Security in microservice-based systems: A Multivocal literature review
Computers & Security (IF 4.8), Pub Date: 2021-01-16, DOI: 10.1016/j.cose.2021.102200
Anelis Pereira-Vale , Eduardo B. Fernandez , Raúl Monge , Hernán Astudillo , Gastón Márquez

Microservices define an architectural style that conceives systems as a suite of modular, independent and scalable services. While application design is now simpler, designing secure applications is in general harder than for monolithic applications, and the current literature offers little orientation to architects and developers regarding solutions. This article describes the design and results of a multivocal literature review of the security solutions that have been proposed for microservice-based systems. The search yielded 370 academic articles and 620 grey-literature sources; removal of duplicates and application of the exclusion criteria left 36 from the academic literature and 34 from the grey literature. The security solution(s) proposed in each article were classified into variations of standard security mechanisms (e.g., Access Control) and scopes (Info Management, Threat Modeling, etc.), and were associated with security contexts (detect, mitigate/stop, react to, and recover from an attack). Our research questions addressed frequency of publications, research methodologies, security mechanisms, and security contexts. Key findings were that (1) the two kinds of literature differ in their preferred empirical research strategies (examples, experiments and case studies); (2) the solutions proposed in the 70 selected articles correspond to 15 classifications of security mechanisms and analyses; (3) the most mentioned security mechanisms are Authentication and Authorization; (4) around two thirds of the solutions focus on mitigating/stopping attacks, and none on reacting to or recovering from them; and (5) the methodologies used are mostly block diagrams and code, with little use of models or analysis. These findings hold for both grey and academic literature.
This study is a first step towards providing secure-software researchers and practitioners with a comprehensive catalog of security solutions and mechanisms; the clear identification of the most used security solutions will simplify their reuse to address security problems when designing microservice-based systems.




Updated: 2021-01-28