What’s Been Said and Done in Cloud This Week – November 12

This week (November 10), Wiz published a full explainer of the ‘worst you can imagine’ vulnerability it found in Azure Cosmos DB – and it does not make for pretty reading. (‘ChaosDB’ was reported at the time in CloudProfs issue 5.) Wiz discloses a six-step process which enabled the researchers to ‘gain administrative access to some of the magic that powers Azure’, in the company’s words.

The six steps were: 1) set up a Jupyter Notebook container on Azure Cosmos DB; 2) run any C# code to obtain root privileges; 3) remove firewall rules set locally on the container in order to gain unrestricted network access; 4) query WireServer to obtain information about installed extensions, certificates and their corresponding private keys; 5) connect to the local Service Fabric, list all running applications, and obtain the Primary Key to other customers’ databases; 6) access Service Fabric instances of multiple regions over the internet. You can read the full walkthrough here.

Docker has hailed strong performance through the Covid-19 pandemic, with a 15.4 million-strong active developer community and 13.7 million apps shared per month. In what media types call a ‘momentum release’ – in other words, a blog post saying how great we all are – the statistics were nevertheless interesting, showing resilience for a tool and company which had struggled. “In these last two years since our refocusing on developers, we’re humbled by the non-stop growth in the Docker community, the enthusiastic feedback and adoption of the new features we’ve shipped, and the positive support for the business changes we’ve made to enable us to sustainably scale Docker to tens of millions more developers,” wrote CEO Scott Johnston.

New features include products at both ends of the supply chain, from Docker Official Images to Docker Desktop. In September 2019, ZDNet reported that Docker was struggling for investment. Unsurprisingly, the rise of Kubernetes helped – or hindered, whichever way one looks at it. An InfoWorld article from just two months ago argued that Docker ‘is still alive, but a fraction of the company it might have become.’ Source.

The latest release from Pulumi is a public registry which ‘enables developers and infrastructure teams to apply share and reuse software principles to the modern cloud.’ The registry aims to be a ‘living collection’ of cloud and SaaS integrations and cloud architecture implementations. Pulumi says the goal is to ‘make cloud infrastructure as easy to consume as software packages from popular repositories like npm.’

Pulumi, which is cloud-neutral and has various integrations with AWS, Azure, Google Cloud and Kubernetes among others, is gaining momentum. In ThoughtWorks’ Tech Radar vol. 25, as cited by Jack Roper, the technology is worth keeping an eye on as it ‘fills a gaping hole in the infrastructure coding world. While Terraform is a tried-and-true standby, its declarative nature suffers from inadequate abstraction facilities and limited testability. Pulumi distinguishes itself [with] no markup language or templating required [and] tightly focused on cloud-native architectures.’ Source.

Gartner has proclaimed that more than 85% of organizations will embrace a ‘cloud-first principle’ by 2025, adding that laggards will not be able to fully execute their digital strategies without the use of cloud-native architectures and technologies. At the Gartner IT Symposium/Xpo EMEA this week, the company added that by the same year, more than 95% of new digital workloads will be deployed on cloud-native platforms. This is up from 30% by the end of this year.

The ramp-up in cloud-native platforms is connected to the rise of SASE, or cloud-delivered secure access service edge technologies. Gartner describes this as the fastest growth opportunity in the networking and network security market. The company added that end user spending on SASE will total $6.8 billion in 2022, up from $4.8bn this year. Source.
