{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T10:37:18Z","timestamp":1782815838050,"version":"3.54.5"},"reference-count":90,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T00:00:00Z","timestamp":1739491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T00:00:00Z","timestamp":1739491200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001711","name":"Schweizerischer Nationalfonds zur F\u00f6rderung der Wissenschaftlichen Forschung","doi-asserted-by":"publisher","award":["200021L_184692"],"award-info":[{"award-number":["200021L_184692"]}],"id":[{"id":"10.13039\/501100001711","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["952647"],"award-info":[{"award-number":["952647"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002428","name":"Austrian Science Fund","doi-asserted-by":"publisher","award":["I 4268"],"award-info":[{"award-number":["I 4268"]}],"id":[{"id":"10.13039\/501100002428","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,5]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>While microservice architectures have become a widespread option for designing distributed applications, designing secure microservice systems remains challenging. Although various security-related guidelines and practices exist, these systems\u2019 sheer size, complex communication structures, and polyglot tech stacks make it difficult to manually validate whether adequate security tactics are applied throughout their architecture. To address these challenges, we have devised a novel solution that involves the automatic generation of security-annotated software decomposition models and the utilization of security-based metrics to guide software architectures through the assessment of security tactics employed within microservice systems. To evaluate the effectiveness of our artifacts, we conducted a controlled experiment where we asked 60 students from two universities and ten experts from the industry to identify and assess the security features of two microservice reference systems. During the experiment, we tracked the correctness of their answers and the time they needed to solve the given tasks to measure how well they could understand the security tactics applied in the reference systems. Our results indicate that the supplemental material significantly improved the correctness of the participants\u2019 answers without requiring them to consult the documentation more. Most participants also stated in a self-assessment that their understanding of the security tactics used in the systems improved significantly because of the provided material, with the additional diagrams considered very helpful. In contrast, the perception of architectural metrics varied widely. We could also show that novice developers benefited most from the supplementary diagrams. In contrast, senior developers could rely on their experience to compensate for the lack of additional help. Contrary to our expectations, we found no significant correlation between the time spent solving the tasks and the overall correctness score achieved, meaning that participants who took more time to read the documentation did not automatically achieve better results. As far as we know, this empirical study is the first analysis that explores the influence of security annotations in component diagrams to guide software developers when assessing microservice system security.<\/jats:p>","DOI":"10.1007\/s10664-024-10601-1","type":"journal-article","created":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T04:36:04Z","timestamp":1739507764000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Understanding security tactics in microservice APIs using annotated software architecture decomposition models \u2013 a controlled experiment"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4236-5951","authenticated-orcid":false,"given":"Patric","family":"Genfer","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Souhaila","family":"Serbout","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Georg","family":"Simhandl","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Uwe","family":"Zdun","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Cesare","family":"Pautasso","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,2,14]]},"reference":[{"key":"10601_CR1","doi-asserted-by":"publisher","first-page":"1063","DOI":"10.1007\/s10664-019-09797-4","volume":"25","author":"L