Microservices Security: Bad vs. Good Practices

The microservice architectural style is widespread in enterprise IT, making the securing of microservices a crucial issue. Many bad practices in securing microservices have been identified by researchers and practitioners, along with security good practices that, if adopted, allow to avoid the corresponding security issues. However, this knowledge is scattered across multiple pieces of white and grey literature, making its consulting complex and time consuming. We present here the results of a multivocal literature review that analyzes 44 primary studies discussing bad and good practices for microservice security. We were able to identify four bad and six good practices, and to associate each bad practice with specific bad smell(s) that signal it and with good practice(s) that avoid incurring in it. The resulting mapping between bad and good practices for microservice security can help practitioners and researchers to explore the systematic securing of microservice-based applications.