Automated identification of security discussions in microservices systems: Industrial surveys and experiments
Journal of Systems and Software (IF 3.5), Pub Date: 2021-07-20, DOI: 10.1016/j.jss.2021.111046
Ali Rezaei Nasab, Mojtaba Shahin, Peng Liang, Mohammad Ehsan Basiri, Seyed Ali Hoseyni Raviz, Hourieh Khalajzadeh, Muhammad Waseem, Amineh Naseri
Lack of awareness and knowledge of microservices-specific security challenges and solutions often leads to ill-informed security decisions in microservices system development. We claim that identifying and leveraging security discussions scattered in existing microservices systems can partially close this gap. We define a security discussion as “a paragraph from developer discussions that includes design decisions, challenges, or solutions relating to security”. We first surveyed 67 practitioners and found that securing microservices systems is a unique challenge and that having access to security discussions is useful for making security decisions. The survey also confirms the usefulness of potential tools that can automatically identify such security discussions. We developed fifteen machine/deep learning models to automatically identify security discussions. We evaluated these models on a manually constructed dataset consisting of 4,813 security discussions and 12,464 non-security discussions. We found that all the models can effectively identify security discussions: an average precision of 84.86%, recall of 72.80%, F1-score of 77.89%, AUC of 83.75% and G-mean of 82.77%. DeepM1, a deep learning model, performs the best, achieving above 84% in all metrics and significantly outperforming three baselines. Finally, the practitioners’ feedback collected from a validation survey reveals that security discussions identified by DeepM1 have promising applications in practice.
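The abstract reports precision, recall, F1, AUC and G-mean for a binary classifier over developer-discussion paragraphs. The following is an added example, not the authors' code or dataset, and it does not reproduce any of the paper's fifteen models: it trains a pure-Python multinomial naive Bayes on a handful of constructed paragraphs (assumed, labelled inline) and then computes exactly those five metrics on a constructed held-out set, including a paragraph whose security wording never appears in training, so that the example shows why recall and G-mean are reported alongside precision on an imbalanced dataset.

```python
"""Toy security-discussion classifier and the metrics named in the abstract.

Added example: the paragraphs below are constructed for illustration, and the
classifier is a plain multinomial naive Bayes written without third-party
packages. It stands in for the paper's models only to show how the metrics
are computed; it is not their code.
"""
import math
import re
from collections import Counter

# Constructed training paragraphs: 1 = security discussion (a design decision,
# challenge or solution relating to security), 0 = other developer discussion.
TRAIN = [
    ("Validate the JWT signature on every request before the gateway forwards it to the order service.", 1),
    ("Rotate the TLS certificates between services automatically so a leaked key cannot impersonate the billing service.", 1),
    ("Never bake secrets into the container image; mount them from the vault at startup.", 1),
    ("Rate limit the login endpoint to slow down credential stuffing against the user service.", 1),
    ("The order service should retry the inventory call with exponential backoff.", 0),
    ("Move the product catalogue to its own database schema so deployments are independent.", 0),
    ("Switch the build to multi-stage Dockerfiles to shrink the image size.", 0),
    ("Add a health check endpoint so Kubernetes can restart crashed pods.", 0),
]

# Constructed held-out paragraphs. The last one is a security discussion that
# shares no security vocabulary with the training set: a bag-of-words model
# misses it, which is the kind of false negative recall and G-mean expose.
TEST = [
    ("Rotate the JWT signing key and validate the TLS certificates.", 1),
    ("Encrypt the message queue payloads before they leave the service.", 1),
    ("Switch the build to multi-stage Dockerfiles and add a health check.", 0),
    ("Cache the product list in Redis for five minutes.", 0),
    ("Audit who can reach the admin dashboard.", 1),
]

TOKEN = re.compile(r"[a-z][a-z-]+")  # lower-cased words of two or more letters


def tokenize(text):
    return TOKEN.findall(text.lower())


def train_nb(examples, alpha=1.0):
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing."""
    counts = {0: Counter(), 1: Counter()}
    docs = Counter()
    for text, label in examples:
        counts[label].update(tokenize(text))
        docs[label] += 1
    vocab_size = len(set(counts[0]) | set(counts[1]))
    totals = {c: sum(counts[c].values()) for c in (0, 1)}
    return {"counts": counts, "docs": docs, "vocab_size": vocab_size,
            "totals": totals, "alpha": alpha}


def log_odds(model, text):
    """log P(security | text) - log P(non-security | text) (shared constant dropped)."""
    n_docs = sum(model["docs"].values())
    scores = {}
    for c in (0, 1):
        s = math.log(model["docs"][c] / n_docs)  # class prior
        denom = model["totals"][c] + model["alpha"] * model["vocab_size"]
        for tok in tokenize(text):
            s += math.log((model["counts"][c][tok] + model["alpha"]) / denom)
        scores[c] = s
    return scores[1] - scores[0]


def predict(model, text):
    """Decision threshold at log-odds 0, i.e. the more probable class wins."""
    return 1 if log_odds(model, text) > 0 else 0


def evaluate(model, examples):
    """Confusion-matrix metrics as in the abstract, plus a rank-based AUC.

    G-mean = sqrt(recall * specificity): it drops towards zero if the model
    buys precision by ignoring the minority (security) class, which precision
    alone would not reveal on a 4,813 vs 12,464 split.
    """
    scored = [(log_odds(model, text), label) for text, label in examples]
    tp = sum(1 for s, l in scored if s > 0 and l == 1)
    fp = sum(1 for s, l in scored if s > 0 and l == 0)
    fn = sum(1 for s, l in scored if s <= 0 and l == 1)
    tn = sum(1 for s, l in scored if s <= 0 and l == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    g_mean = math.sqrt(recall * specificity)
    # AUC: probability that a random security paragraph outranks a random
    # non-security one under the model's score, independent of the threshold.
    pos = [s for s, l in scored if l == 1]
    neg = [s for s, l in scored if l == 0]
    auc = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg) / (len(pos) * len(neg))
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision,
            "recall": recall, "f1": f1, "g_mean": g_mean, "auc": auc}


if __name__ == "__main__":
    model = train_nb(TRAIN)
    for text, label in TEST:
        print(label, predict(model, text), f"{log_odds(model, text):+.2f}", text)
    print({k: round(v, 4) for k, v in evaluate(model, TEST).items()})
```

On this constructed set the model reaches precision 1.0 but recall 2/3 (it misses the "audit who can reach the admin dashboard" paragraph), so F1 is 0.8 and G-mean about 0.82, while AUC is 1.0: every security paragraph still scores above every non-security one, so the miss is a threshold problem rather than a ranking problem. That gap between AUC and the threshold-dependent metrics is the reason a practitioner reading numbers like the abstract's 84.86% precision against 72.80% recall should ask which operating point a tool was tuned for before relying on it to surface security discussions.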



Updated: 2021-07-27