Abstract

It is important in software development to enforce proper restrictions on protected services and resources. Typically, software services are accessed through REST API endpoints, where restrictions can be applied using the Role-Based Access Control (RBAC) model. However, RBAC policies can be inconsistent across services, and they require proper assessment. Currently, developers rely on penetration testing, which is a costly and cumbersome process for a large number of APIs. In addition, modern applications are split into individual microservices and lack a unified view from which an automated RBAC assessment could be carried out. Often, a centralized perspective of an application is constructed using Systematic Architecture Reconstruction (SAR). This article presents a novel approach to automated SAR that constructs a centralized perspective of a microservice mesh based on its REST communication pattern. We use the views generated by SAR to propose an automated way to find RBAC inconsistencies.

Highlights

  • With the software industry’s growth, the complexity of security administration is becoming more and more challenging

  • Our proposed method reconstructs a microservice architecture (MSA) based on the Representational State Transfer (REST) communication pattern, similar to the service modeling described by Rademacher, Sachweh & Zündorf (2020)

  • The Teacher Management System (TMS) consists of four individual microservices: user management system (UMS), question management system (QMS), exam management system (EMS) and configuration management system (CMS)


Summary

INTRODUCTION

With the software industry’s growth, the complexity of security administration is becoming more and more challenging. Before diving into the security aspects, we need an automatic way to generate the overall communication pattern of the whole application. This is done through Systematic Architecture Reconstruction (SAR), in which overall views are constructed from existing application artifacts. We first introduce a solution for automatic SAR of a microservice application, which generates a view of the microservices’ REST communication pattern. According to a survey conducted in 2014 by the International Data Group (Mohanty, Mohanty & Balakrishnan, 2016), about 63% of applications have not been tested for security vulnerabilities. This can be mitigated by enforcing standard security features during the regular software development process (McGraw, 2004). Throughout the article, the terms “inconsistency”, “violation” and “issue” are used interchangeably to indicate a potential flaw.
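The abstract and the introduction above describe the two halves of the approach: reconstruct a centralized view of the REST calls between microservices, then check the per-service RBAC annotations against that view. The following is an added example illustrating that idea, not the tool or the TMS code the article describes. The four service names mirror the TMS services listed in the highlights, but every endpoint, role set and inter-service call below is constructed for illustration, and the three checks (an unauthenticated entry point that transitively reaches a protected endpoint, a call chain through which a role reaches an endpoint that does not allow it, and the same route guarded differently in two services) are one reasonable reading of "RBAC inconsistency", not the article's own rule set.

```python
"""Toy RBAC-consistency check over a reconstructed REST communication view.

Added example, not the article's tool. Service names mirror the four TMS
services (UMS, QMS, EMS, CMS); endpoints, roles and calls are constructed.
An empty role set means the endpoint is reachable without authentication.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Endpoint = Tuple[str, str, str]          # (service, HTTP method, path)
Policy = Dict[Endpoint, FrozenSet[str]]  # endpoint -> roles allowed to call it
View = Dict[Endpoint, List[Endpoint]]    # endpoint -> endpoints its handler calls

# Constructed per-service RBAC annotations: what a SAR pass would harvest from
# the route and security declarations of each service (hypothetical values).
POLICY: Policy = {
    ("ums", "GET", "/users/{id}"):          frozenset({"ADMIN", "TEACHER"}),
    ("ums", "POST", "/users"):              frozenset({"ADMIN"}),
    ("ums", "GET", "/health"):              frozenset(),
    ("qms", "POST", "/questions"):          frozenset({"ADMIN", "TEACHER"}),
    ("qms", "GET", "/questions/{id}"):      frozenset({"ADMIN", "TEACHER", "STUDENT"}),
    ("ems", "POST", "/exams"):              frozenset({"ADMIN", "TEACHER"}),
    ("ems", "GET", "/exams/{id}/results"):  frozenset({"ADMIN", "TEACHER", "STUDENT"}),
    ("ems", "GET", "/health"):              frozenset({"ADMIN"}),
    ("cms", "GET", "/config"):              frozenset(),
    ("cms", "PUT", "/config"):              frozenset({"ADMIN"}),
}

# Constructed outbound REST calls (caller endpoint handler -> callee endpoint).
CALLS: List[Tuple[Endpoint, Endpoint]] = [
    (("ems", "POST", "/exams"),             ("qms", "GET", "/questions/{id}")),
    (("ems", "GET", "/exams/{id}/results"), ("ums", "GET", "/users/{id}")),
    (("cms", "GET", "/config"),             ("ems", "GET", "/exams/{id}/results")),
    (("qms", "POST", "/questions"),         ("cms", "GET", "/config")),
]


def build_view(calls: List[Tuple[Endpoint, Endpoint]]) -> View:
    """Reconstruct the centralized communication view as an adjacency list."""
    view: View = defaultdict(list)
    for caller, callee in calls:
        view[caller].append(callee)
    return view


def reachable(view: View, start: Endpoint) -> Set[Endpoint]:
    """Endpoints transitively reached from `start` (iterative DFS, cycle-safe)."""
    seen: Set[Endpoint] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in view.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def find_inconsistencies(policy: Policy, view: View):
    """Return a sorted list of (kind, source, target, detail) findings."""
    findings = []
    # Rules 1 and 2: every role that may enter `src` must also be allowed at
    # each endpoint `src` transitively calls; otherwise the chain widens access.
    for src, src_roles in policy.items():
        for dst in reachable(view, src):
            dst_roles = policy[dst]  # the view only references inventoried endpoints
            if not dst_roles:
                continue  # callee is public; nothing to widen
            if not src_roles:
                findings.append(("public-entry", src, dst,
                                 "unauthenticated caller reaches protected endpoint"))
            elif not src_roles <= dst_roles:
                extra = ",".join(sorted(src_roles - dst_roles))
                findings.append(("role-widening", src, dst,
                                 f"roles not allowed at target: {extra}"))
    # Rule 3: the same (method, path) route guarded differently across services.
    by_route: Dict[Tuple[str, str], Dict[str, FrozenSet[str]]] = defaultdict(dict)
    for (svc, method, path), roles in policy.items():
        by_route[(method, path)][svc] = roles
    for (method, path), per_service in by_route.items():
        if len(set(per_service.values())) > 1:
            for svc, roles in sorted(per_service.items()):
                findings.append(("divergent-policy", (svc, method, path), None,
                                 f"roles={sorted(roles)}"))
    return sorted(findings, key=repr)


if __name__ == "__main__":
    for kind, src, dst, detail in find_inconsistencies(POLICY, build_view(CALLS)):
        print(f"{kind:17} {src} -> {dst}: {detail}")
```

Whether a flagged chain is an actual privilege escalation or merely a failing call depends on how the downstream request is authenticated: if the callee is invoked with a service credential, the caller's weaker policy becomes the effective policy for the callee's data; if the end user's token is forwarded, the chain simply breaks with a 403 for some roles. Both are inconsistencies a reviewer wants surfaced, which is why the check is run over the transitive closure of the view rather than over direct calls only.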

RELATED WORK
PROPOSED METHOD
Method
Findings
CONCLUSION