Volume 21 of the Thoughtworks Technology Radar is out. As expected, it holds many interesting learnings from the industry. In fact, I now dare to say: how did we get by in tech without this paper?

You can download the full paper from the Thoughtworks website.

Here I have selected a few topics, with the original quotes from Thoughtworks, that I think apply to my areas of interest: Kubernetes, containers, DevOps and IaC. Let's take a look.

Techniques

  • Container security scanning - ADOPT: “We prefer using automated scanning tools that run as part of the deployment pipeline.”

  • Pipelines for infrastructure as code - ADOPT: “The use of pipelines for infrastructure as code lets you find errors before changes are applied to operational environments — including environments used for development and testing.”

  • Security policy as code - TRIAL: “The complexity of the technology landscape today demands treating security policy as code: define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance.”

  • Sidecars for endpoint security - TRIAL: “Sidecars for endpoint security minimize the trusted footprint to a local endpoint rather than the network perimeter.”
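The first and third techniques above fit together naturally: the scanner runs in the pipeline, and the decision about what the scan result means is written down as a versioned policy rather than as a human glance at a report. The script below is an added example of such a gate, not code from Thoughtworks or from the Trivy project (listed under Tools below). It assumes the JSON report shape that `trivy image -f json` produces (a top-level "Results" list, each entry with a "Target" and a "Vulnerabilities" list that is null when the image is clean); the policy format, the file name `scan_gate.py`, the CVE-0000-* identifiers and the whole sample report are constructed for illustration.

```python
"""Policy-as-code gate over a container image scan, for a deployment pipeline.

Added example; this is not Thoughtworks' or Trivy's code.  It assumes the
JSON report layout produced by `trivy image -f json <image>`: a top-level
"Results" list whose entries have a "Target" and a "Vulnerabilities" list
(null when clean) with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion and Severity fields.  Intended pipeline usage:

    trivy image -f json -o report.json registry.example/app:1.0
    python scan_gate.py report.json    # non-zero exit fails the build

Run without arguments it gates the constructed SAMPLE_REPORT below.
"""
import json
import sys
from datetime import date

# The policy lives in version control next to the pipeline definition and is
# reviewed like any other change.  Its field names are this example's own.
POLICY = {
    "block_severities": {"CRITICAL", "HIGH"},
    # Block only on findings the team can act on today: a fixed version exists.
    "require_fix_available": True,
    # Reviewed exceptions; each carries an expiry so it cannot quietly rot.
    "exceptions": {
        "CVE-0000-0002": {"expires": "2099-12-31", "reason": "code path not reachable, tracked"},
        "CVE-0000-0005": {"expires": "2020-01-01", "reason": "expired exception, must block again"},
    },
}

# Constructed sample in Trivy's JSON shape; the CVE-0000-* IDs are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "registry.example/app:1.0 (alpine 3.10)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1c-r0", "FixedVersion": "1.1.1d-r0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcurl",
                 "InstalledVersion": "7.65.1-r0", "FixedVersion": "7.66.0-r0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "musl",
                 "InstalledVersion": "1.1.22-r3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib",
                 "InstalledVersion": "1.2.11-r1", "FixedVersion": "1.2.11-r2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "busybox",
                 "InstalledVersion": "1.30.1-r2", "FixedVersion": "1.30.1-r3", "Severity": "HIGH"},
            ],
        }
    ]
}


def blocking_findings(report, policy, today=None):
    """Return the findings that violate the policy as of `today` (ISO date string)."""
    today = date.fromisoformat(today) if today else date.today()
    blocked = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # Trivy emits null when clean
            if vuln.get("Severity", "UNKNOWN") not in policy["block_severities"]:
                continue
            if policy["require_fix_available"] and not vuln.get("FixedVersion"):
                continue
            exc = policy["exceptions"].get(vuln["VulnerabilityID"])
            if exc and date.fromisoformat(exc["expires"]) >= today:
                continue   # exception still valid, do not block
            blocked.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", "?"),
                "package": f'{vuln.get("PkgName")} {vuln.get("InstalledVersion")}',
                "fixed_in": vuln.get("FixedVersion"),
                "severity": vuln["Severity"],
                "expired_exception": bool(exc),
            })
    return blocked


def gate(report, policy, today=None):
    """Print the verdict and return the process exit code (0 = pass, 1 = block)."""
    findings = blocking_findings(report, policy, today)
    for f in findings:
        note = " (exception expired)" if f["expired_exception"] else ""
        print(f'BLOCK {f["severity"]} {f["id"]} in {f["package"]} -> fix {f["fixed_in"]} [{f["target"]}]{note}')
    print("scan gate:", "FAIL" if findings else "PASS", f"({len(findings)} blocking findings)")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report, POLICY))
```

On the sample report the gate blocks on two findings: the unexcepted CRITICAL and the HIGH whose exception has expired. The HIGH with no fixed version and the MEDIUM pass, and the CRITICAL with a live exception passes. The design choices are the ones that keep such a gate tolerable in practice: it fails only on actionable findings, and every exception is explicit, reviewed with the code and time-boxed, so the pipeline rather than a person enforces that exceptions are revisited.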

Platforms

  • Fission - ASSESS: “Fission lets developers focus on writing short-lived functions and map them to HTTP requests while the framework handles the rest of the plumbing and automation of Kubernetes resources behind the scenes.”

  • Kuma - ASSESS: “Kuma is a platform-agnostic service mesh for Kubernetes, VMs and bare metal environments.”

  • Rootless containers - ASSESS: “Ideally, containers should be managed and run by the respective container runtime without root privileges. […] Docker 19.03 introduces rootless containers as an experimental feature.”

  • Teleport - ASSESS: “Teleport is a security gateway for remotely accessing cloud native infrastructures.”

Tools

  • Trivy - TRIAL: “Build pipelines that create and deploy containers should include container security scanning.”

  • Twistlock - TRIAL: “Twistlock is a commercial product with build-time and run-time security vulnerability detection and prevention capabilities.”

  • Docker Notary - ASSESS: “Docker Notary is an OSS tool that enables signing of assets such as images, files and containers. This means that the provenance of assets can be asserted which is super useful in regulated environments and better practice everywhere.”

  • Falco - ASSESS: “Falco leverages Sysdig’s Linux kernel instrumentation and system call profiling and lets us gain deep insights into system behavior and helps us detect abnormal activities in applications, containers, underlying host or Kubernetes orchestrator itself.”

  • Kubeflow - ASSESS: “[…] it provides a way to encode and version machine-learning workflows so that they can be more easily ported from one execution environment to another.”

  • Skaffold - ASSESS: “Google brings us Skaffold, an open-source tool to automate local development workflows, including deployment on Kubernetes.”