Tuomo Tanskanen writes:
"Walking out of KubeCon, the cloud-native security landscape for 2026 is coming into sharp focus. The Cyber Resilience Act (CRA) isn't theoretical anymore — it's driving real architectural decisions. Leading organizations are building automated pipelines that produce attestations and provenance data as a byproduct of development, but many organizations are struggling to generate consistent SBOMs or full attestation chains. The path forward is incremental, and those who have not started yet should do so now. Supply chain security goes beyond documenting what you have.
The real work is in the dependency hygiene — pruning bloated dependency trees and maintaining upstream relationships. For example, Kubernetes spent three years actively removing and fixing dependencies and still has the dependency tree going 21 levels deep. We have new tools to help visualize dependency health over time, but the fundamental challenge is that we've built systems with increasingly unsustainable supply chains. We learned little from the "left-pad" incident. In 2026, treating dependency depth as a first-class metric — not just vulnerability counts — will separate mature engineering organizations from those constantly firefighting CVEs in transitive dependencies they didn't know they had. Right now, 0-CVE container image vendors are having a field day, but it doesn't have to be that way. As manufacturers, we can and must do better to support our upstream dependencies.
The post-quantum crypto conversation was a wake-up call. The 2030-2035 migration window sounds distant, but every long-lived system we deploy in 2026 needs crypto agility built in. ML-KEM is ready for key exchange, and the signature schemes are maturing. This isn't a 2029 problem — it's a 2026 design constraint. The cloud-native ecosystem is getting ready — Go 1.26+ will include better support, and projects like Sigstore and Kubernetes are planning their transitions.
Zero-trust architectures have moved from aspirational to expected. The success stories at scale — like Uber's 7,000 microservices with universal mTLS and authorization — prove it's achievable. The pattern is clear: cryptographic identity for every workload, authentication for every connection, authorization for every request. The question is whether we build this into our platforms or keep asking developers to implement it correctly in every service.
AI security is moving fast from theoretical concerns to operational problems. Guardrail bypasses, data leaks, and nation-state weaponization of AI instances are real. In 2026, anyone running agents in production needs to have implemented answers to those problems, or risk getting burned."
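The dependency-depth metric argued for above, as an added example that is not from the original post or from any of the projects it names. The snippet reads a dependency graph in the shape of the CycloneDX `dependencies` array (each component lists what it `dependsOn`), computes the longest chain from the root, counts how many components are reachable only transitively, and flags anything past a depth budget so the number can be gated in a pipeline like a vulnerability count. The component names and the function names (`depth_metrics`, `over_budget`) are constructed for illustration; the graph is deliberately small rather than 21 levels deep.

```python
"""Dependency-depth metrics from a CycloneDX-style dependency graph.

Added example; the component refs below are constructed and do not describe
any real project.
"""
from collections import defaultdict

# Constructed sample in the shape of the CycloneDX "dependencies" array.
# "log" is both a direct dependency and pulled in again via db -> pool -> log.
SAMPLE_DEPENDENCIES = [
    {"ref": "app", "dependsOn": ["web", "db", "log"]},
    {"ref": "web", "dependsOn": ["http", "json"]},
    {"ref": "http", "dependsOn": ["url", "tls"]},
    {"ref": "tls", "dependsOn": ["asn1"]},
    {"ref": "asn1", "dependsOn": ["bigint"]},
    {"ref": "db", "dependsOn": ["pool"]},
    {"ref": "pool", "dependsOn": ["log"]},
    {"ref": "json", "dependsOn": []},
    {"ref": "log", "dependsOn": []},
    {"ref": "url", "dependsOn": []},
    {"ref": "bigint", "dependsOn": []},
]


def build_graph(dependencies):
    """Map each component ref to the refs it depends on."""
    graph = defaultdict(list)
    for entry in dependencies:
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return graph


def longest_depth(graph, root):
    """Return (depth, parent) where depth[ref] is the longest path from root.

    The longest path is used on purpose: when a component is reachable several
    ways, that is the chain a fix has to travel through before it lands.
    Nodes already on the current path are skipped so a cyclic graph terminates.
    """
    depth = {root: 0}
    parent = {}

    def walk(node, path):
        for child in graph.get(node, []):
            if child in path:  # cycle guard
                continue
            candidate = depth[node] + 1
            if candidate > depth.get(child, -1):
                depth[child] = candidate
                parent[child] = node
                walk(child, path | {child})

    walk(root, {root})
    return depth, parent


def chain_to(parent, root, ref):
    """Reconstruct the root -> ... -> ref chain recorded by longest_depth."""
    chain = [ref]
    while chain[-1] != root:
        chain.append(parent[chain[-1]])
    return list(reversed(chain))


def depth_metrics(dependencies, root):
    """Summarize tree depth and how much of the tree is transitive-only."""
    graph = build_graph(dependencies)
    depth, parent = longest_depth(graph, root)
    direct = set(graph.get(root, []))
    everything = set(depth) - {root}
    deepest = max(everything, key=lambda ref: (depth[ref], ref))
    return {
        "max_depth": depth[deepest],
        "direct_count": len(direct),
        "total_count": len(everything),
        "transitive_only_count": len(everything - direct),
        "deepest_chain": chain_to(parent, root, deepest),
    }


def over_budget(dependencies, root, max_depth):
    """Components deeper than the budget, sorted by depth then name.

    A non-empty result is what a pipeline gate would fail on.
    """
    depth, _ = longest_depth(build_graph(dependencies), root)
    offenders = [ref for ref, d in depth.items() if d > max_depth]
    return sorted(offenders, key=lambda ref: (depth[ref], ref))


if __name__ == "__main__":
    metrics = depth_metrics(SAMPLE_DEPENDENCIES, "app")
    for key, value in metrics.items():
        print(f"{key}: {value}")
    print("over depth budget 3:", over_budget(SAMPLE_DEPENDENCIES, "app", 3))
```

Run against a real SBOM, the `deepest_chain` output names the direct dependency that drags in the longest chain, which is where pruning or an upstream conversation pays off most; tracking `max_depth` and `transitive_only_count` per release shows whether the tree is shrinking or quietly growing.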