Allodi","year":"2020","unstructured":"Allodi L, Cremonini M, Massacci F, Shim W (2020) Measuring the accuracy of software vulnerability assessments: experiments with students and professionals. Empir Softw Eng 25:1063\u20131094","journal-title":"Empir Softw Eng"},{"key":"10601_CR2","doi-asserted-by":"crossref","unstructured":"Alshuqayran N, Ali N, Evans R (2018) Towards micro service architecture recovery: an empirical study. In: 2018 IEEE International conference on software architecture (ICSA), IEEE, pp 47\u20134709","DOI":"10.1109\/ICSA.2018.00014"},{"issue":"268","key":"10601_CR3","doi-asserted-by":"publisher","first-page":"765","DOI":"10.1080\/01621459.1954.10501232","volume":"49","author":"TW Anderson","year":"1954","unstructured":"Anderson TW, Darling DA (1954) A test of goodness of fit. J Am Stat Assoc 49(268):765\u2013769","journal-title":"J Am Stat Assoc"},{"key":"10601_CR4","doi-asserted-by":"crossref","unstructured":"Bermbach D, Wittern E (2020) Benchmarking web api quality\u2013revisited. J Web Eng 603\u2013646","DOI":"10.13052\/jwe1540-9589.19563"},{"issue":"1","key":"10601_CR5","first-page":"17","volume":"42","author":"E Brunner","year":"2000","unstructured":"Brunner E, Munzel U (2000) The nonparametric behrens-fisher problem: asymptotic theory and a small-sample approximation. Biom J J Math Methods Biosci 42(1):17\u201325","journal-title":"Biom J J Math Methods Biosci"},{"key":"10601_CR6","doi-asserted-by":"crossref","unstructured":"Bunke M, Sohr K (2011) An architecture-centric approach to detecting security patterns in software. In: Engineering secure software and systems: third international symposium, ESSoS 2011, Madrid, Spain, February 9-10, 2011. Proceedings 3, Springer, pp 156\u2013166","DOI":"10.1007\/978-3-642-19125-1_12"},{"issue":"1","key":"10601_CR7","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.jebo.2011.08.009","volume":"81","author":"G Charness","year":"2012","unstructured":"Charness G, Gneezy U, Kuhn MA (2012) Experimental methods: Between-subject and within-subject design. J Econ Behav Org 81(1):1\u20138","journal-title":"J Econ Behav Org"},{"issue":"3","key":"10601_CR8","doi-asserted-by":"publisher","first-page":"494","DOI":"10.1037\/0033-2909.114.3.494","volume":"114","author":"N Cliff","year":"1993","unstructured":"Cliff N (1993) Dominance statistics: Ordinal analyses to answer ordinal questions. Psychol Bull 114(3):494","journal-title":"Psychol Bull"},{"key":"10601_CR9","unstructured":"Cloud Security Alliance (2020) Best practices in implementing a secure microservices architecture. https:\/\/cloudsecurityalliance.org\/artifacts\/best-practices-in-implementing-a-secure-microservices-architecture\/"},{"key":"10601_CR10","doi-asserted-by":"crossref","unstructured":"Cohen J (2013) Statistical power analysis for the behavioral sciences","DOI":"10.4324\/9780203771587"},{"issue":"1","key":"10601_CR11","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1109\/TSE.2018.2859926","volume":"46","author":"C Czepa","year":"2018","unstructured":"Czepa C, Zdun U (2018) On the understandability of temporal properties formalized in linear temporal logic, property specification patterns and event processing language. IEEE Trans Softw Eng 46(1):100\u2013112","journal-title":"IEEE Trans Softw Eng"},{"issue":"2","key":"10601_CR12","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3306608","volume":"28","author":"C Czepa","year":"2019","unstructured":"Czepa C, Zdun U (2019) How understandable are pattern-based behavioral constraints for novice software designers? ACM Trans Softw Eng Methodol (TOSEM) 28(2):1\u201338","journal-title":"ACM Trans Softw Eng Methodol (TOSEM)"},{"key":"10601_CR13","doi-asserted-by":"crossref","unstructured":"Czepa C, Tran H, Zdun U, Kim TTT, Weiss E, Ruhsam C (2017) On the understandability of semantic constraints for behavioral software architecture compliance: A controlled experiment. In: 2017 IEEE international conference on software architecture (ICSA), IEEE, pp 155\u2013164","DOI":"10.1109\/ICSA.2017.10"},{"key":"10601_CR14","doi-asserted-by":"crossref","unstructured":"Da\u00a0Rocha\u00a0Araujo LH, Rodr\u00edguez