{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T19:08:26Z","timestamp":1770750506702,"version":"3.50.0"},"reference-count":50,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2023,6,26]],"date-time":"2023-06-26T00:00:00Z","timestamp":1687737600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>As microservice-based architectures are increasingly adopted, microservices security has become a crucial aspect to consider for IT businesses. Starting from a set of \u201csecurity smells\u201d for microservice applications that were recently proposed in the literature, we enable the automatic detection of such smells in microservice applications deployed with Kubernetes. We first introduce possible analysis techniques to automatically detect security smells in Kubernetes-deployed microservices. We then demonstrate the practical applicability of the proposed techniques by introducing KubeHound, an extensible prototype tool for automatically detecting security smells in microservice applications, and which already features a selected subset of the discussed analyses. We finally show that KubeHound can effectively detect instances of security smells in microservice applications by means of controlled experiments and by applying it to existing, third-party applications.<\/jats:p>","DOI":"10.3390\/fi15070228","type":"journal-article","created":{"date-parts":[[2023,6,27]],"date-time":"2023-06-27T01:49:21Z","timestamp":1687830561000},"page":"228","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["KubeHound: Detecting Microservices\u2019 Security Smells in Kubernetes Deployments"],"prefix":"10.3390","volume":"15","author":[{"given":"Giorgio","family":"Dell\u2019Immagine","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Pisa, Largo B. Pontecorvo 3, 56127 Pisa, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2435-3543","authenticated-orcid":false,"given":"Jacopo","family":"Soldani","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Pisa, Largo B. Pontecorvo 3, 56127 Pisa, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2048-2468","authenticated-orcid":false,"given":"Antonio","family":"Brogi","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Pisa, Largo B. Pontecorvo 3, 56127 Pisa, Italy"}]}],"member":"1968","published-online":{"date-parts":[[2023,6,26]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"111393","DOI":"10.1016\/j.jss.2022.111393","article-title":"Smells and refactorings for microservices security: A multivocal literature review","volume":"192","author":"Ponce","year":"2022","journal-title":"J. Syst. Softw."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"116","DOI":"10.1109\/MS.2015.11","article-title":"Microservices","volume":"32","year":"2015","journal-title":"IEEE Softw."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1109\/MS.2016.64","article-title":"Microservices Architecture Enables DevOps: Migration to a Cloud-Native Architecture","volume":"33","author":"Balalaie","year":"2016","journal-title":"IEEE Softw."},{"key":"ref_4","first-page":"301","article-title":"Microservices Tenets","volume":"32","author":"Zimmermann","year":"2017","journal-title":"Comput. Sci."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1016\/j.jss.2018.09.082","article-title":"The pains and gains of microservices: A Systematic grey literature review","volume":"146","author":"Soldani","year":"2018","journal-title":"J. Syst. Softw."},{"key":"ref_6","unstructured":"Lenhard, J., Meng, F., and Wang, Y. (2018). Proceedings of the 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE 2018), Bamberg, Germany, 26\u201329 March 2018, IEEE Computer Society."},{"key":"ref_7","unstructured":"Newman, S. (2015). Building Microservices, O\u2019Reilly. [1st ed.]."},{"key":"#cr-split#-ref_8.1","unstructured":"Lewis, G., Batista, T., and Bure\u0161, T. (2022). Proceedings of the Software Architecture"},{"key":"#cr-split#-ref_8.2","unstructured":"Gerostathopoulos, I (ECSA 2022), Prague, Czech Republic, 19-23 September 2022, Springer International Publishing."