June 6, 2023

Last Updated on January 14, 2024

Security and Development Must Work Closely to Secure Microservices

What’s the magic formula for securing microservices? It starts with security teams working very closely with development teams to create controls that don’t impact application performance, scalability, or time to value.

“These [microservice] architectures are now very dynamic and fast-moving,” says Laura Bell Main, CEO at SafeStack. “How long does it take for messages to get through my network? What’s the performance and scaling of that? How many requests per second can I handle? Those are all very pertinent questions to a development team right now—especially if they’re decomposing into services.”

So, if you’re proposing putting a security control in place, be mindful that this new operating space has different rules from traditional monolithic application environments.

Looking closely at cost/benefit

Security teams evaluating tools and approaches need to hear from developers about the impact of each proposed security control, including which before/after metrics to measure. A source code analysis tool, or a logging and monitoring tool, might be useful for security. But if it slows down or interrupts the connections between services, or impedes performance and scalability, it's not likely to fly.
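A concrete way to get those before/after numbers, as an added example that is not from the article or from SafeStack: the proposed control is an HMAC check on messages between two services, the handler and the shared key are hypothetical stand-ins, and the request bodies are constructed for the demo. Security and development agree on a latency budget up front, then the same harness measures the handler with and without the control.

```python
"""Before/after latency budget for a candidate security control.

Added example (not from the original article). The order handler, the
shared key and the request bodies are all constructed for the demo; the
control being costed is an HMAC signature check on inter-service messages.
"""
import hashlib
import hmac
import json
import math
import time

SHARED_KEY = b"demo-shared-secret"  # hypothetical key, constructed for the example


def handle_order(body: bytes) -> dict:
    """Hypothetical downstream service: parse an order and total it (the 'before')."""
    order = json.loads(body)
    total = sum(item["qty"] * item["price"] for item in order["items"])
    return {"order_id": order["id"], "total": round(total, 2)}


def sign(body: bytes) -> str:
    """Signature the calling service attaches to each message."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def handle_order_with_control(body: bytes, signature: str) -> dict:
    """The proposed control (the 'after'): reject forged or unsigned messages
    before doing any work. compare_digest avoids a timing side channel."""
    if not hmac.compare_digest(sign(body), signature):
        raise PermissionError("bad message signature")
    return handle_order(body)


def percentile(samples, p):
    """Nearest-rank percentile of a list of numbers; p in (0, 100]."""
    ordered = sorted(samples)
    k = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[k - 1]


def measure(fn, inputs, rounds=5):
    """Call fn(*args) for every args in inputs, `rounds` times over, and return
    per-call latency in microseconds plus achieved calls per second."""
    samples = []
    for _ in range(rounds):
        for args in inputs:
            start = time.perf_counter()
            fn(*args)
            samples.append((time.perf_counter() - start) * 1e6)
    return {
        "p50": percentile(samples, 50),
        "p99": percentile(samples, 99),
        "calls_per_s": len(samples) / (sum(samples) / 1e6),
    }


def overhead(before, after):
    """Relative change per metric. For p50/p99 a positive value means the control
    added latency; for calls_per_s a negative value means lost throughput."""
    return {k: (after[k] - before[k]) / before[k] for k in before}


def within_budget(before, after, max_p99_increase=0.20):
    """The agreement the two teams make up front: the control may raise p99
    latency by at most max_p99_increase (20% by default)."""
    return overhead(before, after)["p99"] <= max_p99_increase


if __name__ == "__main__":
    # Constructed request bodies; a real run would replay captured traffic.
    bodies = [
        json.dumps({"id": f"A{i}", "items": [{"qty": i, "price": 9.99}]}).encode()
        for i in range(1, 51)
    ]
    before = measure(handle_order, [(b,) for b in bodies])
    after = measure(handle_order_with_control, [(b, sign(b)) for b in bodies])
    print("before:", before)
    print("after: ", after)
    print("overhead:", overhead(before, after))
    print("within 20% p99 budget:", within_budget(before, after))
```

The numbers only mean something when the inputs mirror real traffic and the harness runs on the same hardware both times; the point of the script is that the budget is written down before the control is proposed, so the discussion is about a measured p99 delta rather than a feeling that "security slows things down".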

Laura advises: “For every [security] change you want to make, be clear on what am I trying to achieve with this? What’s the outcome? What’s the benefit for security? And then try to understand what the impacts would be in the Dev world and find that middle ground.”

It's already difficult to secure software applications that change rapidly, whatever their architecture. If security and development don't come together to plan security controls, it's only going to get harder as the software development lifecycle (SDLC) accelerates.

Becoming bilingual

One of the challenges organizations face with application security is that developers and security teams lack a common language for talking about problems and solutions. Understanding terms like microservice architecture, API gateway and service mesh is a positive step for security practitioners.

But as new programming frameworks and tools continue to evolve at light speed, asking good questions could be even more valuable for security teams than trying to keep up with what’s new. Dev and Sec working together has to happen if application security is going to happen in the age of DevOps.

What’s next?

For more guidance on this topic, listen to Episode 119 of The Virtual CISO Podcast with guest Laura Bell Main, CEO at SafeStack.