GH, Vidal SA, Marcos CA, Pereira Dos\u00a0Santos R (2022) Empirical analysis on openapi topic exploration and discovery to support the developer community. Comput Inf","DOI":"10.31577\/cai_2021_6_1345"},{"issue":"5","key":"10601_CR15","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/s10664-009-9127-7","volume":"15","author":"A De Lucia","year":"2010","unstructured":"De Lucia A, Gravino C, Oliveto R, Tortora G (2010) An experimental comparison of er and uml class diagrams for data modelling. Empir Softw Eng 15(5):455\u2013492","journal-title":"Empir Softw Eng"},{"issue":"4","key":"10601_CR16","doi-asserted-by":"publisher","first-page":"485","DOI":"10.1037\/1082-989X.7.4.485","volume":"7","author":"HD Delaney","year":"2002","unstructured":"Delaney HD, Vargha A (2002) Comparing several robust tests of stochastic equality with ordinally scaled variables and small to moderate sized samples. Psychol Methods 7(4):485","journal-title":"Psychol Methods"},{"key":"10601_CR17","volume-title":"Microservices security in action","author":"WKAN Dias","year":"2020","unstructured":"Dias WKAN, Siriwardena P (2020) Microservices security in action. Simon and Schuster"},{"key":"10601_CR18","doi-asserted-by":"crossref","unstructured":"Dragoni N, Giallorenzo S, Lafuente AL, Mazzara M, Montesi F, Mustafin R, Safina L (2017) Microservices: yesterday, today, and tomorrow. Present and ulterior software engineering pp 195\u2013216","DOI":"10.1007\/978-3-319-67425-4_12"},{"key":"10601_CR19","doi-asserted-by":"crossref","unstructured":"Dragoni N, Lanese I, Larsen ST, Mazzara M, Mustafin R, Safina L (2018) Microservices: How to make your application scale. In: Perspectives of system informatics: 11th International Andrei P. Ershov Informatics Conference, PSI 2017, Moscow, Russia, June 27-29, 2017, Revised Selected Papers 11, Springer, pp 95\u2013104","DOI":"10.1007\/978-3-319-74313-4_8"},{"issue":"7","key":"10601_CR20","doi-asserted-by":"publisher","first-page":"661","DOI":"10.1109\/TSE.2015.2396526","volume":"41","author":"M El-Attar","year":"2015","unstructured":"El-Attar M, Luqman H, Karpati P, Sindre G, Opdahl AL (2015) Extending the uml statecharts notation to model security aspects. IEEE Trans Softw Eng 41(7):661\u2013690","journal-title":"IEEE Trans Softw Eng"},{"key":"10601_CR21","doi-asserted-by":"publisher","first-page":"452","DOI":"10.1007\/s10664-017-9523-3","volume":"23","author":"D Falessi","year":"2018","unstructured":"Falessi D, Juristo N, Wohlin C, Turhan B, M\u00fcnch J, Jedlitschka A, Oivo M (2018) Empirical software engineering experts on the use of students and professionals in experiments. Empir Softw Eng 23:452\u2013489","journal-title":"Empir Softw Eng"},{"key":"10601_CR22","doi-asserted-by":"publisher","first-page":"699","DOI":"10.1007\/s10664-012-9208-x","volume":"18","author":"J Feigenspan","year":"2013","unstructured":"Feigenspan J, K\u00e4stner C, Apel S, Liebig J, Schulze M, Dachselt R, Papendieck M, Leich T, Saake G (2013) Do background colors improve program comprehension in the# ifdef hell? Empir Softw Eng 18:699\u2013745","journal-title":"Empir Softw Eng"},{"key":"10601_CR23","unstructured":"French A, Macedo M, Poulsen J, Waterson T, Yu A (2008) Multivariate analysis of variance (manova)"},{"key":"10601_CR24","doi-asserted-by":"crossref","unstructured":"Genfer P, Zdun U (2021) Identifying domain-based cyclic dependencies in microservice apis using source code detectors. In: Software architecture: 15th European Conference, ECSA 2021, Virtual Event, Sweden, September 13-17, 2021, Proceedings, Springer, pp 207\u2013222","DOI":"10.1007\/978-3-030-86044-8_15"},{"key":"10601_CR25","doi-asserted-by":"crossref","unstructured":"Granchelli G, Cardarelli M, Di\u00a0Francesco P, Malavolta I, Iovino L, Di\u00a0Salle A (2017) Towards recovering the software architecture of microservice-based systems. In: 2017 IEEE International conference on software architecture workshops (ICSAW), IEEE, pp 46\u201353","DOI":"10.1109\/ICSAW.2017.48"},{"key":"10601_CR26","doi-asserted-by":"crossref","unstructured":"Hair\u00a0Jr JF, Hult GTM, Ringle CM, Sarstedt M (2021) A primer on partial least squares structural equation modeling (PLS-SEM). Sage