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Chondamrongkul, N., Sun, J., and Warren, I. (2020, January 16\u201320). Automated Security Analysis for Microservice Architecture. Proceedings of the 2020 IEEE International Conference on Software Architecture Companion (ICSA-C), Salvador, Brazil.","DOI":"10.1109\/ICSA-C50368.2020.00024"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"111722","DOI":"10.1016\/j.jss.2023.111722","article-title":"Automatic extraction of security-rich dataflow diagrams for microservice applications written in Java","volume":"202","author":"Schneider","year":"2023","journal-title":"J. Syst. Softw."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3532183","article-title":"Microservice Security Metrics for Secure Communication, Identity Management, and Observability","volume":"32","author":"Zdun","year":"2023","journal-title":"ACM Trans. Softw. Eng. Methodol."},{"key":"ref_12","unstructured":"Dorai, G., Karastoyanova, D., and Osmani, A. (2022). Proceedings of the 4th International Conference on Microservices, (Microservices 2022), Paris, France, 10\u201312 May 2022, Microservices Community. Available online: https:\/\/www.conf-micro.services\/2022\/papers\/paper_11.pdf."},{"key":"ref_13","unstructured":"Bultan, T., and Whittle, J. (2019). Proceedings of the 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE 2019), Montreal, QC, Canada, 25\u201331 May 2019, IEEE Computer Society."},{"key":"ref_14","unstructured":"(2023, May 03). Kubesec.io: Security Risk Analysis for Kubernetes Resources. Available online: https:\/\/kubesec.io\/."},{"key":"ref_15","unstructured":"(2023, May 03). Checkov: Policy-as-Code for Everyone. Available online: https:\/\/www.checkov.io\/."},{"key":"ref_16","unstructured":"(2023, May 03). Kube-Bench. Available online: https:\/\/github.com\/aquasecurity\/kube-bench."},{"key":"ref_17","unstructured":"(2023, May 03). Kube-Hunter. Available online: https:\/\/github.com\/aquasecurity\/kube-hunter\/."},{"key":"ref_18","unstructured":"(2023, May 03). OWASP Zed Application Proxy. Available online: https:\/\/www.zaproxy.org\/."},{"key":"ref_19","unstructured":"(2023, May 03). OpenAPI Fuzzer\u2014Black-Box Fuzzer That Fuzzes APIs Based on OpenAPI Specification. Available online: https:\/\/github.com\/matusf\/openapi-fuzzer."},{"key":"ref_20","unstructured":"(2023, May 03). SonarQube. Available online: https:\/\/www.sonarqube.org\/."},{"key":"ref_21","unstructured":"(2023, May 03). CIS Kubernetes Benchmark. Available online: https:\/\/www.cisecurity.org\/benchmark\/kubernetesCISKubernetesbenchmark."},{"key":"ref_22","unstructured":"OWASP (2023, May 03). Top 10 Web Application Security Risks. Available online: https:\/\/owasp.org\/www-project-top-ten\/."},{"key":"ref_23","unstructured":"(2023, May 03). OpenAPI Specification v3.1.0, Version 3.1.0. Available online: https:\/\/spec.openapis.org\/oas\/latest.html."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Walker, A., Das, D., and Cerny, T. (2020). Automated Code-Smell Detection in Microservices Through Static Analysis: A Case Study. Appl. Sci., 10.","DOI":"10.3390\/app10217800"},{"key":"ref_25","unstructured":"(2023, May 03). Kubernetes Documentation: Authentication. Available online: https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/authentication\/."},{"key":"ref_26","unstructured":"(2023, May 03). Kubernetes Documentation: Service. Available online: https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/service\/."},{"key":"ref_27","unstructured":"(2023, May 03). Kubernetes Documentation: Ingress. Available online: https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/ingress\/."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"1565","DOI":"10.1093\/comjnl\/bxr035","article-title":"Surveying Port Scans and Their Detection Methodologies","volume":"54","author":"Bhuyan","year":"2011","journal-title":"Comput. J."},{"key":"ref_29","unstructured":"(2023, May 03). Nmap. Available online: https:\/\/nmap.org\/."},{"key":"ref_30","unstructured":"(2023, May 03). Kubernetes Documentation: Configure a Security Context for a Pod or Container. Available online: https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/security-context\/."