Should Microservice Security Smells Stay or be Refactored? Towards a Trade-off Analysis

Securing microservice-based applications is crucial, as many IT companies are delivering their businesses through microservices. Security smells, i.e. possible symptoms of (often unintentional) bad design decisions, can occur in microservice-based applications, resulting in violations of key security properties as well as design soundness (i.e. adherence to microservice design principles). However, it is non-trivial to decide in each case whether to apply a refactoring to mitigate the effects of a smell, or whether it is more convenient to keep the smell in the application (at least at that specific time), since its refactoring may impact both the application quality and design soundness. This paper argues for trade-off analysis to help determining whether to keep a security smell or to apply a refactoring, based on their positive/negative impacts on specific quality attributes and design soundness. The method enacts and supports this trade-off analysis using Softgoal Interdependency Graphs (SIGs), a visual formalism that provides a holistic view of the positive/negative impacts of, in our case, security smells and refactorings on software quality attributes and design soundness. We also illustrate our method with a detailed analysis of a well-known security smell and its possible refactoring. Further development and empirical validation of this method will allow to deploy automatic recommendations on trade-offs and appropriateness of possible refactorings of microservice applications.