Towards Security-Aware Microservices: On Extracting Endpoint Data Access Operations to Determine Access Rights

Security policies are typically defined centrally for a particular system. However, the current mainstream architecture - microservices - introduces decentralization with self-contained interacting parts. This brings better evolution autonomy to individual microservices but introduces new challenges with consistency. The most basic security perspective is the setting of access rights; we typically enforce access rights at system endpoints. Given the self-contained and decentralized microservice nature, each microservice has to implement these policies individually. Considering that different development teams are involved in microservice development, likely the access rights are not consistently implemented across the system. Moreover, as the system evolves, it can quickly become cumbersome to identify a holistic view of the full set of access rights applied in the system. Various issues can emerge from inconsistent settings and potentially lead to security vulnerabilities and unintended bugs, such as incorrectly granting write or read access to system data. This paper presents an approach aiding a human-centered access right analysis of system endpoints in microservices. It identifies the system data that a particular endpoint accesses throughout its call paths and determines which operations are performed on these data across the call paths. In addition, it takes into account inter-service communication across microservices, which brings a great and novel instrument to practitioners who would otherwise need to perform a thorough code review of self-contained codebases to extract such information from the system. The presented approach has broad potential related to security analysis, further detailed in the paper.