Bridging the Developer-Security Gap: Secure API Connectivity with Architecture as Code

2026-03-223 min read
#api#security#architecture-as-code#devsecops#json-schema

In today's complex, interconnected software landscape, especially within highly regulated industries, ensuring secure API connectivity is a monumental task. Jim Gough, Distinguished Engineer and API Platform Lead Architect at Morgan Stanley, recently presented an innovative solution to this challenge: the Common Architecture Language Model (CALM). His insights, shared at an InfoQ presentation, highlight a critical need to bridge the "developer-security gap" and streamline the path to secure, compliant API deployments.

The Challenge: Gaps and Gates

Gough meticulously outlined the hurdles faced by many organizations:

  • API Deployment Complexity: Modern microservice architectures and diverse deployment environments make API deployments inherently intricate.
  • Developer-Infrastructure Gap: Developers often struggle with the nuances of infrastructure provisioning and configuration.
  • Developer-Security Gap: Crucially, security often acts as a late-stage "gate" rather than an early, integrated guide. This reactive approach leads to significant delays, rework, and potential vulnerabilities. Security becomes a blocker, not an enabler.

To overcome these, Gough proposes CALM as an "architecture as code" framework, designed to make "doing the right thing" the easiest path for developers.

Introducing CALM: Architecture as Code for Secure APIs

CALM is an open-source framework built to define, validate, and deploy secure API architectures programmatically. Its core components are:

  • Core Model in JSON Schema: At its foundation, CALM uses JSON Schema to define architectural components (called "nodes"), their relationships, and interfaces. This provides a standardized, machine-readable language for describing an entire system's architecture.
  • Architecture Patterns: CALM leverages the power of patterns. Architects can define secure, compliant architectural blueprints that encapsulate best practices and critical security controls. Developers can then select and instantiate these patterns, ensuring they inherit a secure foundation.
  • Integrated Controls: A key innovation of CALM is its ability to model non-functional requirements, particularly security controls, directly within the architecture definition. For instance, micro-segmentation policies, derived from threat modeling techniques like STRIDE, can be embedded. This shifts security left, embedding it from the design phase.
  • CLI and Hub: A user-friendly Command-Line Interface (CLI) allows developers to interact with CALM, generating architectures from patterns, validating their configurations, and integrating these definitions into their existing CI/CD pipelines. A "CALM Hub" acts as a centralized repository for sharing and discovering these validated patterns and architectures.
  • Automated Deployments & Documentation: By generating infrastructure-as-code (e.g., Kubernetes configurations, network policies) and comprehensive documentation directly from CALM definitions, organizations can achieve remarkable efficiency gains. This automation leads to faster, more consistent deployments and significantly simplifies regulatory compliance and auditing.

The Impact: From Months to Hours

Gough provided a compelling example: a review cycle that traditionally took six months could be transformed into an automated two-hour deployment using CALM. This dramatically accelerates development cycles while simultaneously enhancing security posture.

CALM particularly shines in environments demanding high levels of assurance and reuse, such as regulated industries. It creates clear, "paved roads" for developers, offering fast feedback loops and enabling self-service deployments, all while effectively managing the inherent complexity of modern systems.

Conclusion: Embrace Complexity with Code

Jim Gough's CALM framework offers a compelling vision for the future of secure API connectivity. By codifying architecture and integrating security controls at the design phase, organizations can move beyond the reactive "security gate" model. It empowers developers to build securely by default, fosters collaboration between security and development teams, and ultimately enables faster, more resilient, and compliant software delivery.

Reference: Secure Connectivity API Architecture as Code