publications","DOI":"10.1007\/978-3-030-80519-7"},{"key":"10601_CR27","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1016\/j.jss.2018.11.049","volume":"149","author":"M Hammad","year":"2019","unstructured":"Hammad M, Bagheri H, Malek S (2019) Deldroid: an automated approach for determination and enforcement of least-privilege architecture in android. J Syst Softw 149:83\u2013100","journal-title":"J Syst Softw"},{"key":"10601_CR28","doi-asserted-by":"crossref","unstructured":"Hasselbring W (2018) Software architecture: Past, present, future. The essence of software engineering pp 169\u2013184","DOI":"10.1007\/978-3-319-73897-0_10"},{"key":"10601_CR29","doi-asserted-by":"crossref","unstructured":"Hoisl B, Sobernig S, Strembeck M (2014) Comparing three notations for defining scenario-based model tests: A controlled experiment. In: 2014 9th International conference on the quality of information and communications technology, IEEE, pp 180\u2013189","DOI":"10.1109\/QUATIC.2014.62"},{"key":"10601_CR30","doi-asserted-by":"crossref","unstructured":"Hu C, Zhu J, Yang R, Peng H, Wo T, Xue S, Yu X, Xu J, Ranjan R (2020) Toposch: Latency-aware scheduling based on critical path analysis on shared yarn clusters. In: 2020 IEEE 13th international conference on cloud computing (CLOUD), IEEE, pp 619\u2013627","DOI":"10.1109\/CLOUD49709.2020.00091"},{"key":"10601_CR31","doi-asserted-by":"crossref","unstructured":"Jedlitschka A, Ciolkowski M, Pfahl D (2008) Reporting experiments in software engineering. Guide to advanced empirical software engineering pp 201\u2013228","DOI":"10.1007\/978-1-84800-044-5_8"},{"key":"10601_CR32","doi-asserted-by":"crossref","unstructured":"Jongeling R, Ciccozzi F, Cicchetti A, Carlson J (2022) From informal architecture diagrams to flexible blended models. In: European conference on software architecture, Springer, pp 143\u2013158","DOI":"10.1007\/978-3-031-16697-6_10"},{"issue":"4","key":"10601_CR33","doi-asserted-by":"publisher","first-page":"396","DOI":"10.9734\/BJAST\/2015\/14975","volume":"7","author":"A Joshi","year":"2015","unstructured":"Joshi A, Kale S, Chandel S, Pal DK (2015) Likert scale: Explored and explained. Br J Appl Sci Technol 7(4):396","journal-title":"Br J Appl Sci Technol"},{"issue":"2","key":"10601_CR34","doi-asserted-by":"publisher","first-page":"251524592199960","DOI":"10.1177\/2515245921999602","volume":"4","author":"JD Karch","year":"2021","unstructured":"Karch JD (2021) Psychologists should use brunner-munzel\u2019s instead of mann-whitney\u2019s u test as the default nonparametric procedure. Adv Methods Pract Psychol Sci 4(2):2515245921999602","journal-title":"Adv Methods Pract Psychol Sci"},{"key":"10601_CR35","doi-asserted-by":"crossref","unstructured":"Kirschner YR, Walter M, Bossert F, Heinrich R, Koziolek A (2023) Automatic derivation of vulnerability models for software architectures. In: 2023 IEEE 20th international conference on software architecture companion (ICSA-C), IEEE, pp 276\u2013283","DOI":"10.1109\/ICSA-C57050.2023.00065"},{"key":"10601_CR36","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1007\/s10664-016-9437-5","volume":"22","author":"B Kitchenham","year":"2017","unstructured":"Kitchenham B, Madeyski L, Budgen D, Keung J, Brereton P, Charters S, Gibbs S, Pohthong A (2017) Robust statistical methods for empirical software engineering. Empir Softw Eng 22:579\u2013630","journal-title":"Empir Softw Eng"},{"issue":"8","key":"10601_CR37","doi-asserted-by":"publisher","first-page":"721","DOI":"10.1109\/TSE.2002.1027796","volume":"28","author":"BA Kitchenham","year":"2002","unstructured":"Kitchenham BA, Pfleeger SL, Pickard LM, Jones PW, Hoaglin DC, El Emam K, Rosenberg J (2002) Preliminary guidelines for empirical research in software engineering. IEEE Trans Softw Eng 28(8):721\u2013734","journal-title":"IEEE Trans Softw Eng"},{"key":"10601_CR38","doi-asserted-by":"crossref","unstructured":"Kleehaus M, Matthes F (2019) Challenges in documenting microservice-based it landscape: A survey from an enterprise architecture management perspective. In: 2019 IEEE 23rd international enterprise distributed object computing conference (EDOC), IEEE, pp 11\u201320","DOI":"10.1109\/EDOC.2019.00012"},{"key":"10601_CR39","first-page":"89","volume":"4","author":"AN Kolmogorov","year":"1933","unstructured":"Kolmogorov AN (1933) Sulla determinazione