Managing Security Issues with Microservices
Patch. Test. Ship. Repeat.

I've been doing computer-related things since I was a kid on my dad's Franklin ACE 1000 and his Tandy.
I've built PCs, repaired servers, wired networks by hand, administered servers and built numerous applications.
I've coded in Perl, PHP, Java, VB, C#, VB.NET, JS and probably a few others.
I'm a jack-of-all-trades technologist. I transitioned into leadership several years ago from a senior .NET developer. I'm currently a Delivery Manager and I lead an agile software development team.
In my new role, I'm managing a platform of microservices. This is the first time that I've worked with "real" microservices. By coincidence, the organization started logging software vulnerabilities and container vulnerabilities to ServiceNow, and it is expected that these issues are remediated in all environments.
This is great on paper, but the number of tickets is daunting. If I had a monolith, say one dev server, one test server, two staging servers, and two production servers, I'd get tickets in orders of six. With this container / microservice architecture, I'm getting thousands of vulnerability tickets. Now, technically, when I patch my code and containers, I'll also close hundreds or thousands of tickets, so it cuts both ways.
The limitation for my team right now is testing. The organization is risk-averse and we have a regimented change process. I can't just update containers & Java libraries and deploy directly to PROD. Managing all these tickets is putting extra pressure on the team and is distracting.
The solution we're working on is exciting! For the container vulnerabilities, we're working with AI tooling to extract a report from ServiceNow, isolate the services, subtract the ones that have work in-flight by checking our git host, and then create the necessary pipelines. The heavy lift is automating the testing. The last hard part will be creating the change tickets. We create change tickets per service, so it can be daunting for the team to create all those. We're going to try a Copilot / ServiceNow connector and see if we can automate that process, too.
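The triage step described above (export the tickets, group them by service, set aside services with work already in flight) can be sketched as follows. This is an added example, not the author's tooling: the CSV columns, ticket numbers, service names and the in-flight set are constructed assumptions that a real run would fill from the ticket export and the git host.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and ticket numbers are assumptions,
# not a real ServiceNow schema; findings are placeholders, not real CVE ids.
SAMPLE_EXPORT = """\
ticket,service,environment,finding
VUL001,orders-api,dev,FINDING-A
VUL002,orders-api,test,FINDING-A
VUL003,orders-api,prod,FINDING-A
VUL004,orders-api,dev,FINDING-B
VUL005,orders-api,test,FINDING-B
VUL006,orders-api,prod,FINDING-B
VUL007,billing-api,dev,FINDING-A
VUL008,billing-api,prod,FINDING-A
VUL009,search-api,dev,FINDING-C
VUL010,search-api,test,FINDING-C
VUL011,search-api,prod,FINDING-C
"""

# Constructed: services that already have remediation work open on the git host.
IN_FLIGHT = {"billing-api"}


def plan_remediation(export_csv, in_flight):
    """Collapse per-environment tickets into one work unit per service."""
    units = defaultdict(lambda: {"findings": set(), "envs": set(), "tickets": []})
    skipped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        service = row["service"].strip()
        if service in in_flight:
            # Someone is already patching this service; do not queue it twice.
            skipped[service].append(row["ticket"])
            continue
        unit = units[service]
        unit["findings"].add(row["finding"])
        unit["envs"].add(row["environment"])
        unit["tickets"].append(row["ticket"])
    # Services whose single patch closes the most tickets come first.
    queue = sorted(units.items(), key=lambda kv: (-len(kv[1]["tickets"]), kv[0]))
    return queue, dict(skipped)


if __name__ == "__main__":
    queue, skipped = plan_remediation(SAMPLE_EXPORT, IN_FLIGHT)
    for service, unit in queue:
        print(f"{service}: 1 pipeline run closes {len(unit['tickets'])} tickets "
              f"({len(unit['findings'])} findings, {len(unit['envs'])} environments)")
    for service, tickets in skipped.items():
        print(f"{service}: in flight, {len(tickets)} tickets left alone")
```

The ticket list kept per work unit is also what a per-service change ticket would need to reference.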
More to come soon!
This post was proofread by an AI tool, but was written by a human, for humans. Enjoy!



