Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
The Cedar Programming Language: Authorization Simplified
Jun 2nd 2023 6:07am, by Alex Williams
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Open Source Jira Alternative, Plane, Lands
Jun 2nd 2023 9:00am, by Darryl K. Taft
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
My Further Adventures (and More Success) with Rancher
Jun 3rd 2023 7:00am, by Jack Wallen
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Cloud Native Ecosystem / Kubernetes / Security

5 Things to Know About Secure Cloud Native Development

As many organizations move to cloud native development, they need to look at how they must do security differently.
Nov 4th, 2021 10:00am by
Featued image for: 5 Things to Know About Secure Cloud Native Development
Feature image via Pixabay.

Alex Chalkias
Alex is a product nanager for Kubernetes at Canonical.

Cloud native development — the shift away from monolithic applications toward nimble containerized apps that can run on public, private, or hybrid clouds — is a huge disruptive wave that many enterprises are riding in their digital transformation efforts.

Cloud native is the future of application development, with massive potential for business impact the ability to move an idea into production quickly and efficiently,” says an Accenture report.

According to the Cloud Native Computing Foundation (CNCF), there are now 6.5 million cloud native developers around the world, 1.8 million more than in mid-2019 and representing 44% of backend developers. A majority uses open-source Kubernetes, which has become the de facto choice for container orchestration.

However, while cloud native architectures make it easier for organizations to bring new digital solutions to market faster, those applications obviously need to be secure.

Recognizing this reality, Kubernetes committers beefed up security capabilities in version 1.22, released in August. A seccomp-by-default security layer was added on top of existing seccomp support — seccomp (short for secure computing mode) being a Linux kernel feature that can be used to restrict unauthorized actions within a container.

This new feature should be a powerful tool to help reduce the surface for intrusions such as sandbox escape attacks, which allow malicious code to be executed from a sandbox outside the container’s environment.

But cloud native development security is a complex topic, and there are plenty of other important security considerations that developers should be aware of and take into account. Here are five:

1. Pick Your Dependencies Carefully

There is an abundance of resources that cloud native developers use to compose their applications. Knowing which resources to use or not to use is also an unprecedented security challenge. A recent Unit 42 study showed that 96% of third-party container images deployed on cloud infrastructure contain known vulnerabilities.

Whether it’s for OCI (Open Container Images) images on Docker Hub and elsewhere, Python packages on PyPI, Node.js packages on NPM, etc., it’s critical to continually consider what content can developers rely on and for how long. Is it of good quality? Does it contain security exposures or, worse, malicious malware code? Is it actively maintained and timely patched?

Now more than ever before, developers must exercise extreme caution and pick dependencies deliberately. Enterprises can help their developers by providing “sane defaults” for choosing software to underpin and support their applications.

2. Choose Secure and Stable Base Images

Software in container images comes in large part from the choice of a base image. Base images provide the necessary foundation for the applications to run, including shared libraries like SSL and libc, and enable developers to focus on their applications rather than the entire container.

Often, base images also tend to contain a lot more software than the applications added on top of it. And with more softwarecomes more security liability. Enterprises should approach the task of picking a secure and stable base image very carefully. Specifically:

  • Is the base image regularly updated? The software it contains, is it regularly vetted for security vulnerabilities or is it composed of seldom-used libraries? After all, “with enough eyes, every bug is shallow.”
  • Does the base image come with a large software ecosystem so that you can build on top of it easily by means of equally secure software? Or will you need to add to the base image from less-trusted sources?
  • Is the base image developer-friendly or does it make developers’ lives harder? Hard-to-use software will often lead to developers not using it properly or cutting security corners in the name of getting stuff done, and so creating even worse security liabilities.

3. Check out Cloud Native Buildpacks.

The Cloud Native Buildpacks project was initiated by Pivotal and Heroku in January 2018 and joined the CNCF that October. Borrowing from the best Platform as a Service (PaaS) offerings of the previous generation, cloud native buildpacks enable developers to effortlessly create hardened, optimized, safe containers for code.

Kubernetes is the de facto cloud native container orchestration, but leaves a lot of important aspects of running complex applications to its users, such as handling certificates or selecting and setting up ingresses. What end users want is a comprehensive, easy-to-use, reliable PaaS with good support for components of different sizes. Buildpacks provide that.

4. Patch Early, Patch Often

Software that goes into production without known vulnerabilities might have some discovered down the road. All running software must be kept up to date to prevent breaches. Updates need to come in a timely fashion, and rolling them out must be as easy and unobtrusive as possible. This is well understood with regard to operating systems and is every bit as true for containers.

Therefore, enterprises should always make sure containers are refreshed with the latest security patches. The same applies to the runtimes and the underpinning hosts under the containers: Hard-to-move software parts such as the kernel must be updated using technologies like live patching that reduce unplanned downtime and roll out seamlessly in production-critical security updates without disruption.

5. Embrace Automation

The harder it is to patch software, the less frequent that happens. And when a vulnerability is identified, the fix needs to be rolled out quickly, reliably, and everywhere, which requires thorough automation of the rollout process. Over the last decades, as an industry we have made great strides in automating the way we build software, the continuous integration (CI) part of CI/CD. Yet the continuous delivery (CD) is not always as continuous, due to gaps in automation, which has an impact on the time it takes to roll out security fixes to our applications.

As more organizations move to cloud native development, minimizing security issues becomes ever more important. Following these five steps can go a long way in helping enterprises meet the challenge.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Rafay Backstage Plugins Simplify Kubernetes Deployments Cloud Native Skill Gaps are Killing Your Gains  RabbitMQ Is Boring, and I Love It A Boring Kubernetes Release 4 Ways to Enhance Your Dockerfiles
TNS owner Insight Partners is an investor in: Unit, Docker.
RELATED STORIES
RabbitMQ Is Boring, and I Love It OpenTelemetry Gaining Traction from Companies and Vendors Ease Kubernetes Deployments with Cloud Foundry’s Korifi Cloud Native Basics: 4 Concepts to Know  Kubernetes Security in 2023: Adoption Soars, Security Lags
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.