empirica di una legge didistribuzione. Giorn Dell\u2019inst Ital Degli Att 4:89\u201391","journal-title":"Giorn Dell\u2019inst Ital Degli Att"},{"issue":"260","key":"10601_CR40","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1080\/01621459.1952.10483441","volume":"47","author":"WH Kruskal","year":"1952","unstructured":"Kruskal WH, Wallis WA (1952) Use of ranks in one-criterion variance analysis. J Am Stat Assoc 47(260):583\u2013621","journal-title":"J Am Stat Assoc"},{"key":"10601_CR41","doi-asserted-by":"crossref","unstructured":"Labunets K, Paci F, Massacci F, Ruprai R (2014) An experiment on comparing textual vs. visual industrial methods for security risk assessment. In: 2014 IEEE 4th international workshop on empirical requirements engineering (EmpiRE), IEEE, pp 28\u201335","DOI":"10.1109\/EmpiRE.2014.6890113"},{"key":"10601_CR42","doi-asserted-by":"crossref","unstructured":"Lodderstedt T, Basin D, Doser J (2002) Secureuml: A uml-based modeling language for model-driven security. In: International conference on the unified modeling language, Springer, pp 426\u2013441","DOI":"10.1007\/3-540-45800-X_33"},{"issue":"2","key":"10601_CR43","doi-asserted-by":"publisher","first-page":"545","DOI":"10.11144\/Javeriana.upsy10-2.cdcp","volume":"10","author":"G Macbeth","year":"2011","unstructured":"Macbeth G, Razumiejczyk E, Ledesma RD (2011) Cliff\u2019s delta calculator: A non-parametric effect size program for two groups of observations. Univ Psychol 10(2):545\u2013555","journal-title":"Univ Psychol"},{"key":"10601_CR44","doi-asserted-by":"crossref","unstructured":"Matos DR, Pardal ML, Silva AR, Correia M (2023) $$\\mu $$verum: Intrusion recovery for microservice applications. IEEE Access","DOI":"10.1109\/ACCESS.2023.3298113"},{"issue":"2","key":"10601_CR45","doi-asserted-by":"publisher","first-page":"135","DOI":"10.3923\/itj.2003.135.139","volume":"2","author":"M Mendes","year":"2003","unstructured":"Mendes M, Pala A (2003) Type i error rate and power of three normality tests. Pakistan J Inf Technol 2(2):135\u2013139","journal-title":"Pakistan J Inf Technol"},{"key":"10601_CR46","doi-asserted-by":"crossref","unstructured":"Miller L, M\u00e9rindol P, Gallais A, Pelsser C (2021) Towards secure and leak-free workflows using microservice isolation. In: 2021 IEEE 22nd international conference on high performance switching and routing (HPSR), IEEE, pp 1\u20135","DOI":"10.1109\/HPSR52026.2021.9481820"},{"key":"10601_CR47","doi-asserted-by":"crossref","unstructured":"Morais G, Bork D, Adda M (2021) Towards an ontology-driven approach to model and analyze microservices architectures. In: Proceedings of the 13th international conference on management of digital EcoSystems, pp 79\u201386","DOI":"10.1145\/3444757.3485108"},{"key":"10601_CR48","doi-asserted-by":"publisher","first-page":"111046","DOI":"10.1016\/j.jss.2021.111046","volume":"181","author":"AR Nasab","year":"2021","unstructured":"Nasab AR, Shahin M, Liang P, Basiri ME, Raviz SAH, Khalajzadeh H, Waseem M, Naseri A (2021) Automated identification of security discussions in microservices systems: Industrial surveys and experiments. J Syst Softw 181:111046","journal-title":"J Syst Softw"},{"key":"10601_CR49","doi-asserted-by":"publisher","first-page":"111563","DOI":"10.1016\/j.jss.2022.111563","volume":"198","author":"AR Nasab","year":"2023","unstructured":"Nasab AR, Shahin M, Raviz SAH, Liang P, Mashmool A, Lenarduzzi V (2023) An empirical study of security practices for microservices systems. J Syst Softw 198:111563","journal-title":"J Syst Softw"},{"issue":"10","key":"10601_CR50","doi-asserted-by":"publisher","first-page":"5055","DOI":"10.1016\/j.csda.2006.04.025","volume":"51","author":"M Neuh\u00e4user","year":"2007","unstructured":"Neuh\u00e4user M, L\u00f6sch C, J\u00f6ckel KH (2007) The chen-luo test in case of heteroscedasticity. Comput Stat Data Anal 51(10):5055\u20135060","journal-title":"Comput Stat Data Anal"},{"key":"10601_CR51","unstructured":"Newman S (2021) Building microservices. \u201c O\u2019Reilly Media, Inc.