it possible to detect holes in your security scanning, like a list of security guidelines that are not currently scanned? It seems that it is a good idea to grab a bunch of different open-source tools and unify the output so you don't have to look at all the different reports manually."

Two respondents raised concerns about the suggested refactoring suggestions, which indicates the importance of a dynamic validation of Pomegranate:

"I answered neutral on the 'Automatic detection of security deficiencies and refactoring advises' question, since it is difficult to know the refactoring will play out in practice since I have not tried it and Pomegranate will only be as accurate as the tools are defined in the suite."

"Pomegranate is meant to detect and provide simplified aggregated results of the findings. I am not sure if there was something to fix/resolve the issues found (as mentioned in one of the questions). Another point or rather question, when you say reliable, does that mean there is some intelligent logic implemented or the Pomegranate itself is relying on the tools used in it e.g. kube-bench?"

All in all, the result of our evaluation was positive and indicated that Pomegranate is headed in the right direction.

VI. DISCUSSION

Pomegranate provides a useful and efficient solution for many limitations in the literature by combining multiple security scanning tools and unifying all results from different scanners. Another value of this research is that the evaluation of Pomegranate was conducted in a large-scale organization with microservice practitioners such as developers and security masters.

Covering the identified security defects and practices with a minimum number of scanning tools is an important approach in terms of the efficiency and simplicity of the installations. Dozens of open-source security scanning tools with diverse features and capabilities are publicly available online. However, we observed that most of them are outdated, have poor documentation, or have low community trust based on GitHub statistics such as issues and numbers of forks and stars. As well as reviewing scanner tool documentation, we also performed benchmarking in our testing environment to understand each tool's features and capabilities. The benchmarking activity helped us to eliminate scanning tools that are insufficient or have complex installation procedures.

By introducing an analysis module in Pomegranate, this research simplifies security assessment and handles overlapping vulnerabilities in the different reports generated by the tools. As stated previously, the common problem with existing scanner tools is that each tool creates a separate report and the same vulnerabilities appear in different reports. This increases the complexity of making security assessments and resolving
Fig. 3. Pomegranate output: Summary table
TABLE VIII
RESULTS OF FEEDBACK QUESTIONNAIRE WITH MICROSERVICE PRACTITIONERS
Fig. 4. Pomegranate output: Categorized files
found issues. The parsing and unifying capabilities of the analysis module in Pomegranate help to overcome this problem in a better way, in light of the user evaluation results.

Another advantage of Pomegranate over existing scanning solutions is that Pomegranate enables the integration of new open-source tools without requiring major changes. If users notice that better tools exist or that the integrated tools are outdated, Pomegranate can be updated. By going through the documentation, policies in new tools can be mapped to the existing classifications in Pomegranate.

The main implications of this research for practitioners are reducing the complexity and the technical specialization in the security domain while securing microservices. Pomegranate contributes by filtering overlapping security vulnerabilities and misconfigurations in tool reports. Since the release frequency of microservices is high in agile development environments, developers can utilize Pomegranate in every release to save time and reduce the workload of security assessments.

The main implications of this research for other researchers are the proposed approach of analyzing tool reports to eliminate the complexity, and the benchmarking results of security scanning tools based on the identified security vulnerabilities. Researchers who are studying the DevSecOps approach in organizations can utilize our work to introduce security testing automation for live projects. As highlighted previously, existing tools are not capable of covering all security issues in microservices, so further studies are needed to improve current tools. If a researcher intends to implement a single comprehensive tool with more detection capabilities, our research would be a good starting point, listing current tools and classified security issues.

VII. THREATS TO VALIDITY

Reliability concerns the extent to which it is possible to reproduce the results of an investigation. Some of the data used in our investigation are qualitative and were obtained through questionnaires. The threats to the validity of our investigation in this category include respondent and researcher bias.

Construct validity concerns the extent to which the operational measures used in our investigation represent and answer our research questions. In this category, there is one main threat to the validity of our investigation: misinterpretation of the questionnaire questions. To mitigate this threat, at the start of the session wherein we presented Pomegranate to experts, we clarified the purpose of the session and the questionnaire. We also used an iterative process to design and improve the questionnaire, to avoid ambiguities.

Internal validity relates to the confounding factors that could impact the validity of our results. It may be possible that we have not covered all existing security defects in our simplified classification. As a consequence, it might be the case that Pomegranate does not include all relevant scanners. To mitigate this threat, we have used triangulation (identifying security issues and best practices from different sources). Another validity threat relates to the extent to which the evaluation results relate to Pomegranate or are due to confounding factors not controlled in our investigation. To mitigate this threat, we have
included a diverse set of respondents in our investigation, from different product areas in Ericsson. However, we acknowledge that it is still necessary to evaluate the tool in a semi-controlled environment, account for potential confounding factors, and use project data to evaluate Pomegranate's usefulness and feasibility. In doing so, we could increase the significance of the evaluation results.

