Workload: a concise definition

In computing, a workload represents the unit of work an application or service performs and the resources required to perform it. In the cloud, it includes any app, function, or service running on VMs, containers, or serverless platforms.

Workload vs. application vs. use case

Application: the software that processes something (e.g., an order‑processing microservice).
Workload: the processing being done and the resources consumed (e.g., 5k requests/min, 4 vCPU, 8 GB RAM).
Use case: the business reason for running it (e.g., checkout and payment).

Common workload types

Transactional: latency‑sensitive APIs and web apps.
Batch: scheduled reporting, ETL jobs.
Streaming: event ingestion, real‑time analytics.
AI/ML: model training and inference.
Data processing: pipelines, warehousing, lakehouse jobs.
Serverless & microservices: fine‑grained, autoscaled functions and services.

How workloads are measured

Key indicators include throughput and concurrency (RPS/QPS), resource consumption (vCPU, memory, I/O, network), latency and tail performance (p95/p99), and error rates/SLOs.

Cloud workloads

In the cloud, workloads span VMs, containers, and serverless functions and often compose into cloud‑native architectures.

See also: Cloud Computing, Cloud‑Native, Container Security, CI/CD Security.
Cloud Computing: https://checkmarx.com/glossary/cloud-computing/
Cloud‑Native: https://checkmarx.com/glossary/cloud-native/
Container Security: https://checkmarx.com/glossary/what-is-container-security/
CI/CD Security: https://checkmarx.com/glossary/what-is-cicd-security/

Kubernetes workloads (terminology)

In Kubernetes (K8s), “workload” refers to applications deployed via workload resources such as Deployments (typically stateless), StatefulSets (stable identity and storage), DaemonSets (one per node), and Jobs/CronJobs for run‑to‑completion tasks.

See: Kubernetes (K8s): https://checkmarx.com/glossary/kubernetes-k8s/

Why workloads matter for AppSec

Workloads process code, data, and secrets – making them prime targets. Security should start in development and continue through deployment:

Shift‑left testing: scan custom code with SAST and open‑source with SCA.
SAST: https://checkmarx.com/cxsast-source-code-scanning/
SCA: https://checkmarx.com/cxsca-open-source-scanning/
Infrastructure as Code (IaC) hardening: https://checkmarx.com/product/iac-security/
Container image checks: https://checkmarx.com/product/container-security/
Secret hygiene: https://checkmarx.com/glossary/what-is-secrets-detection/
API exposure: https://checkmarx.com/product/api-security/
Program visibility & prioritization: ASPM on Checkmarx One
ASPM: https://checkmarx.com/product/aspm/
Checkmarx One: https://checkmarx.com/product/application-security-platform/

For end‑to‑end coverage, see Code‑to‑Cloud Security and Software Supply Chain Security:
Code‑to‑Cloud Security: https://checkmarx.com/glossary/what-is-code-to-cloud-security/
Software Supply Chain Security: https://checkmarx.com/glossary/what-is-software-supply-chain-security/

Checklist: Best practices to secure workloads

Map critical workloads and owners; tag assets by environment and sensitivity.
Continuously correlate & prioritize with ASPM to reduce noise and focus on real risk.
Automate in the SDLC with SAST/SCA gating in CI/CD.
Lock down IaC: least privilege, network policies, encryption by default.
Harden containers: minimal base images, SBOMs, immutability.
Protect secrets: remove hardcoded credentials; use a vault.

FAQ

What is a workload in computing?
The work your app/service executes plus the compute, memory, storage, and network it consumes—tracked via throughput, latency, and SLOs.

What are Kubernetes workloads?
Apps represented by Deployments, StatefulSets, DaemonSets, and Jobs/CronJobs.

How do developers measure workload health?
RPS/QPS, p95/p99 latency, CPU/memory saturation, error rate, queue depth, and SLO adherence.

How do I secure workloads in the SDLC?
Automate SAST/SCA, IaC/K8s checks, and container scanning on every PR; enforce policy; manage secrets; correlate with ASPM.
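
As an added illustration (not Checkmarx code and not part of the original page), the sketch below applies the checklist's least-privilege, immutability and hardcoded-secret items to the Kubernetes workload kinds named above, the kind of IaC/K8s check a PR gate could run. The finding names, the secret-name heuristic and the sample manifests are constructed assumptions.

```python
import re

# Where each Kubernetes workload kind keeps its pod spec.
_TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATH = {kind: _TEMPLATE for kind in
                 ("Deployment", "StatefulSet", "DaemonSet", "Job")}
POD_SPEC_PATH["CronJob"] = ("spec", "jobTemplate") + _TEMPLATE
# Assumed heuristic: env var names that usually hold credentials.
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_?key", re.I)

def containers(obj):
    """Containers of a workload object; [] for non-workload kinds."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return []
    node = obj
    for key in path:
        node = node.get(key) or {}
    return node.get("initContainers", []) + node.get("containers", [])

def audit(obj):
    """Sorted (container, finding) pairs for one workload object."""
    findings = []
    for c in containers(obj):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if "@sha256:" not in c.get("image", ""):
            findings.append((name, "image not pinned by digest"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "root filesystem is writable"))
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "privilege escalation allowed"))
        for env in c.get("env", []):
            if env.get("value") and SECRET_NAME.search(env.get("name", "")):
                findings.append((name, "hardcoded secret in env " + env["name"]))
    return sorted(findings)

# Constructed sample manifests (already parsed into dicts).
RISKY = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "containers": [{"name": "report", "image": "registry.example/report:latest",
                    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}}}}}
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [{
    "name": "api", "image": "registry.example/api@sha256:" + "0" * 64,  # placeholder
    "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False},
    "env": [{"name": "DB_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "db", "key": "password"}}}]}]}}}}

if __name__ == "__main__":
    for obj in (RISKY, HARDENED):
        print(obj["kind"], audit(obj))
```

The CronJob case matters because its pod spec sits one level deeper (under `jobTemplate`) than in the other workload kinds, so a check that only looks at `spec.template.spec` would pass it unexamined.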