
Software Architecture and System Design News

Latest curated articles from top engineering blogs


208 articles

Cloudflare Blog·6h ago

Automating Zero Trust Network Migration and Management with Agent-Powered Tools

The Cloudflare One stack introduces an agent-powered toolkit designed to automate the evaluation, deployment, and management of Zero Trust environments. This system simplifies complex network security migrations by providing structured knowledge, decision trees, and API tools, enabling agents to interpret network diagrams, translate vendor concepts, and apply best practices for various security scenarios.

Security, DevOps & SRE
InfoQ Architecture·18h ago

Access Control for AI Agent Workflows: Uber's Zero Trust Architecture

This article discusses the challenges of implementing robust access control for multi-agent AI workflows, where agents delegate tasks and interact with internal tools. It highlights Uber's internal architecture, which extends its Zero Trust model to propagate agent identity and provenance across these complex workflows, and aligns with Auth0's recommendations for capability-scoped permissions and task-scoped credentials. The core problem addressed is that AI agents don't fit traditional user or service account access models due to their autonomous, multi-step nature.

Security, Distributed Systems
AWS Architecture Blog·18h ago

Architecting Fraud-Resistant Authentication with Network-Powered Identity Verification

This article outlines an architectural approach to enhance user authentication security and experience by integrating Vonage's real-time network-powered identity solutions with Amazon Cognito. It focuses on reducing SMS OTP fraud and user friction through silent authentication and pre-verification intelligence, leveraging direct mobile network operator data. The solution details a composable stack that uses AWS Lambda functions to orchestrate custom authentication flows within Cognito, addressing common attack vectors like SIM swaps and SMS pumping.

Security, API Design
InfoQ Architecture·3d ago

Governing AI in the Cloud: Securing AI Deployments with Discovery, Classification, and Policy-as-Code

This article provides a practical guide for architects on securing AI deployments in the cloud, addressing the challenges posed by "Shadow AI" and unapproved tool usage. It outlines strategies for discovering AI integrations, classifying data at creation, and enforcing policies using IAM and policy-as-code tools like OPA. The focus is on creating a robust governance framework to prevent data leaks and unauthorized AI usage while maintaining developer agility.

Security, AI & ML Infrastructure
Hacker News·5d ago

Encrypted Spaces: An Architecture for Trustworthy Collaborative Applications on Untrusted Servers

Encrypted Spaces proposes an architectural pattern for building collaborative applications where data confidentiality and user control are paramount, even when relying on untrusted cloud servers. It achieves this through careful application of cryptography, including change logs and zero-knowledge proofs, to ensure data is encrypted at rest and in transit, and server operations are cryptographically verifiable. The core idea is to shift trust from the server to cryptographic verification, enabling collaborative features without compromising sensitive user data.

Distributed Systems, Security
Dropbox Tech·6d ago

Dropbox's AI-Powered System for Bridging Design-to-Code Security Gaps

This article details Dropbox's innovative system that uses Model Context Protocol (MCP) and Dash (their internal AI capabilities) to automatically retrieve and evaluate security requirements from threat models during code review. The system aims to close the 'design-to-code gap' by ensuring that security decisions made early in the design phase are actually implemented in the code, addressing a common challenge where security requirements become disconnected from development workflows over time. By leveraging semantic search and foundational models, it compares proposed code changes against documented security designs, identifying discrepancies that traditional methods often miss.

Security, DevOps & SRE
The New Stack·6d ago

Securing the Software Supply Chain: Addressing Greyware in Open-Source Dependencies

This article discusses the emerging threat of "greyware" in open-source packages, a type of software that transparently performs unexpected or malicious actions, differing from traditional malware. It highlights how the rise of AI-driven agentic development exacerbates this problem by increasing the volume of open-source consumption without sufficient human oversight. Chainguard's new scanner offers a solution by analyzing packages pre-ingestion to detect these subtle threats, emphasizing a shift in software supply chain security strategy.

Security, DevOps & SRE
Dev.to #architecture·7d ago

Microkernel Architecture for Durable AI Agents with WASM Sandboxing

This article explores a microkernel architecture pattern for building durable and modular AI agents. It emphasizes a "frozen core" that brokers capabilities to pluggable WebAssembly (WASM) modules, ensuring stability and isolation. The design focuses on explicit capability-based security, fault isolation, and agent permanence through embedded memory.

Microservices, Distributed Systems
Cloudflare Blog·7d ago

Cloudflare's Unified Application Services for Private Origins

Cloudflare is extending its security, performance, and programmability services to private applications, unifying how both public and private origins are protected. This new capability allows organizations to route public traffic to private IP addresses without exposing them to the public internet, eliminating the need for separate operational stacks and complex networking configurations. It leverages existing Cloudflare private network connectivity (like WAN or Mesh) to apply services such as WAF, rate limiting, and caching to internal APIs and services, ensuring consistent security and performance.

Cloud & Infrastructure, Distributed Systems
Dev.to #architecture·8d ago

Platform for Cross-Domain Cloud Security Policy Verification

This article proposes a next-generation platform architecture for cloud security that moves beyond reactive configuration tracking to proactive, specification-driven verification. It addresses the complexity of multi-layered cloud permissions by introducing a three-layer architecture: a collector for resolving effective state, a specification language for defining safety invariants, and a provider-agnostic evaluation engine. The approach aims to bridge the gap between how engineers think about permissions and the underlying first-order logic of cloud configurations.

Security, Cloud & Infrastructure
ByteByteGo·8d ago

Salesforce's Agentic Enterprise Architecture for AI Agents

This article delves into Salesforce's Agentic Enterprise Architecture, a layered framework designed for building and deploying AI agents at scale within enterprise environments. It highlights the architectural components and operational lessons learned from over 20,000 deployments, emphasizing the shift in effort from pre-launch development to post-launch continuous improvement and the critical importance of robust trust and security layers for AI agents.

AI & ML Infrastructure, Distributed Systems
Cloudflare Blog·8d ago

Cloudflare's Defense-in-Depth Architecture Against AI-Accelerated Cyber Attacks

This article details Cloudflare's multi-layered security architecture, built to defend against increasingly sophisticated and rapid cyber attacks powered by frontier AI models. It emphasizes a defense-in-depth strategy, moving beyond traditional signature-based detections to incorporate machine learning, positive security models, Zero Trust principles, and advanced bot management. The architecture highlights how different Cloudflare products are integrated to create a robust security posture, acting as 'customer zero' for its own security offerings.

Security, Distributed Systems