External validity concerns the extent to which the findings can be generalized and are interesting outside the investigated case. Our results have limited generalizability; we have evaluated Pomegranate only in Ericsson. At the same time, Pomegranate, along with our findings, can be of use to practitioners with a similar context to the one in our investigation.

VIII. CONCLUSIONS AND FUTURE WORK

In this paper, we proposed Pomegranate, a tool that streamlines the scanning of security vulnerabilities in microservices and recommends refactorings to address the identified vulnerabilities.

Following the Design Science Method, we identified and framed the research problem based on practitioners' needs. Then, we conducted a rapid literature review to identify security issues and best practices to avoid/address them. Then, we developed Pomegranate, incorporating a series of open-source components that effectively reveal security vulnerabilities. Furthermore, we added to our tool a capability that consolidates the results of multiple scanners and groups them according to the security issue classification we proposed in this paper. Finally, we evaluated our tool through static validation.

The static validation results show that most participants were positive towards Pomegranate. The majority of the participants were positive about its usability and simplicity (90%), the extent to which it is helpful for inexperienced developers (90%), its reliability (70%), its usefulness (85%), and the extent to which it helps to reduce lead time and effort (85%).

As future work, there are many potential directions. For example, it is necessary to containerize Pomegranate to make it isolated and portable, delivering it as a Docker image. In doing so, it could be easily integrated into Continuous Integration pipelines, supporting continuous identification and refactoring of vulnerabilities.

Another relevant future work is to do a dynamic validation of Pomegranate in a live project. More specifically, it is necessary to use Pomegranate for a specific period in a project and evaluate its usability, usefulness, and impact on lead time and effort reduction.

REFERENCES

[1] R. V. O'Connor, P. Elger, and P. M. Clarke, "Continuous software engineering-a microservices architecture perspective," Journal of Software: Evolution and Process, vol. 29, no. 11, 2017.
[2] M. Amundsen, Microservice architecture. O'Reilly Media, Inc, USA, 2016.
[3] Martinekuan, "Microservice architecture style - Azure architecture center." [Online]. Available: https://docs.microsoft.com/en-us/azure/architecture/guide/architecture-styles/microservices
[4] P. Siriwardena and N. Dias, Microservices Security in Action. Manning Publications Co., 2020.
[5] S. Y.-s. Gu Tian-yang and F. You-yuan, "Research on software security testing," World Academy of Science, Engineering and Technology International Journal of Computer and Information Engineering, vol. 4, no. 9, 2010.
[6] A. Carrasco, B. v. Bladel, and S. Demeyer, "Migrating towards microservices: migration and architecture smells," Proceedings of the 2nd International Workshop on Refactoring, 2018.
[7] D. Neri, J. Soldani, O. Zimmermann, and A. Brogi, "Design principles, architectural smells and refactorings for microservices: A multivocal review," SICS Software-Intensive Cyber-Physical Systems, vol. 35, no. 1-2, pp. 3–15, 2019.
[8] F. Ponce, J. Soldani, H. Astudillo, and A. Brogi, "Smells and refactorings for microservices security: A multivocal literature review," Journal of Systems and Software, vol. 192, p. 111393, 2022.
[9] P. Billawa, A. Bambhore Tukaram, N. E. Díaz Ferreyra, J.-P. Steghöfer, R. Scandariato, and G. Simhandl, "SoK: Security of microservice applications: A practitioners' perspective on challenges and best practices," Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022.
[10] D. Berardi, S. Giallorenzo, J. Mauro, A. Melis, F. Montesi, and M. Prandini, "Microservice security: A systematic literature review," PeerJ Computer Science, vol. 7, 2022.
[11] F. Minna and F. Massacci, "An open-source cloud testbed for security experimentation," 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid), 2022.
[12] C. K. Rudrabhatla, "Security design patterns in distributed microservice architecture," International Journal of Computer Science and Information Security (IJCSIS), vol. 18, no. 7, Jul 2020.
[13] C. Wohlin and P. Runeson, "Guiding the selection of research methodology in industry–academia collaboration in software engineering," Information and Software Technology, vol. 140, p. 106678, 2021.
[14] [Online]. Available: https://ieeexplore.ieee.org/document/4012630
[15] "CIS Docker Benchmarks." [Online]. Available: https://www.cisecurity.org/benchmark/docker
[16] "CIS Kubernetes Benchmarks." [Online]. Available: https://www.cisecurity.org/benchmark/kubernetes