},{"key":"ref_31","unstructured":"(2023, May 03). Kubernetes Documentation: Managing Service Accounts. Available online: https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/service-accounts-admin\/."},{"key":"ref_32","unstructured":"(2023, May 03). Kubernetes Documentation: Network Policies. Available online: https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/network-policies\/."},{"key":"ref_33","unstructured":"(2023, May 03). Kubernetes Documentation: Secrets. Available online: https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/."},{"key":"ref_34","unstructured":"Richards, M. (2015). Software Architecture Patterns, O\u2019Reilly Media, Inc.. [1st ed.]."},{"key":"ref_35","unstructured":"OMG (2023, May 03). Unified Modeling Language (UML). Available online: https:\/\/www.omg.org\/spec\/UML."},{"key":"ref_36","unstructured":"Gift, N., Behrman, K., Deza, A., and Gheorghiu, G. (2020). Python for DevOps: Learn Ruthlessly Effective Automation, O\u2019Reilly Media. [1st ed.]."},{"key":"ref_37","unstructured":"(2023, May 03). Detect-Secrets. Available online: https:\/\/github.com\/Yelp\/detect-secrets."},{"key":"ref_38","unstructured":"(2023, May 03). Kubernetes Documentation\u2014Services, Load Balancing, and Networking. Available online: https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/."},{"key":"ref_39","unstructured":"Kristijan, M. (2023, May 03). Learnk8s.io: Tracing the Path of Network Traffic in Kubernetes. Available online: https:\/\/learnk8s.io\/kubernetes-network-packets."},{"key":"ref_40","unstructured":"(2023, May 03). Kubernetes Documentation: Configure Liveness, Readiness and Startup Probes. Available online: https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/configure-liveness-readiness-startup-probes\/."},{"key":"ref_41","unstructured":"(2023, May 03). Ksniff. Available online: https:\/\/github.com\/eldadru\/ksniff."},{"key":"ref_42","unstructured":"Calcote, L., and Butcher, Z. (2020). Istio: Up and Running, O\u2019Reilly Media. [1st ed.]."},{"key":"ref_43","unstructured":"(2023, May 03). gRPC over HTTP2. Available online: https:\/\/github.com\/grpc\/grpc\/blob\/master\/doc\/PROTOCOL-HTTP2.md."},{"key":"ref_44","unstructured":"(2023, May 03). Sock Shop\u2014A Microservices Demo Application. Available online: https:\/\/microservices-demo.github.io\/."},{"key":"ref_45","unstructured":"(2023, May 03). Online Boutique. Available online: https:\/\/github.com\/GoogleCloudPlatform\/microservices-demo."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"100415","DOI":"10.1016\/j.cosrev.2021.100415","article-title":"Securing microservices and microservice architectures: A systematic mapping study","volume":"41","author":"Hannousse","year":"2021","journal-title":"Comput. Sci. Rev."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Washizaki, H., Xia, T., Kamata, N., Fukazawa, Y., Kanuka, H., Kato, T., Yoshino, M., Okubo, T., Ogata, S., and Kaiya, H. (2021). Systematic Literature Review of Security Pattern Research. Information, 12.","DOI":"10.3390\/info12010036"},{"key":"ref_48","unstructured":"(2023, May 03). OWASP Cheat Sheet Series: Microservice Security Cheat Sheet. Available online: https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Microservices_security.html."},{"key":"ref_49","unstructured":"(2023, May 03). User & Device Identity for Microservices @ Netflix Scale. QCon 2019. Available online: https:\/\/www.infoq.com\/presentations\/netflix-user-identity\/."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/7\/228\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T20:01:14Z","timestamp":1760126474000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/7\/228"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,26]]},"references-count":50,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2023,7]]}},"alternative-id":["fi15070228"],"URL":"https:\/\/doi.org\/10.3390\/fi15070228","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,26]]}}}