Characterizing Vulnerabilities in Microservices: Source, Age and Severity

Document Type

Conference Proceeding

Source of Publication

Proceedings 2025 IEEE 22nd International Conference on Software Architecture (ICSA 2025)

Publication Date

4-30-2025

Abstract

Microservices architecture has become a popular choice for developing scalable, cloud-native applications because of its modularity. However, this architecture introduces unique security risks due to its distributed nature and dependency management requirements. While existing literature has investigated some security challenges and proposed mitigation strategies, there is a lack of comprehensive research on the security vulnerabilities present within systems using this architecture. To bridge this gap, we used three vulnerability detection tools to analyze security vulnerabilities across 30 open-source microservices projects from GitHub, identifying three sources of vulnerabilities: 'application code', 'dependencies', and 'container configurations'. Vulnerabilities related to request and data handling were most common, stemming from container misconfigurations and outdated dependencies. Dependency-related vulnerabilities are new, but most fall into pre-established CWE and OWASP Top 10 categories. Most of the detected vulnerabilities are of medium to high severity. While the emergence of microservices has not introduced new vulnerabilities, the severity of existing vulnerabilities urges developers to implement secure data and request handling, address container misconfigurations, and update dependencies promptly.

ISBN

9798331520908

First Page

96

Last Page

106

Disciplines

Computer Sciences

Keywords

CVE, CWE, cybersecurity, Microservice architectures, vulnerability scanning

Scopus ID

105005024458

Indexed in Scopus

yes

Open Access

no