Software Architecture and System Design News
Latest curated articles from top engineering blogs
Shopify
AWS23 articles
Architectural Implications of AI in Software Engineering
This article explores the evolving role of AI in software development, highlighting its impact on organizational practices, cognitive load, and the changing landscape of software engineering roles and systems. It delves into the architectural considerations for integrating AI agents, emphasizing principles like least privilege and structured agentic engineering patterns to mitigate security risks and improve development workflows.
Architecting Secure AI-Assisted Development: Google Conductor AI's Approach to Code Quality and Compliance
This article discusses Google Conductor AI, an extension for Gemini CLI that aids developers in creating formal specifications and reviews AI-generated code. It highlights the architectural considerations for integrating AI into the development workflow, focusing on maintaining human oversight, ensuring code quality, and mitigating security risks associated with AI-generated code and dependencies. The core philosophy revolves around 'control your code' and building an 'organizational intelligence layer' for AI.
Designing Shared File Storage with Azure Files for Geo-Distributed Offices
This article outlines the architecture and deployment of a highly available and secure shared file storage solution using Azure Files for geographically dispersed corporate offices. It emphasizes balancing performance with security, leveraging Azure's Zone-Redundant Storage (ZRS) for resilience, snapshots for data integrity, and Virtual Networks for zero-trust access control.
Designing Fine-Grained API Authorization with AWS Verified Permissions
This article details how Convera implemented a fine-grained API authorization system using Amazon Verified Permissions for their global cross-border payments platform. It highlights the architecture, policy definition using Cedar language, and integration with AWS services like Cognito and API Gateway to enforce attribute-based and role-based access control for both customer-facing and internal applications, as well as service-to-service communication.
Azure Sovereign Cloud: Designing for Disconnected, Highly Regulated Environments
Microsoft's Sovereign Cloud offers a unique architecture for highly regulated, sensitive, and potentially disconnected environments. It extends Azure's governance and productivity capabilities, including support for large AI models, to on-premises deployments that can operate completely isolated from the public cloud. This approach emphasizes maintaining operational continuity, data sovereignty, and consistent management in challenging connectivity conditions.
Uber's Attribute-Based Access Control (ABAC) System: Charter
Uber developed Charter, a centralized Attribute-Based Access Control (ABAC) system, to manage complex authorization decisions across its thousands of microservices. This system allows for granular control based on dynamic attributes like user location or time of day, addressing the limitations of traditional role-based access control in a large-scale, distributed environment. Charter leverages a policy distribution mechanism and a local evaluation library (authfx) to ensure high performance and consistency.
Integrating Swagger UI with Backend-for-Frontend (BFF) Architectures
This article addresses the architectural challenge of integrating Swagger UI with modern Backend-for-Frontend (BFF) architectures that prioritize security by avoiding tokens in the browser. It introduces a Swagger UI plugin designed to enable native communication with the BFF, respecting HTTP sessions, HttpOnly cookies, and CSRF protection, thus allowing Swagger UI to function as a first-class frontend client without compromising security.
Enhancing WhatsApp Security with Rust for Media Handling
WhatsApp has integrated Rust into its media handling library, "Kaleidoscope," to enhance security against sophisticated malware and memory-related vulnerabilities. This transition from C++ to Rust for a critical, cross-platform component demonstrates a strategic shift towards memory-safe languages for client-side application security at a global scale. The article highlights the architectural decision to build this library in parallel and the challenges involved in its massive rollout across billions of devices.
Securing AI Agent Infrastructure Automation with a Least-Privilege Gateway
This article details the architecture for an AI Agent Gateway designed to enable secure, governed infrastructure automation. It addresses the risks of autonomous agents with broad permissions by introducing a control plane that validates intent, enforces policy as code with OPA, and isolates execution in ephemeral environments. The gateway ensures least privilege, auditability, and containment, treating agents as untrusted requesters.
Implementing Post-Quantum Encryption in SASE and WAN Services
This article discusses Cloudflare's integration of modern post-quantum (PQ) encryption, specifically hybrid ML-KEM, into its Cloudflare One SASE platform. It highlights the architectural considerations and challenges of migrating network traffic to PQ cryptography, emphasizing key agreement and the need for crypto agility in large-scale network infrastructure like IPsec.
System Design Considerations for AI-Driven Systems and Agent Security
This article discusses several key system design and operational considerations for building and integrating AI-driven systems, particularly focusing on security for high-permissioned agents and the critical role of observability in non-deterministic environments. It also touches on the evolving landscape of bespoke software enabled by AI.
Architecting AI Agents for Security Investigations at Slack
This article details Slack's architectural approach to building an AI-powered agent system for streamlining security investigations. It focuses on breaking down complex tasks into chained, single-purpose model invocations with structured outputs, and orchestrating multiple AI personas (Director, Expert, Critic) to enhance control, reduce hallucinations, and improve the consistency of investigation results. The design leverages a 'knowledge pyramid' to optimize model cost and an event-driven service architecture for real-time observation and integration.