An observability-based assurance model for non-functional properties

In the constantly evolving landscape of continuously integrated cloud-native applications, security assurance is becoming steadily more important. To ensure that systems are secure and behave as expected, the assurance process has to be included in the whole software lifecycle, from development to operations.

Verifying non-functional security properties on assurance targets requires extracting significant evidence in the form of metrics. Most existing assurance models rely on ad-hoc probes to perform evidence collection, limiting their applicability to specific types of systems and use cases.

The goal of this thesis is to prove that it is possible to create a security assurance model that uses an observability backend as a target-agnostic source of evidence. In the proposed model, non-functional properties are verified on targets through the definition of contracts based on metrics extracted from the observability backend.

An implementation of the model has been developed for experimentation purposes, relying on the observability software Prometheus for the collection of metrics. The results showed that this architecture provides a simple and efficient process for defining and evaluating contracts for non-functional properties, for any target that exports relevant metrics to the observability backend.

Filippo Berto
Post-doc Researcher

My research interests include Cybersecurity, Computer Networks, Edge-Cloud Computing and Distributed Systems.