Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath, Hussain Ahmad, Diksha Goel, Muhammad Shuja Syed, Faheem Ullah
TL;DR
This work targets the security vulnerabilities intrinsic to microservice architectures by synthesizing 62 studies into a comprehensive taxonomy of 126 vulnerabilities, then validating it empirically with four benchmark microservice applications scanned by three tools. The study maps empirical findings to CVE identifiers, enabling practitioners to prioritize remediation and researchers to identify gaps for future work, including automated vulnerability management and DevSecOps integration. It also demonstrates the complementary value of combining literature reviews with empirical validation to produce actionable security guidance for microservices. Overall, the results highlight the criticality of API gateways, service discovery, containerization, and CI/CD practices in shaping microservice security, and they stress continuous monitoring and multi-tool vulnerability assessment as essential for robust defense.
Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come with significant security challenges, as the increased complexity of service interactions, expanded attack surfaces, and intricate dependency management introduce a new array of cybersecurity vulnerabilities. While security concerns are mounting, there is a lack of comprehensive research that integrates a review of existing knowledge with empirical analysis of microservice vulnerabilities. This study aims to fill this gap by gathering, analyzing, and synthesizing existing literature on security vulnerabilities associated with microservice architectures. Through a thorough examination of 62 studies, we identify, analyze, and report 126 security vulnerabilities inherent in microservice architectures. This comprehensive analysis enables us to (i) propose a taxonomy that categorizes microservice vulnerabilities based on the distinctive features of microservice architectures; (ii) conduct an empirical analysis by performing vulnerability scans on four diverse microservice benchmark applications using three different scanning tools to validate our taxonomy; and (iii) map the vulnerabilities in our taxonomy to the empirically identified vulnerabilities, providing an in-depth vulnerability analysis at the microservice, application, and scanning-tool levels. Our study offers crucial guidelines for practitioners and researchers to advance both the state of the practice and the state of the art in securing microservice architectures.