\u201d"},{"key":"10601_CR52","doi-asserted-by":"crossref","unstructured":"Nguyen PH, Song H, Chauvel F, Muller R, Boyar S, Levin E (2019) Using microservices for non-intrusive customization of multi-tenant saas. In: Proceedings of the 2019 27th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering, pp 905\u2013915","DOI":"10.1145\/3338906.3340452"},{"key":"10601_CR53","unstructured":"NIST (2019) Nist special publication (sp) 800-204, security strategies for microservices-based application systems. https:\/\/www.nist.gov\/news-events\/news\/2019\/08\/security-strategies-microservices-based-application-systems-nist-publishes"},{"key":"10601_CR54","doi-asserted-by":"crossref","unstructured":"Nordli ET, Nguyen PH, Chauvel F, Song H (2020) Event-based customization of multi-tenant saas using microservices. In: International conference on coordination languages and models, Springer, pp 171\u2013180","DOI":"10.1007\/978-3-030-50029-0_11"},{"key":"10601_CR55","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1007\/s10459-010-9222-y","volume":"15","author":"G Norman","year":"2010","unstructured":"Norman G (2010) Likert scales, levels of measurement and the \u201claws\u2019\u2019 of statistics. Adv Health Sci Educ 15:625\u2013632","journal-title":"Adv Health Sci Educ"},{"issue":"11","key":"10601_CR56","doi-asserted-by":"publisher","first-page":"2521","DOI":"10.1007\/s00607-021-01002-z","volume":"103","author":"E Ntentos","year":"2021","unstructured":"Ntentos E, Zdun U, Plakidas K, Genfer P, Geiger S, Meixner S, Hasselbring W (2021) Detector-based component model abstraction for microservice-based systems. Computing 103(11):2521\u20132551","journal-title":"Computing"},{"key":"10601_CR57","unstructured":"OWASP (2021) Microservices based security arch doc cheat sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Microservices_based_Security_Arch_Doc_Cheat_Sheet.html"},{"key":"10601_CR58","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1016\/j.infsof.2017.10.008","volume":"95","author":"M Ozkaya","year":"2018","unstructured":"Ozkaya M (2018) Do the informal & formal software modeling notations satisfy practitioners for software architecture modeling? Inf Softw Technol 95:15\u201333","journal-title":"Inf Softw Technol"},{"key":"10601_CR59","doi-asserted-by":"publisher","first-page":"110987","DOI":"10.1016\/j.jss.2021.110987","volume":"178","author":"P Paulweber","year":"2021","unstructured":"Paulweber P, Simhandl G, Zdun U (2021) On the understandability of language constructs to structure the state and behavior in abstract state machine specifications: A controlled experiment. J Syst Softw 178:110987","journal-title":"J Syst Softw"},{"key":"10601_CR60","doi-asserted-by":"crossref","unstructured":"Pearson K (1895) Vii. note on regression and inheritance in the case of two parents. proceedings of the royal society of London 58(347-352):240\u2013242","DOI":"10.1098\/rspl.1895.0041"},{"key":"10601_CR61","doi-asserted-by":"crossref","unstructured":"Pereira-Vale A, M\u00e1rquez G, Astudillo H, Fernandez EB (2019) Security mechanisms used in microservices-based systems: a systematic mapping. In: 2019 XLV Latin American computing conference (CLEI), IEEE, pp 01\u201310","DOI":"10.1109\/CLEI47609.2019.235060"},{"key":"10601_CR62","doi-asserted-by":"crossref","unstructured":"Petre M (2013) Uml in practice. In: 2013 35th international conference on software engineering (ICSE), IEEE, pp 722\u2013731","DOI":"10.1109\/ICSE.2013.6606618"},{"key":"10601_CR63","doi-asserted-by":"crossref","unstructured":"Rademacher F, Sachweh S, Z\u00fcndorf A (2020) A modeling method for systematic architecture reconstruction of microservice-based software systems. In: Enterprise, business-process and information systems modeling: 21st international conference, BPMDS 2020, 25th International Conference, EMMSAD 2020, Held at CAiSE 2020, Grenoble, France, June 8\u20139, 2020, Proceedings 21, Springer, pp 311\u2013326","DOI":"10.1007\/978-3-030-49418-6_21"},{"issue":"1","key":"10601_CR64","first-page":"21","volume":"2","author":"NM Razali","year":"2011","unstructured":"Razali NM, Wah YB et al (2011) Power comparisons of shapiro-wilk, kolmogorov-smirnov, lilliefors and anderson-darling tests. J Stat Model Anal 2(1):21\u201333","journal-title":"J Stat Model Anal"},{"key":"10601_CR65","doi-asserted-by":"crossref","unstructured":"Saculinggan M, Balase EA (2013) Empirical power comparison of goodness of fit tests for normality in the presence of outliers. In: Journal of physics: conference