Youtube for software security?: Youtube Videos Provide Pointers for Microservice Security

Abstract

Microservice applications are defined as software applications, which include services that interact with one another but failure of one service does not impact the execution of another. Microservice oriented design has become a popular software application design paradigm among software companies, such as Uber, Netflix, and Amazon as well as small startup companies due to delivery speed, reliability and greater flexibility. However, any insecure coding pattern in the code while developing microservice applications can make the entire system vulnerable to hackers. The goal of the abstract is to help software developers in building secure microservice applications. We have conducted a qualitative analysis of 6 youtube videos on microservice design antipatterns and an empirical study on open source microservice repositories. We have observed insecure coding patterns in those microservice repositories. We have defined 9 categories each with an associated pattern namely HTTP without TLS, authentication vs authorization, hard coded secret, weak encryption algorithm, use of default ports, violation of least privilege principle, insufficient logging, poor orchestration layer configuration, API service sharing and distributed deadlock. We advocate for future research that will create a taxonomy of insecure coding patterns so that developers can find and resolve insecure coding patterns during code review.