Microservices Rising, Legacy Security Falling Short
August 15, 2016

Amir Sharif
Aporeto

The software industry has accelerated its shift towards microservices and has fully embraced distributed, cloud native apps. Because existing application security models were designed for a different era, they are woefully inadequate, exposing both consumers and companies. By (mis)matching where software is going with what application security has been, and as evidenced by several recent high-profile leaks, we are all at risk.

Finding their roots in the 90s, “microservices are a more concrete and modern interpretation of service-oriented architectures used to build distributed software systems.” The 90s marked the dawn of the distributed application era as it exists today. Precisely and not surprisingly, it was also the time that defined data center security with the ubiquitous use of firewalls, ACLs, NAT, etc.

Given distributed applications’ history and coexistence with erstwhile proven security methods, the central question is what has changed to render these applications less secure? The answer is feature velocity, application scalability, and shifting topology.

Microservices and DevOps have enabled companies to be faster and more agile, delivering more features in less time. One of the “features” of cloud-native applications is scalability. Take the latest app craze, Pokemon Go, and notice its download patterns from a single mirror site.


There was a 6X download demand increase from May to June and a commensurate drop in July. As the game grew (and apparently shrank) in a short time, it put tremendous stress on the underlying infrastructure because of its constantly changing topology.


Before the cloud and the elasticity of its underlying infrastructure, and before microservices and the current-day distributed applications, change was infrequent, planned for, and required proactive provisioning. Accordingly, resource usage – or rather "reservations" – were predictable and resembled a step function (see “Your Father’s Oldsmobile” in the chart above). In contrast, distributed apps like Pokemon Go have unpredictable user demand curves and seem more like a random function. As the elastic infrastructure responds to the distributed application’s need for scale by provisioning more computation, storage, and network resources, the application topology changes. These rapid changes are disproportionately (quadratically) difficult to respond to when network communications are central to application security, making this precisely a mismatch between distributed application needs and existing security methods.

Existing security methods were designed when Your Father’s Oldsmobile was in vogue and change was more predictable and less frequent. Change request submissions tickets were issued to someone, approved manually, and rolled into production slowly. A bevvy of automation tools and startups are attempting to solve this problem through automation and machine learning; however, there are real technological and operational limitations that inhibit scaling. In the process, the application and, by extension, the user is left exposed to real security vulnerabilities.

Distributed applications require distributed security and a departure from the old-fashioned world of perimeter-based or network-enforced design models.

Amir Sharif is Co-Founder of Aporeto.

Share this

Industry News

October 06, 2022

Platform.sh announced it has partnered with MongoDB.

October 06, 2022

Veracode announced the enhancement of its Continuous Software Security Platform to include container security.

This early access program for Veracode Container Security is now underway for existing customers.

The new Veracode Container Security offering, designed to meet the needs of cloud-native software engineering teams, addresses vulnerability scanning, secure configuration, and secrets management requirements for container images.

October 06, 2022

Mirantis announced that Mirantis Container Runtime – latest generation of the Docker Enterprise Engine, the secure container runtime that forms the foundation of Mirantis Container Cloud and Mirantis Kubernetes Engine and is used at the heart of many other Kubernetes deployments – is now available in the Microsoft Azure Marketplace.

October 05, 2022

Perforce Software announced enhanced support for automated testing with the release of Helix ALM 2022.2.

October 05, 2022

Parasoft announced the latest releases of its API and microservices testing tools, including SOAtest, Virtualize, CTP, and Selenic.

October 05, 2022

Vaadin announced the release of four Acceleration Kits designed to make it faster and easier to build and modernize Java applications for enterprise use.

October 04, 2022

Pegasystems announced the latest release of Robot Studio, the robotic process automation (RPA) low-code authoring environment for Pega's intelligent automation platform.

October 04, 2022

EvolveWare announced the Agile Business Rules Extraction (Agile BRE) solution on its Intellisys platform.

October 04, 2022

Mabl announced new features that empower quality professionals to easily validate APIs as part of their integrated end-to-end tests.

October 03, 2022

Spectro Cloud announced a major new release of its Palette Edge platform.

October 03, 2022

Arcion announced agentless change data capture (CDC) for all of its supported databases and applications.

September 29, 2022

CloudBees announced the acquisition of ReleaseIQ to expand the company’s DevSecOps capabilities, empowering customers with a low-code, end-to-end release orchestration and visibility solution.

September 29, 2022

SmartBear continues expanding its commitment to the Atlassian Marketplace, adding Bugsnag for Jira and SwaggerHub Integration for Confluence.

Bugsnag developers monitoring application stability and documenting in Jira no longer need to interrupt their workflow to access the app. Developers working in SwaggerHub can use the macro to push API definitions and changes directly to other teams and business stakeholders that work within Confluence. By increasing the presence of SmartBear tools on the Atlassian Marketplace, the company continues meeting developers where they are.

September 29, 2022

Ox Security exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft's venture fund, with participation from Rain Capital.

September 29, 2022

cnvrg.io announced that the new Intel Developer Cloud is now available via the cnvrg.io Metacloud platform, providing a fully integrated software and hardware solution.