It’s a sure bet that containers and microservices will become new security vulnerabilities for cloud-native applications without discussions about best practices and standards.

In doing postmortems on breaches of applications and data sets in the cloud, problems are often traced back to communication. Frequently, the issue is not computer-to-computer communication, but communication between the humans designing the cloud-based systems and those who are charged with their security.

Applications that use modern mechanisms such as containers, Kubernetes, and microservices often expose security vulnerabilities that go unnoticed. The analogy I like to use is that architects are designing the best smart building known to the world but not installing locks. The locks need to be engineered into the building during the design and not be an afterthought, as they often are in the world of cloud system security.

The essence of this problem is a lack of best practices and standards that the people engineering these cloud-native solutions can depend on. We’re beginning to see some guidance emerge that allows both the architecture and security teams to better coordinate around standards and best practices.

An example of emerging best practices and standards would be the ones developed by the Application Containers and Microservices Working Group of the Cloud Security Alliance. They give application developers and architects, as well as anyone responsible for application containers and microservices security, a repeatable approach to designing, developing, and deploying a microservices architecture pattern.

In short, this set of guidance tells you how to have a microservice operate independently and communicate with other microservices. Microservices have evolved to become a common application component of net-new cloud-based systems.
Of course, application components should not become attack vectors for some hacker who has found out how to exploit microservices.

Design meets security

The idea here is to have close coordination between those who are designing and building cloud-native applications (with or without microservices) and those who are responsible for security. Much of this has fallen away from IT culture as security teams feel blindsided by the adoption of new technology, such as microservices. At the same time, development teams feel the pressure to come up with more innovative and valuable uses of cloud-native technology in support of the business.

We need to do both.

Create a culture of tight coordination and communication between the cloud architecture and cloud security teams.

Encourage the use of standards and best practices for architecture and security.

Promote ongoing, continuous improvement of both cloud-native architecture and best-of-breed security practices and technology.

Pretty simple if you ask me. I suspect I’ll be breaking up fights between the application and security teams for the next few years, though. You guys need to help me out.