series, IOP Publishing, vol 435, pp 012041","DOI":"10.1088\/1742-6596\/435\/1\/012041"},{"key":"10601_CR66","doi-asserted-by":"crossref","unstructured":"Sarstedt M, Mooi E, et\u00a0al. (2014) A concise guide to market research. The Process, Data, and 12","DOI":"10.1007\/978-3-642-53965-7"},{"issue":"3\/4","key":"10601_CR67","doi-asserted-by":"publisher","first-page":"591","DOI":"10.2307\/2333709","volume":"52","author":"SS Shapiro","year":"1965","unstructured":"Shapiro SS, Wilk MB (1965) An analysis of variance test for normality (complete samples). Biometrika 52(3\/4):591\u2013611","journal-title":"Biometrika"},{"issue":"5","key":"10601_CR68","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1109\/MCC.2016.111","volume":"3","author":"A Sill","year":"2016","unstructured":"Sill A (2016) The design and architecture of microservices. IEEE Cloud Comput 3(5):76\u201380","journal-title":"IEEE Cloud Comput"},{"key":"10601_CR69","doi-asserted-by":"crossref","unstructured":"Silva S, Correia J, Bento A, Araujo F, Barbosa R (2021) $$\\mu $$ viz: Visualization of microservices. In: 2021 25th International conference information visualisation (IV), IEEE, pp 120\u2013128","DOI":"10.1109\/IV53921.2021.00028"},{"key":"10601_CR70","doi-asserted-by":"crossref","unstructured":"Smith S, Robinson E, Frederiksen T, Stevens T, Cerny T, Bures M, Taibi D (2023) Benchmarks for end-to-end microservices testing. arXiv:2306.05895","DOI":"10.1109\/SOSE58276.2023.00013"},{"key":"10601_CR71","doi-asserted-by":"crossref","unstructured":"Sohr K, Berger B (2010) Idea: Towards architecture-centric security analysis of software. In: Engineering secure software and systems: second international symposium, ESSoS 2010, Pisa, Italy, February 3-4, 2010. Proceedings 2, Springer, pp 70\u201378","DOI":"10.1007\/978-3-642-11747-3_6"},{"issue":"3\/4","key":"10601_CR72","doi-asserted-by":"publisher","first-page":"441","DOI":"10.2307\/1422689","volume":"100","author":"C Spearman","year":"1987","unstructured":"Spearman C (1987) The proof and measurement of association between two things. Am J Psychol 100(3\/4):441\u2013471","journal-title":"Am J Psychol"},{"key":"10601_CR73","doi-asserted-by":"crossref","unstructured":"Stevanetic S, Javed MA, Zdun U (2014) Empirical evaluation of the understandability of architectural component diagrams. In: Proceedings of the WICSA 2014 companion volume, pp 1\u20138","DOI":"10.1145\/2578128.2578230"},{"key":"10601_CR74","doi-asserted-by":"crossref","unstructured":"Stocker M, Zimmermann O (2021) From code refactoring to api refactoring: Agile service design and evolution. In: Symposium and summer school on service-oriented computing, Springer, pp 174\u2013193","DOI":"10.1007\/978-3-030-87568-8_11"},{"key":"10601_CR75","doi-asserted-by":"crossref","unstructured":"Svahnberg M, Aurum A, Wohlin C (2008) Using students as subjects-an empirical evaluation. In: Proceedings of the Second ACM-IEEE international symposium on Empirical software engineering and measurement, pp 288\u2013290","DOI":"10.1145\/1414004.1414055"},{"key":"#cr-split#-10601_CR76.1","doi-asserted-by":"crossref","unstructured":"Taibi D, Lenarduzzi V, Pahl C (2018) Architectural patterns for microservices: a systematic mapping study. In: CLOSER 2018: Proceedings of the 8th international conference on cloud computing and services science","DOI":"10.5220\/0006798302210232"},{"key":"#cr-split#-10601_CR76.2","unstructured":"Funchal, Madeira, Portugal, 19-21 March 2018, SciTePress"},{"issue":"1","key":"10601_CR77","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1109\/MS.2015.11","volume":"32","author":"J Th\u00f6nes","year":"2015","unstructured":"Th\u00f6nes J (2015) Microservices. IEEE Softw 32(1):116\u2013116","journal-title":"IEEE Softw"},{"key":"10601_CR78","doi-asserted-by":"crossref","unstructured":"de\u00a0Toledo SS, Martini A, Przybyszewska A, Sj\u00f8berg DI (2019) Architectural technical debt in microservices: a case study in a large company. In: 2019 IEEE\/ACM international conference on technical debt (TechDebt), IEEE, pp 78\u201387","DOI":"10.1109\/TechDebt.2019.00026"},{"key":"10601_CR79","doi-asserted-by":"crossref","unstructured":"Vanciu R, Abi-Antoun M (2013) Finding architectural flaws using constraints. In: 2013 28th IEEE\/ACM international