The microservices philosophy and architectural approach have existed for a while in the form of a service-oriented architecture (SOA). A new set of sophisticated tooling makes this elegant architecture practical to deliver. The number of services, and their ephemeral nature, makes it virtually impossible to secure the environment using the tools and manually-driven processes of the past.
“It really forces you to change the approach that you take for security from human-designed and maintained with a lot of direct manipulation to a much higher degree of automation,” John Morello, Chief Technology Officer of Twistlock, said.
A new breed of security tools can understand and model an application’s typical traffic patterns, develop a reference model that reflects that known good state, and search for anomalies that violate that model. At the same time, new patterns and practices for developers, operations and security teams help integrate that security knowledge from the very beginning of the application development lifecycle.
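To make the "reference model of known-good traffic" idea concrete, here is an added example (not code from the podcast or from Twistlock's product) that learns which service-to-service edges appear during a learning window and then flags runtime connections that fall outside that model. The service names, ports and both traffic windows are constructed sample data; a real tool would derive the baseline from observed network flows over a longer period.

```python
"""Minimal behavioural baseline for service-to-service traffic (added example)."""
from collections import Counter

# Constructed learning-window observations: (source, destination, dst port, protocol).
LEARNING_WINDOW = [
    ("web", "api", 8080, "tcp"),
    ("web", "api", 8080, "tcp"),
    ("api", "db", 5432, "tcp"),
    ("api", "cache", 6379, "tcp"),
    ("api", "db", 5432, "tcp"),
]

# Constructed runtime observations, including two that the baseline never saw.
RUNTIME_WINDOW = [
    ("web", "api", 8080, "tcp"),
    ("api", "db", 5432, "tcp"),
    ("api", "db", 22, "tcp"),        # known peers, but an unexpected port
    ("cache", "db", 5432, "tcp"),    # an edge that never appeared in learning
]


def build_baseline(records):
    """Return the set of allowed edges and how often each was seen while learning."""
    counts = Counter(records)
    return {"edges": set(counts), "counts": counts}


def classify(baseline, record):
    """Return ('known', '') or ('anomaly', reason) for one observed connection."""
    src, dst, port, proto = record
    if record in baseline["edges"]:
        return ("known", "")
    # Separate "new port on a known pair" from "pair never seen"; the first is
    # often a misconfiguration, the second is the more interesting signal.
    known_pairs = {(s, d) for (s, d, _, _) in baseline["edges"]}
    if (src, dst) in known_pairs:
        return ("anomaly", f"{src} -> {dst} on unexpected port {port}/{proto}")
    return ("anomaly", f"{src} -> {dst}: no such edge in baseline")


def find_anomalies(baseline, records):
    """Return [(record, reason)] for every runtime record that violates the model."""
    anomalies = []
    for record in records:
        verdict, reason = classify(baseline, record)
        if verdict == "anomaly":
            anomalies.append((record, reason))
    return anomalies


if __name__ == "__main__":
    model = build_baseline(LEARNING_WINDOW)
    for record, reason in find_anomalies(model, RUNTIME_WINDOW):
        print("ANOMALY", record, "-", reason)
```

The model is deliberately a plain allow-set of edges; the point is that once the baseline exists, enforcement is a lookup rather than a hand-maintained rule, and the reason string tells an analyst which of the two deviation types they are looking at.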
“One of the more important, but less obvious, changes is the general shift in responsibility for finding — but more so for correcting — security vulnerabilities upstream left in the development lifecycle,” Morello said.
Morello, who helped author the U.S. National Institute of Standards and Technology’s Application Container Security Guide, says it’s still possible to follow the same security patterns as before — with developers passing a build off to operations to scan and produce a bug report. But containers provide an opportunity to deploy and manage applications more efficiently and securely.
“A security team can actually have quality gates in the [dev] process to say if this build contains a critical vulnerability, fail the build and force the developer to fix it right then and there before it ever leaves the dev environment,” he said.
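The quality gate Morello describes is, in practice, a small step in the build pipeline that reads the scanner's findings and fails the build when a finding meets the policy threshold. The following is an added example of such a gate, not code from the podcast, Twistlock or any particular scanner: the JSON report shape, the finding identifiers and the allowlist are constructed for illustration, and the gate fails closed on findings whose severity it cannot rank.

```python
"""Build-time vulnerability quality gate (added example, constructed report format)."""
import json
import sys

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan output; real scanners each emit their own schema.
SAMPLE_REPORT = json.dumps({
    "image": "example-registry/web:build-123",
    "findings": [
        {"id": "VULN-EXAMPLE-1", "package": "libexample", "severity": "critical", "fixed_in": "1.2.4"},
        {"id": "VULN-EXAMPLE-2", "package": "toolfoo", "severity": "medium", "fixed_in": None},
        {"id": "VULN-EXAMPLE-3", "package": "libbar", "severity": "high", "fixed_in": "0.9.1"},
        {"id": "VULN-EXAMPLE-4", "package": "libbaz", "severity": "unknown", "fixed_in": None},
    ],
})


def load_findings(report_json):
    """Parse the scanner report and return its list of findings."""
    return json.loads(report_json)["findings"]


def evaluate_gate(findings, fail_at="critical", allowlist=()):
    """Return {'passed': bool, 'blocking': [...]} for the given policy.

    A finding blocks the build when its severity is at or above `fail_at`,
    unless its id has been explicitly accepted in `allowlist`. Severities the
    policy does not recognise are treated as blocking (fail closed) rather
    than silently ignored.
    """
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = []
    for finding in findings:
        if finding["id"] in allowlist:
            continue
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= threshold:
            blocking.append(finding)
    return {"passed": not blocking, "blocking": blocking}


def run_gate(report_json, fail_at="critical", allowlist=()):
    """Return the process exit code a CI runner should use: 0 to pass, 1 to fail."""
    result = evaluate_gate(load_findings(report_json), fail_at, allowlist)
    for finding in result["blocking"]:
        fix = finding.get("fixed_in") or "no fix available"
        print(f"BLOCKING {finding['id']} {finding['package']} "
              f"severity={finding['severity']} fixed_in={fix}")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    # In CI the report would come from the scanner step; here we use the sample.
    sys.exit(run_gate(SAMPLE_REPORT, fail_at="critical"))
```

Printing `fixed_in` alongside each blocking finding is what lets the developer act "right then and there": the gate tells them not only that the build failed but which package version clears it. The allowlist exists so that accepted risk is recorded as an explicit policy decision rather than by lowering the threshold for everyone.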
In The New Stack Makers podcast, learn how security considerations change with a microservices architecture, the new patterns and practices teams are following to secure containerized microservices, and how advanced tooling can help automate and streamline security for cloud-native applications.
In this Edition:
3:16: Container security and what best practices are in a microservices context
11:08: Getting to the heart of understanding monitoring
15:35: Distinguishing between best practices and security benchmarks when working with containers
22:20: The differences in microservices architectures and how they serve as the foundation for organizational security change
28:07: Infrastructure as a feedback loop
32:38: The evolution of DevOps over the next six months
Twistlock is a sponsor of The New Stack.