As open source becomes ever-more central to enterprise IT operations, open source projects need to figure out a way to handle security vulnerabilities.
The New Stack Update

ISSUE 204: Still A Long Way to Go in Open Source Security

Talk Talk Talk

“Even though we want developers to mostly stay away from handling Kubernetes directly, they still need to have an innate understanding of what they’re running on.”

Pratik Wadher, vice president of product development at Intuit.
Add It Up
Ingress Control and API Gateways Outpace Service Meshes as Services that Control Traffic

Network management services for modern architectures, such as service mesh and the API gateway, are increasingly on IT professionals’ roadmaps, especially within public cloud environments. Notably, 37% of IT professionals expect to start using service meshes in the public cloud in the next year, but actual adoption rates may be significantly lower if the technology’s hype bubble bursts. Those are two of our takeaways from F5 Networks’ “2020 State of Application Services,” which is based on a survey of over 2,500 IT professionals, 34% of which are in a networking-related role.

According to the survey, 51% are currently using ingress control services in a public cloud, with 41% using API gateways and 19% using service meshes. Those figures are significantly lower for on-premises environments. However, more traditional services, such as SSL VPN and common security services (e.g., firewall, antivirus), are more likely to be used in on-premises environments. For example, 81% use SSL VPN on-premises as compared to 67% in the public cloud. It’s a different pattern. Although we don’t have access to specific data, newer categories of app services are less likely to be needed on-premises because workloads running on-premises are less likely to have been refactored to take advantage of cloud native architecture.

Tell Us About Your Service Mesh Usage

The New Stack has published over 65 service mesh articles and podcasts since 2017. In preparation for the next 65, we created a three-question poll that needs your input. Take this three-question survey by clicking on the following button.

What's Happening

No matter what you call the role — developer community manager, developer evangelist, developer advocate, developer relations, or, cheekily, developer avocado — it’s got two things in common: It’s one of the most expensive, travel-heavy roles in a tech org and it’s one of the hardest to measure. That combination means metrics often make or break your job.

But first, what is this role? That’s a good question to which there are many, many answers. In this episode of The New Stack Makers podcast, Camunda’s Director of Developer Relations Mary Thengvall talked about her definition. And she should know, she wrote the book on the business case for developer relations (“DevRel” for short).

Mary Thengvall - The Value of Developer Relations

Still A Long Way to Go in Open Source Security

A year ago, Aspen Mesh engineering lead and architect Neeraj Poddar lobbied the open source community around Istio to develop an early disclosure process for dealing with freshly-unearthed security bugs. They agreed it was a good idea, so now, any time a major vulnerability is found, vendors participating in the Istio development process are given two weeks’ notice before the fix is issued publicly, so they can prepare their own releases for an update as soon as the news goes public.

And that initiative is paying off. As it turned out, Aspen Mesh itself found a severe security hole in the service mesh software about a month ago. The process worked as planned. Poddar submitted a fix, which was examined by the Istio community, who agreed it was indeed a serious problem.

Overall, it took about two weeks to get Istio major stakeholders to sign off on Aspen Mesh’s fix before it could be submitted as a pull request, whereupon the two-week early disclosure period kicked in. While the system is effective, it would be nice to shorten the time from discovery to disclosure down to two weeks or less, Poddar suggested. He admitted this is a challenge with so many major stakeholders, which in Istio’s case includes Google, IBM/Red Hat, VMware and many others.

As open source becomes ever-more central to enterprise IT operations, open source projects need to figure out a way to handle security vulnerabilities that keeps vendor clients safe while also keeping the contributors in the loop.

This does not always work so smoothly. In a technical session at the last KubeCon + CloudNativeCon in San Diego, Weaveworks’ Bryan Boreham described a tricky situation he, as a core contributor to the Container Network Interface (CNI), got into when a vulnerability was found in CNI. The Kubernetes security team has a similar early disclosure process in place, so he had gotten word of the vulnerability, which was easily fixable. But the CNI team was hampered from developing a fix because all work on CNI is typically done through a public GitHub repository: working on a fix there would have meant breaking the embargo. The delays had angered the Tribal Elders of Kubernetes security, from Boreham’s description.

The Cloud Native Computing Foundation, which provides support to projects like Kubernetes and CNI, might need to think about a way to extend support for managing sensitive vulnerabilities, a solution that might include private repositories and greater communication across projects. It’s a challenge that awaits the entire open source community.

How Microsoft’s Dapr Simplifies Developing and Deploying Microservices

Late last year, Microsoft announced a new approach to developing modern applications based on Distributed Application Runtime (Dapr), which is a platform and language agnostic runtime for microservices and cloud native applications. This post is the first part in a series exploring how this technology works, and how it could ease the task of scaling distributed applications.

Why Even Bother to Move to the Cloud, Anyway?

There has been an explosion in articles, blog posts and related content about different technologies that support the move to the cloud. However, most assume the organization is in the process of or has already made the shift. So, in fact, the issue for many organizations is why they should invest in such a major and often disruptive project to begin with. In this post, Humio’s John Porcaro describes the reasons why your organization should even mull over making the shift. There are many good reasons to make the move to the cloud. Among these are scaling efficiently for growth; reducing the need to manage and support the IT infrastructure; and boosting speed to market.

eBay Tweaks Mobile and Web Platforms for Faster Performance

A lot of little tweaks can yield big improvements. That’s the major takeaway from eBay’s year-long initiative to improve the site’s performance across all platforms — iOS, Android and the web. eBay’s online presence was already performant, but it was not improving. In the world of the web, this meant the e-commerce giant was falling behind. So it implemented a lot of small improvements to help: reducing payload, native app parsing improvements, path optimization for services to get above-the-fold content loaded quickly, image optimizations, and predictive prefetch of static assets. With these changes, the company found a 10% improvement on the web and 28% on Android from the efforts.

Party On

Congratulations to Antonio Granjo, the winner of our 2020 reader survey sweepstakes drawing. Antonio works as an enterprise architect at Profile Software Services, a technology consultancy in Madrid (Spain). He focuses on helping dev teams in large companies adopt DevOps practices with the help of container platforms like Kubernetes and OpenShift, and public clouds like AWS and Azure, along with any useful tool he can find. He has worked in the past developing software for companies in almost every sector with languages like Java, .NET, PHP, JavaScript, Go or even Visual Basic 6. He enjoys spending time with his lovely wife and son and practicing sports like CrossFit and golf.
Thanks again to everyone who took The New Stack's reader survey last year!

On The Road
KubeCon + CloudNativeCon Europe 2020 // APRIL 1, 2020 // AMSTERDAM, THE NETHERLANDS @ RAI AMSTERDAM

Cloud native security is now everyone’s responsibility. Come learn the importance of DevOps with security in mind at our pancake breakfast at KubeCon + CloudNativeCon in Amsterdam for a discussion about all things DevSecOps. You’ll learn a lot while eating pancakes, too. Thanks to Palo Alto Networks for sponsoring. Come join us for a short stack with The New Stack, pancakes await! 15% off with code KCEU20TNS15 for the first 50 people. Register now!


Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Copyright © 2020 The New Stack, All rights reserved.