First Runtime Container Security Project joins CNCF, helping to make cloud-native architectures more secure
SAN FRANCISCO, October 10, 2018 – Sysdig, Inc., the cloud-native intelligence company, today announced that Falco, the open source project for runtime container security from Sysdig, has joined the Cloud Native Computing Foundation® (CNCF®) as a Cloud Native Sandbox project and is the first runtime security technology to enter the Cloud Native Sandbox. The CNCF is a Linux Foundation® organization dedicated to advancing the development of cloud-native technologies. By accepting Falco, the CNCF is bringing awareness to runtime security and making it easier for the CNCF community to build more secure cloud-native applications.
Falco is designed to give DevSecOps visibility into the behavior of containers and applications. As cloud native becomes the default operating model for many organizations – large and small – new approaches are required to secure the containers and platforms application developers rely on. The highly dynamic nature of cloud-native environments demands security tooling with the ability to immediately detect and protect new containerized application instances. By tapping into the Linux kernel, Falco is able to provide near real-time detection of abnormalities and platform intrusions.
What Falco Brings to Cloud-Native Applications
Falco is able to shorten the security incident detection and response cycle in container and microservices architectures by providing runtime security that detects abnormal behavior at the application, file, system, and network levels. By tapping into the Linux kernel, Falco creates a stream of system call events, which enables Falco to apply rules and take action if a rule is violated, reducing the risk of a security breach.
Falco is an industry-trusted tool, most recently being awarded the InfoWorld Best of Open Source Software Award in the cloud computing category. By accepting Falco, the CNCF gains a single sensor with the ability to apply rules to a variety of different event sources. Coupled with other CNCF projects – Fluentd, NATS, and Kubernetes – Falco provides expanded visibility into potential security events and has the ability to take immediate actions like killing offending containers, notifying teams, and isolating Kubernetes nodes. Falco also provides metadata from sources such as the Kubernetes API server to enrich the data provided by the Linux kernel. This allows end users to create rules based on Kubernetes metadata, which can include rules scoped to particular Kubernetes namespaces, deployments, or individual pods.
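To make the rule model described above concrete, here is an added example rule file (written for this page, not taken from Falco's shipped rule set) that scopes two detections, one at the process level and one at the file level, to a single Kubernetes namespace. It assumes Kubernetes metadata enrichment is enabled on the sensor (for example via the -k/-K options) and uses a constructed namespace name, "prod".

```yaml
# Added example, not part of Falco's default rules. Assumes Kubernetes
# metadata fields (k8s.*) are populated; "prod" is a constructed sample value.

- list: shell_binaries
  items: [bash, sh, dash, zsh]

# An execve event seen on its exit direction means a new program has started.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Only events from inside a container, not from the host itself.
- macro: container
  condition: container.id != host

# The namespace scope: change or parameterize this per environment.
- macro: in_prod_namespace
  condition: k8s.ns.name = "prod"

- rule: Interactive Shell in Production Pod
  desc: >
    A shell was started inside a container that belongs to the production
    namespace. Shells are rarely expected in running application pods, so
    this is worth an alert and a review of the parent process.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and in_prod_namespace
  output: >
    Shell started in production pod
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     namespace=%k8s.ns.name deployment=%k8s.deployment.name pod=%k8s.pod.name
     container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [kubernetes, shell, runtime]

- rule: Write Below /etc in Production Pod
  desc: >
    A process inside a production-namespace container opened a file under
    /etc for writing. Immutable images should not need this at runtime.
  condition: >
    evt.type in (open, openat) and evt.is_open_write = true
    and container and fd.name startswith /etc
    and in_prod_namespace
  output: >
    File below /etc opened for writing in production pod
    (file=%fd.name command=%proc.cmdline namespace=%k8s.ns.name
     pod=%k8s.pod.name container=%container.id)
  priority: ERROR
  tags: [kubernetes, filesystem, runtime]
```

Both rules fire only when the namespace field matches, so the same file can be reused with a different macro definition for staging or development without touching the rule bodies.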
History of Open Source sysdig and Falco
Sysdig launched in 2013 with sysdig, an open source monitoring technology, and in 2016, Sysdig used the same core instrumentation technology to launch Falco. Open source technologies are at the root of Sysdig, and this step further builds on the commitment by Sysdig to the open source community.
With more than a million users relying on Sysdig open source security and troubleshooting tools, there is a broad community actively working together to define and share rule sets for common security exploits. This open approach provides the opportunity for faster response times to newly discovered exploits by providing the ability to share new rules for these exploits as they are discovered. By becoming a CNCF Sandbox Project and expanding the reach of Falco, the community behind the project will have access to a broader community to collaborate with and learn from.
“We’re proud to be able to contribute to the open source community in a larger way,” said Loris Degioanni, chief technology officer and founder of Sysdig. “Adding Falco to the Cloud Native Sandbox gives developers, operations, security, and other IT professionals access to our market-leading runtime security technology, which has more than 1.5 million downloads to date. Acceptance by the CNCF further reaffirms Falco’s approach to runtime container security.”
The Falco Roadmap
The Falco team will continue to work with the CNCF to build stronger integrations with the other CNCF technologies – current and future – with a major focus on three key areas: expanding the contributor base, increasing awareness of cloud-native security concerns, and providing a high-quality experience for the end-user community. The Falco roadmap includes expanded Kubernetes integrations, including the addition of Kubernetes audit events as a Falco event source, as well as Kubernetes network policy support. The roadmap also includes a Prometheus integration that enables Falco to expose detailed metrics using the OpenMetrics format.
- Read the blog post, “Runtime Container Security – How to Implement Open Source Container Security (Part 1)” for more information on securing environments with open source technologies.
- For more information on how Falco integrates with other CNCF projects, read the blog posts:
- Follow Sysdig on Twitter to learn about upcoming meetups, Container Troubleshooting Workshops, and conference presentations.