
If attackers own taps on the network...

...then the best-positioned apps are the ones that rely on internal security instead of, or in addition to, perimeter security.  Like a bunch of microservices running inside a service mesh securing a few Kubernetes clusters in the clouds.

But the app had better be fully composable.  Automatically.  On demand.  Pretty fast.  Because you never know if you just patched this morning a security hole that someone exploited last night.  And once they're in they're coming back for more.  Unless you can find them and remove the back doors, rootkits, worms, and other malware they've hidden away, you might as well just reinstall from scratch.

Which is what Continuous Deployment is really about.  If you're Doing It Right you can compose the whole app pretty quickly and move load balancers over to the new deployment.  Now they've rooted machines that are about to disappear into thin air.

Unless they're already in the data layer.

Anyone know what the patch lag is for an RDS 0 day?

If you control your own storage, you're in the driver's seat.  You can repave your databases, object stores, queue and cache software, all of it.  Whenever.  Live.

Of course you need to fully automate this, which is why it's nice to start with a Kubernetes platform that orchestrates the stateful components that you need to run your app.  You'll end up being able to reinstall from scratch whenever you like, and just carry forward the data files that live in persistent volumes.
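One way to state the "carry the persistent volumes forward" requirement in Kubernetes terms, as an added example that is not from the original post. It assumes a cluster running the AWS EBS CSI driver and a Kubernetes version with the StatefulSet PVC retention policy; the object names, image and sizes are placeholders.

```yaml
# Added example: storage that survives a repave.
# The StorageClass keeps the backing disk when a claim is deleted, and the
# StatefulSet keeps its claims when the StatefulSet itself is deleted, so a
# from-scratch reinstall reattaches to the same data files.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: repave-safe
provisioner: ebs.csi.aws.com        # assumption: AWS EBS CSI driver is installed
reclaimPolicy: Retain               # PV and disk outlive the PVC (default is Delete)
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db                          # placeholder name
spec:
  serviceName: db
  replicas: 1
  selector:
    matchLabels:
      app: db
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain             # deleting the StatefulSet keeps data-db-0
    whenScaled: Retain              # scaling down keeps the claims too
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: db
        image: postgres:16          # placeholder image
        volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: repave-safe
      resources:
        requests:
          storage: 20Gi             # placeholder size
```

Deleting and recreating the StatefulSet under the same name reattaches pod db-0 to the existing claim data-db-0, so only the compute layer is rebuilt while the data stays where it was.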

If only the real world were that simple.  There's no silver bullet, wooden stake, or security appliance that's going to protect us all from the monsters, whether they're lurking beyond the dark or right under the bed.  Repaving is just one of the weapons in an escalating battle.  Continuous deployment is how you wield that weapon.
