Software Architecture and System Design News
Latest curated articles from top engineering blogs
Shopify
AWS176 articles
Designing a Stateless JWT Authentication Microservice with Redis Sentinel
This article details the architecture of a stateless JWT authentication microservice built with Spring Boot 3, focusing on high availability and performance. It emphasizes a cache-first approach using Redis to reduce database load and integrates Redis Sentinel for robust failover capabilities, ensuring the authentication service remains highly available in a microservice ecosystem.
Stripe Radar's AI-Powered Fraud Prevention System Enhancements
Stripe Radar has significantly expanded its AI-powered fraud prevention capabilities, moving beyond traditional credit card fraud to address new vectors like multi-account abuse, pay-as-you-go fraud, and malicious bots across various payment methods and processors. The system leverages global network data, custom models, and real-time evaluation to provide comprehensive risk assessment and dispute management. These enhancements highlight the evolving complexity of fraud detection in distributed payment systems.
Designing AI Write-Back: Boundaries for Safe Integration into Internal Systems
This article discusses critical system design considerations for integrating AI write-back capabilities into internal systems. It emphasizes defining clear boundaries for AI's ability to modify data, particularly distinguishing between read-only assistance, human-confirmed suggestions, and direct write-back, to mitigate risks related to accountability, data integrity, and operational trust.
Application-Level Envelope Encryption for SOC 2 Compliance
This article details an architectural strategy for implementing application-level envelope encryption to achieve robust data security and SOC 2 compliance, moving beyond basic RBAC and database encryption. It outlines a hybrid cryptographic solution using AES for content and RSA for key wrapping, and presents the data modeling and service contracts necessary for a Symfony application. The focus is on cryptographic isolation at the record level and secure handling of encryption keys.
AWS API Gateway Authentication Bypass Due to Trailing Slash Misconfiguration
This article highlights a critical security vulnerability found in AWS API Gateway, where a trailing slash in a URL could bypass authentication. While the original content has moved, the finding underscores the importance of stringent API gateway configuration and validation in system design to prevent unauthorized access.
GitLab 19.0: Enhancing DevSecOps with Granular Secrets Management and AI-Driven Workflows
GitLab 19.0 introduces significant advancements in DevSecOps, focusing on reducing the 'AI paradox' through improved automation and security. Key architectural updates include a new Secrets Manager that enforces least privileged access for CI/CD variables and an expanded Developer Flow that leverages AI agents for project-specific workflow automation, enhancing overall software supply chain security and efficiency.
AWS MCP Server: Secure and Governed AI Agent Access to AWS APIs
The AWS Model Context Protocol (MCP) server is now generally available, providing a standardized, secure, and auditable way for AI coding agents to interact with AWS services. It leverages IAM-based access controls, CloudWatch metrics, and CloudTrail logging to enable fine-grained governance over agent activities, addressing critical security concerns when exposing AWS APIs to AI.
Self-Hosted vs. Cloud-Hosted AI Agents: Architectural Trade-offs and Control
This article explores the fundamental architectural divergence between self-hosted (e.g., OpenClaw) and cloud-hosted (e.g., Google Spark) personal AI agents. It highlights the trade-offs between control, privacy, convenience, and structural advantages inherent in each deployment model. The core argument revolves around the 'substrate'—where the agent lives—and its implications for data ownership, credentials, and future terms of service.
Enhancing API Security with Advanced Authentication Detection
This article discusses improving API security by leveraging Datadog's enhanced authentication detection and customizable rules. It focuses on the architectural benefits of fine-grained control over authentication anomaly detection and the ability to distinguish legitimate user and bot traffic, thereby reducing false positives and strengthening API protection within a broader observability and security platform.
Securing AI Agents: Guardrail Placement in Self-Orchestrated vs. Managed Solutions
This article explores the architectural decision of where to place security guardrails in AI agent systems, comparing Amazon Bedrock Agents (managed) with self-orchestrated agents using custom solutions like Datadog AI Guard. It highlights the trade-offs between tightly coupled, vendor-managed guardrails and flexible, custom-implemented ones, particularly in mitigating indirect prompt injection.
AWS Architecture Blog·6d agoDesigning Cyber-Resilient Architectures on AWS for Ransomware Recovery
This article outlines an architectural approach for achieving cyber resilience on AWS, specifically focusing on recovery from ransomware and destructive events. It details a multi-account strategy that isolates recovery environments and backups from production, ensuring that compromised credentials or infrastructure do not jeopardize the ability to restore. Key elements include logically air-gapped backup vaults, a robust validation pipeline for restored data, and a framework for selecting safe recovery points.
Cloud-Native Identity for Azure Files SMB: Simplifying Access with Entra-Only Identities
This article discusses the general availability of Entra-Only identities for Azure Files SMB, a significant advancement for cloud-native storage. It enables secure, identity-based access to SMB file shares directly via Microsoft Entra ID, eliminating the need for on-premises Active Directory or hybrid synchronization. This simplifies architecture, reduces operational overhead, and enhances security posture by aligning with Zero-Trust principles for VDI, general-purpose file sharing, and remote workforces.