conference on automated software engineering (ASE), IEEE, pp 334\u2013344","DOI":"10.1109\/ASE.2013.6693092"},{"key":"10601_CR80","unstructured":"Votipka D, Fulton KR, Parker J, Hou M, Mazurek ML, Hicks M (2020) Understanding security mistakes developers make: Qualitative analysis from build it, break it, fix it. In: 29th USENIX Security Symposium (USENIX Security 20), pp 109\u2013126"},{"key":"10601_CR81","doi-asserted-by":"publisher","first-page":"32721","DOI":"10.1109\/ACCESS.2021.3060895","volume":"9","author":"H Vural","year":"2021","unstructured":"Vural H, Koyuncu M (2021) Does domain-driven design lead to finding the optimal modularity of a microservice? IEEE Access 9:32721\u201332733","journal-title":"IEEE Access"},{"key":"10601_CR82","doi-asserted-by":"crossref","unstructured":"Wen F, Nagy C, Bavota G, Lanza M (2019) A large-scale empirical study on code-comment inconsistencies. In: 2019 IEEE\/ACM 27th international conference on program comprehension (ICPC), IEEE, pp 53\u201364","DOI":"10.1109\/ICPC.2019.00019"},{"key":"10601_CR83","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4612-4380-9_16","volume-title":"Individual comparisons by ranking methods","author":"F Wilcoxon","year":"1992","unstructured":"Wilcoxon F (1992) Individual comparisons by ranking methods. Springer"},{"issue":"22","key":"10601_CR84","doi-asserted-by":"publisher","first-page":"e4436","DOI":"10.1002\/cpe.4436","volume":"31","author":"D Yu","year":"2019","unstructured":"Yu D, Jin Y, Zhang Y, Zheng X (2019) A survey on security issues in services communication of microservices-enabled fog applications. Concurr Comput Pract Exper 31(22):e4436","journal-title":"Concurr Comput Pract Exper"},{"key":"10601_CR85","doi-asserted-by":"crossref","unstructured":"Zdun U, Queval PJ, Simhandl G, Scandariato R, Chakravarty S, Jeli\u0107 M, Jovanovi\u0107 A (2023a) Detection strategies for microservice security tactics. IEEE Trans Depend Secur Comput","DOI":"10.1109\/TDSC.2023.3276487"},{"issue":"1","key":"10601_CR86","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3532183","volume":"32","author":"U Zdun","year":"2023","unstructured":"Zdun U, Qu\u00e8val PJ, Simhandl G, Scandariato R, Chakravarty S, Jelic M, Jovanovic A (2023) Microservice security metrics for secure communication, identity management, and observability. ACM Trans Softw Eng Methodol 32(1):1\u201334","journal-title":"ACM Trans Softw Eng Methodol"},{"key":"10601_CR87","doi-asserted-by":"crossref","unstructured":"Zhou Y, Gu R, Chen T, Huang Z, Panichella S, Gall H (2017) Analyzing apis documentation and code to detect directive defects. In: 2017 IEEE\/ACM 39th international conference on software engineering (ICSE), IEEE, pp 27\u201337","DOI":"10.1109\/ICSE.2017.11"},{"issue":"4","key":"10601_CR88","doi-asserted-by":"publisher","first-page":"354","DOI":"10.1080\/00221300009598589","volume":"127","author":"DW Zimmerman","year":"2000","unstructured":"Zimmerman DW (2000) Statistical significance levels of nonparametric tests biased by heterogeneous variances of treatment groups. J Gen Psychol 127(4):354\u2013364","journal-title":"J Gen Psychol"},{"key":"10601_CR89","unstructured":"Zimmermann O, Stocker M, L\u00fcbke D, Zdun U, Pautasso C (2023) Patterns for API Design: Simplifying Integration with Loosely Coupled Message Exchanges. Addison-Wesley Signature Series (Vernon), Pearson, https:\/\/api-patterns.org"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10601-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-024-10601-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10601-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T13:28:03Z","timestamp":1763645283000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-024-10601-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,14]]},"references-count":90,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,5]]}},"alternative-id":["10601"],"URL":"https:\/\/doi.org\/10.1007\/s10664-024-10601-1","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,14]]},"assertion":[{"value":"5 December 2024","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"14 February 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declared that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of interest"}}],"article-number":"66"}}