As part of Falco’s participation in the Cloud Native Computing Foundation, we are excited to announce we will be mentoring students in this year’s Google Summer of Code. Google Summer of Code (GSoC) provides students from around the world a unique opportunity to contribute to a number of open source projects. Throughout the years, GSoC has helped contribute over 35,000,000 lines of code to open source projects.
How to Participate
GSoC provides a detailed guide for students on how to participate. Students interested in contributing to Falco should follow the below process:
- Apply to participate through the Google Summer of Code site.
- Browse the project ideas for Falco over on the CNCF Github repo.
- Join the Sysdig OSS slack and our #gsoc channel. This provides a centralized location where you can chat with the Falco mentors (@ducy, @mstemm, and @loris are their Slack handles).
- Submit your project proposal (through the GSoC site) on how you’d implement one of Falco’s project ideas. You can read what makes a great proposal over on the GSoC website.
Improved Falco Outputs
Falco currently supports some standard outputs (stdout, syslog, files, programs, and HTTP). We’d like to explore being able to push Falco alerts to a variety of different locations such as NATS, Kafka, gRPC, and more. This will provide users more flexibility in creating event processing streams to react to alerts, store alerts for long term storage, integrate with other systems, etc.
Additional Event Sources
Falco currently consumes events from a kernel module, eBPF probe, or embedded web server. Currently events are focused on system calls (via the kernel module or eBPF probe), or Kubernetes Audit Log events. Falco can be extended to consume additional events via it’s embedded web server. We’d like to have additional sources of events and accompanying rules to detect abnormal behavior in these event sources.
Layer 7 Inspection and Detection
Web Application Firewalls provide capabilities to detect abnormal activities at Layer 7 of the TCP/OSI stack. With the concept of zero trust networking and edge based firewalls becoming the predominant pattern in the world of Kubernetes, we’d like to see how Falco can be used to detect malicious payloads at the edge or container level. This could include work to decrypt HTTPs traffic as it passes through the kernel stack.
Falco integration with AI/ML platforms
One common use case Falco users ask us about is integration with AI or ML platforms to better detect abnormal behaviors. This project idea would explore the various AI/ML platforms available, and how models can be built to detect abnormal activity in an environment where Falco is used for auditing.
Prometheus Metrics Exporter
Prometheus has become the defacto standard for metrics in the Cloud Native stack. This idea would implement a Prometheus metrics exporter to allow platform administrators and security teams to collect metrics on Falco performance, rules triggered, and more.
Performance Analysis and Optimization
Deploying a detection engine such as Falco to a large environment can be fraught with performance considerations. For this GSoC idea we’d like the student to deploy Falco to a large Kubernetes cluster running 10’s of thousands of containers and provide benchmarks for performance. We’d also expect that any bottlenecks would be identified, along with fixes to improve throughput and performance.
Falco rules profiles for applications and security benchmarks
Falco ships with several rules out of the box focused on common container best practices, as well as rules for the Kubernetes api server. We’d like this idea to focus on building best practices around profiling application containers to determine normal behavior, as well as being able to automatically generating rules from this baselining.
We hope you’re excited as we are that Falco is a participant in this year’s Google Summer of Code. We can’t wait to start getting project proposals from students, and can’t wait to see what the next generation of open source engineers build!