Research Topic

Application Containers and Microservices

Application containers and microservices architecture, as defined in NIST SP 800-180, are being used to design, develop, and deploy applications leveraging agile software development approaches such as DevOps. The security of application components needs to be considered throughout the Software Development Life Cycle. Organizations are increasingly adopting containers and microservices. This increase in popularity can be attributed to the ease with which they move through a lifecycle, allowing for efficient restart, scale-up, or scale-out of applications across clouds. However, these unique characteristics also mean there are distinct security ramifications that must be considered.

What are microservices? 
The next evolution of the application architecture is the “service-oriented architecture” (SOA). In SOA, the entire gamut of solutions (e.g. supporting a business process) is broken up into multiple parts or components called services. The design of a microservices architecture is intended to address the limitations of SOA by enabling the individual microservices to communicate with each other using lightweight protocols such as Representational State Transfer (REST). Furthermore, the individual microservices can be developed in platforms best suited for them, allowing for heterogeneity in addition to independent scalability and deployment due to loose coupling between individual microservices. 

What are the security risks associated with microservices?
This new approach presents new security challenges, such as an increased attack surface due to the larger number of components, and the need for secure service discovery because service instances are dynamic and change location.

Who should read the research produced by this group?
This group assumes that readers have some operating system, networking, and security expertise, as well as expertise with application containers, microservices, and agile application development approaches such as DevOps.

Please note that this project is a subgroup of the DevSecOps working group. To participate you can join our DevSecOps community and let the leaders know you are interested in this particular area of DevSecOps.

Securing Application Containers and Microservices

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Microservices Architecture Pattern

This document proposes a repeatable approach to architecting, developing, and deploying microservices as a “MAP” (Microservices Architecture Pattern). The proposed MAP contains all the information necessary for a microservice to operate independently and communicate with other microservices which, in aggregate, become capabilities which, in turn, become the components of an application. This paper describes the key elements of the MAP, how they should be designed and deployed, and how to shift security and compliance left via a continuous compliance-as-code approach.

Best Practices for Implementing a Secure Application Container Architecture

Learn CSA’s recommendations and best practices to address the challenges in securing application containers in the engineering of trustworthy secure systems. This document is intended to be a companion document to Challenges in Securing Application Containers and Microservices as it provides recommendations and best practices to address those challenges. Recommendations were developed through extensive collaboration among a diverse group with strong knowledge and practical experience in information security, operations, application containers, and microservices.

Best Practices in Implementing a Secure Microservices Architecture

Learn best practices for securing microservices in the engineering of trustworthy secure systems. This paper provides the background for the evolution of the microservices architecture, its advantages compared with previous architectures, and the new challenges posed in terms of configuration and security. It also describes the benefits of microservices architecture and provides specific use cases where it enjoys advantages over “service-oriented architecture” (SOA). The security and configuration challenges identified for microservices architecture form the basis for the issues addressed in the rest of this document.

Webinars

Reducing the Attack Surface in the Cloud

October 14 | Online

Impact of Digital Transformation on Security Strategy

October 28 | Online

Security-as-Code: What's Real and What's Possible with Self-Service and Developer Speed Governance

October 26 | TBD

Key Considerations to Get Buy-in for a SaaS Data Security Program

November 3 | Online

Blog Posts

Elevating Application Security Beyond “AppSec in a Box”
Five Levels of Vulnerability Prioritization: From Basic to Advanced
Bridging the Gap: How to Ensure Seamless Collaboration Between Security & Development Teams