Sponsored
Amidst the unending cybersecurity woe of the last two decades, a significant but easy-to-miss bright spot has been the steady rise of open source security tools. Looking back, what’s interesting is how early a lot of these tools were, from Marty Roesch’s Snort intrusion prevention in the late 1990s, to Gordon Lyon’s Nmap network mapper around the same time. By the time HD Moore’s Metasploit turned from a vulnerability scanner utility into a hugely popular pen-testing framework, it was clear something was up, but what?
These tools hit a wide seam of user need that wasn’t being addressed by proprietary tools, and not simply because they came with an easy-to-try open source license. As with open source itself, this was a bottom-up insurgency because the top-down proprietary model had failed to deliver the security smarts developers and their customers needed, fast enough.
Today, nobody would think twice about the expanding shelf of open source security tools, some seeded by large tech companies such as Google and Facebook whose engineers grew up with the assumption that security tools were best started as DIY before being developed collaboratively. Even the once icily remote National Security Agency (NSA) in 2019 unexpectedly threw in its reverse-engineering platform, Ghidra.
If the interest in open source tools isn’t new, the nature of their use is changing rapidly as the industry moves into new and more complex environments, for example, deploying containerised cloud applications using platforms such as Kubernetes. Here, the security demands are challenging, requiring many layers of security to cope with numerous problems developers can’t always see, assuming they even have the time to look.
Tools remain the basic unit of work, then, but a lot has changed around them. Now the problem is so complex that using tools in an ad-hoc way to solve pieces of it no longer cuts it, hence the appearance of a new generation of companies integrating security through software-as-a-service (SaaS).
One outfit jumping on this trend is California-based Sysdig. Founded in 2013, the company has spent the intervening years building its Sysdig Secure DevOps Platform from a series of carefully interlocking Lego blocks – Falco, Anchore engine, Prometheus, and a fourth named after the company itself, Sysdig – each designed to do a different security job for Kubernetes customers.
“The beauty of our approach is that it’s completely open source,” emphasises Sysdig CTO and founder, Loris Degioanni, a veteran who cut his teeth in the industry as one of the creators of the legendary Wireshark network analysis tool in the late 1990s. This is more than a marketing spiel. Most startups go into business to build a core of IP to fuel their growth. Instead Sysdig did something different, making some tools to give away as open source projects, actively contributing to others, using a fusion of the two as the foundation for its own services and extensions running on top.
The first of these, sysdig/Sysdig Inspect, appeared from 2014 onwards as a pair of command-line and GUI troubleshooting and forensic tools for monitoring container performance, resource usage and activity down to kernel level. The second, Falco, is a container runtime security tool for Kubernetes which a year later became the first project of its type to be incubated by the Cloud Native Computing Foundation (CNCF); by early 2020 it had 80 contributors and 8.5 million downloads, and by the end of 2020 more than 10 million downloads.
In addition, Sysdig extends Prometheus, a CNCF-adopted monitoring tool for servers, applications and databases running inside Kubernetes clusters on Docker containers. A fourth and final open source component is Anchore engine, a container image scanning engine designed to spot known vulnerabilities as part of a vulnerability management system that can integrate with continuous integration/continuous delivery (CI/CD) tools. Now featuring numerous extensions and modules beyond Kubernetes, that too has grown into a thriving project used across different environments.
The business model is simple: combine and extend these tools with in-house services, support and extensions that make up the Sysdig Secure DevOps Platform. Available either as SaaS or as an on-premises backend for servers, private clouds and the major public clouds, the bundles include Sysdig Monitor, a container and cloud monitoring system that combines and integrates the above tools into a seamless whole, and Sysdig Secure, a SaaS container security product that handles scanning, runtime detection and response, and compliance.
“Could we have built these in a proprietary way without having to do all this work? Yes, but the world is changing with a new operating system in Kubernetes,” says Degioanni, provocatively. “I call Kubernetes an operating system because it has many properties of an OS like Linux. It takes containers and runs them. It has become the de-facto layer for modern application development which is essentially community driven.”
First came virtualisation and hypervisors, a way of allowing multiple copies of an OS to run on the same underlying hardware. Containers took this a step further by allowing one OS to run multiple apps and their dependencies in separate spaces, a far more efficient and flexible architecture. This was powerful, but it needed a final piece, Kubernetes, to deploy and manage these containers as microservices without soul-draining manual toil.
Degioanni pitches this as the biggest overhaul of computing since the invention of the PC, but one that is still missing the final piece of the puzzle in the need to secure it all. This, he says, is Kubernetes’ biggest party trick of all, namely the idea of accelerated co-development.
“If you want to add security to, say, AWS, it's not trivial – you really have to be Amazon. With Kubernetes, it’s a community so you can propose an extension to do instrumentation. With open source, your users become your partners and co-developers.”
He cites Snort as an inspiration for the way it generated so many contributions from its user base. “There was a core set of developers but then everybody else could contribute a rule, policy, or class of attacks. Suddenly, the tool was amplified. It was impossible for anybody with a commercially-driven solution to have that kind of richness.”
The catch, as with the architectures that preceded it, is that Kubernetes brings with it a lot of moving parts, and that creates security concerns, some familiar to all DevOps teams, some specific to clusters and microservices. The first is the need to protect applications and images, which might be used to elevate privileges, crash servers or exfiltrate data. Application libraries are a second worry, because a vulnerability in any one element can compromise the entire service. Finally, the servers and VMs that underpin the whole environment must be barricaded. As with any other software, all of these layers can be littered with known CVEs before security policies even enter the picture.
“Moving from legacy applications to Kubernetes is like going from cattle to locusts. Instead of having 100 of them you have millions. They are small, fast, hard to control and if you’re not careful they’ll make a big mess,” says Degioanni. “An image that was totally fine when you deployed it is later discovered to have a vulnerability. But Sysdig runs the Anchore engine scanning constantly and can notify you and prevent that image from running.”
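The "fine when deployed, vulnerable later" case described above is worth seeing as a loop rather than a one-off scan. The following is an added example, not Sysdig's or Anchore's code: it models a fleet of running images, re-evaluates every image against the current vulnerability feed, applies a severity-threshold block policy, and reports which images changed verdict since the last pass (the ones an operator should be notified about or prevented from running). The image references, package versions, feed contents and CVE identifiers are all constructed placeholders; a real scanner would derive the package inventory from image layers and pull the feed from distribution or NVD sources.

```python
"""Added example (not Sysdig's or Anchore's code): re-scanning already-deployed
container images whenever the vulnerability feed changes, and gating the ones
that now violate policy. Every image, package, feed entry and CVE id below is
constructed for illustration."""
from dataclasses import dataclass

# Severity ordering used by the block policy.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass(frozen=True)
class Image:
    ref: str          # image reference, e.g. "registry.example/api:1.4.2" (constructed)
    packages: tuple   # packages a scanner would extract from the image's layers


def scan(image, feed):
    """Match each package in the image against the feed.

    feed: package name -> list of (affected_version, cve_id, severity).
    Returns a list of (Package, cve_id, severity) findings."""
    findings = []
    for pkg in image.packages:
        for affected_version, cve_id, severity in feed.get(pkg.name, ()):
            if affected_version == pkg.version:
                findings.append((pkg, cve_id, severity))
    return findings


def blocking_findings(findings, block_at="High"):
    """Policy: keep only findings at or above the configured severity."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in findings if SEVERITY_RANK[f[2]] >= threshold]


def evaluate_fleet(images, feed, previous_verdicts, block_at="High"):
    """Re-scan every running image against the current feed.

    Returns (verdicts, changed): verdicts maps image ref -> ("allow"|"block",
    blocking findings); changed lists refs whose verdict differs from the
    previous evaluation, i.e. images that were fine yesterday and are not today
    (or vice versa once a fixed image is rolled out)."""
    verdicts = {}
    changed = []
    for img in images:
        blocking = blocking_findings(scan(img, feed), block_at)
        verdict = "block" if blocking else "allow"
        verdicts[img.ref] = (verdict, blocking)
        if previous_verdicts.get(img.ref) != verdict:
            changed.append(img.ref)
    return verdicts, changed


# Constructed fleet: two running images sharing one package.
IMAGES = (
    Image("registry.example/api:1.4.2",
          (Package("openssl", "1.1.1f"), Package("zlib", "1.2.11"))),
    Image("registry.example/worker:0.9.0",
          (Package("zlib", "1.2.11"),)),
)

# Constructed feeds. CVE ids are placeholders, not real advisories.
FEED_DAY_ONE = {
    "zlib": [("1.2.8", "CVE-0000-0001", "Medium")],   # affects a version nobody runs
}
FEED_DAY_TWO = {
    "zlib": [("1.2.8", "CVE-0000-0001", "Medium")],
    "openssl": [("1.1.1f", "CVE-0000-0002", "High")],  # newly published; hits the api image
}


def demo():
    """Run two daily passes and return both verdict sets and change lists."""
    day_one, changed_one = evaluate_fleet(IMAGES, FEED_DAY_ONE, {})
    prior = {ref: verdict for ref, (verdict, _) in day_one.items()}
    day_two, changed_two = evaluate_fleet(IMAGES, FEED_DAY_TWO, prior)
    return day_one, changed_one, day_two, changed_two


if __name__ == "__main__":
    d1, c1, d2, c2 = demo()
    for ref, (verdict, findings) in d2.items():
        flag = " (changed)" if ref in c2 else ""
        print(f"{ref}: {verdict}{flag} {[cve for _, cve, _ in findings]}")
```

On day one nothing in the fleet matches the feed, so both images are allowed; on day two the new openssl entry flips only the api image to "block", and that ref alone appears in the change list, which is the signal a notification or admission gate would act on.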
It’s an opaque problem that demands a convincing answer, which in Sysdig’s case is its SaaS security suite, Sysdig Secure, paired with a second, Prometheus PromQL-compatible service, Sysdig Monitor, to look after the performance of the underlying servers and applications.
Could this environment be addressed using non open source tools? It’s hard to imagine how. Given that the whole environment is community-driven, solving those problems would surely be somewhere between bewildering and unprofitable for any other software model. For example, had Google carried on with Kubernetes instead of releasing it as open source, it would have ended up as another silo, like AWS. As Degioanni points out, that would automatically require it to solve all the other problems, including security, something few vendors could possibly make pay without locking people into a stale release cycle.
“Our philosophy is to add value for the community but don’t stop there – have a rich platform on top of that. You get all the value of these open source products, but they are packaged, supported, integrated into a workflow with enterprise functionality such as Active Directory and will scale for the modern enterprise.”
Degioanni mentions the rapid growth not only of Falco, but other open source engines such as Open Policy Agent (OPA) as evidence of his contention that cloud architectures are shifting the balance of power away from legacy software companies and proprietary products. In community-driven software the opposition isn’t another vendor but the problem itself.
The market he describes is dynamic but also eerily unfamiliar, devoid of established names. “The players in this space are more like next-generation vendors focused specifically on Kubernetes security. We don’t have competition from the security dinosaurs. They are so far behind.”
Self-evidently this is a sector that wouldn’t exist without open source, even if some of its innovators end up being bought out by larger platform vendors plugging security gaps to mollify customer demand.
“With open source, our competitors are able to take advantage of our technology but that is OK. In the long term in this new ecosystem the winner will be the one that works best so that the community, customers, and competitors become partners developing it with you.”
Sponsored by Sysdig Inc