Securing Service Mesh from the Bottom-Up: Adoption Concerns, Vulnerabilities and their Mitigation

Authors

Yihao, Chen

Type

thesis

Language

eng

Keyword

Software engineering, Mixed-methods empirical study, Service mesh, Helm, Security, Vulnerability

Abstract

As service mesh architectures rise in popularity, there is a growing need for a comprehensive understanding of the challenges found by DevOps engineers adopting them, as well as their interplay with package-based deployment methods such as Helm Charts. The sophisticated infrastructure required by service mesh architectures is prone to misconfiguration, leading to prevalent security concerns. Meanwhile, Helm Charts, while simplifying deployment processes, can leave vulnerabilities unnoticed. These risks are especially concerning in the context of service mesh frameworks, which often operate on a large scale and follow a zero-trust model, where all components in the system must be secured. This thesis carries out two large-scale empirical studies on the adoption concerns and security vulnerabilities present in service mesh frameworks and Helm Charts. By doing so, it lays the foundation for evidence-based strategies to enhance security from the bottom-up.

Objective: This thesis employs two mixed-methods empirical investigations to analyze adoption concerns and security vulnerabilities in service mesh frameworks and Helm Charts. By analyzing practitioner questions from service mesh forums and a large dataset of Helm Charts and their maintenance repositories on GitHub, we identify prevalent concerns, trends, and theories to facilitate safer deployments of service mesh systems.

Method: Our approach combines Dynamic Topic Modeling (DTM) and open card sorting for service mesh-related question analysis, corroborated by domain expert verification. Concurrently, we construct a Grounded Theory (GT) to discern the prevalence and mitigation strategies of Common Vulnerability Enumerations (CVEs) in Helm Charts, shedding light on the reasons for their high prevalence in such a security-critical context.

Results: Our study uncovers persistent infrastructure-related concerns and heightened security and observability issues surrounding service mesh frameworks. Interestingly, most service mesh-related errors are remediable with minimal configuration changes. We find that Helm Charts often harbor unfixed but fixable vulnerabilities, posing a significant risk to the security of service mesh deployments. However, the effectiveness of CVE mitigation strategies in Helm Charts is often impeded by maintainer considerations such as incentives, trade-offs, and trust among stakeholders.

Conclusion: The findings advocate for consistent documentation, practical automation of service mesh deployment, and improved container orchestration. We propose a shift towards a shared responsibility model, emphasizing the importance of proactive CVE mitigation to strengthen the security of service mesh frameworks from the ground up. This study offers valuable insights for practitioners, maintainers, and researchers, creating pathways for the safer adoption and deployment of service mesh frameworks.

License

Queen's University's Thesis/Dissertation Non-Exclusive License for Deposit to QSpace and Library and Archives Canada
Proquest PhD and Master's Theses International Dissemination Agreement
Intellectual Property Guidelines at Queen's University
Copying and Preserving Your Thesis
This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owne