I recently had the opportunity to discuss open source and security challenges with Itay Shakury of Aqua Security. What follows is a fascinating conversation about current issues, the future, and specific cloud-native tools that address the concerns of today's Chief Information Security Officers (CISOs).
Itay, could you please introduce yourself to our readers?
Itay Shakury, Director of Open Source at Aqua Security. I have nearly 20 years of experience in tech, spent across engineering, software architecture, IT, product management, consulting, and more. In recent years, my career path has led me to cloud-native technologies and open source software.
Tell us about Aqua Security and what problems it is trying to address.
Aqua is pioneering cloud security with its integrated cloud-native application protection platform (CNAPP), which provides prevention, detection, and response automation across the entire application lifecycle. Our suite of solutions enables organizations to secure the supply chain, cloud infrastructure, and running workloads. Aqua's family of open source projects is an accessible entry point that allows anyone to get started with cloud-native security immediately and at no cost, while at the same time driving innovation for our commercial offerings.
As Director of Open Source at Aqua Security, what are your main responsibilities?
My main responsibility is creating and executing the open source strategy. The strategy includes refining the OSS projects' roadmap, identifying community initiatives for engagement, and making open source viable for commercial use. As an engineering manager, I lead Aqua's open source teams. Our OSS team is globally distributed and remote-first. This team of talented open source engineers is turning our OSS vision into reality, and I'm fortunate enough to have been part of it.
What challenges do companies face in securing Kubernetes? How should they approach this problem?
One challenge is addressing security across the entire application lifecycle. In the past few years, more and more responsibilities have been put in developers' hands, especially with Kubernetes and cloud-native technologies. We are seeing this across different fields like quality, operations, support, and security. This "shift left" approach introduces security controls early (or "left") in the development lifecycle, which obviously is a welcome change, but it leaves the organization with the challenge of bridging these newly added controls with preexisting production security (the "right" side).
Aqua Security has a number of popular open source projects. Can you tell us about them?
We have a portfolio of tools and solutions across three domains: security scanning, Kubernetes security, and runtime security.
For security scanning, our open source project Trivy is leading the way. Trivy scans container images and code repositories for known vulnerabilities in packages and libraries. In addition to that, Trivy scans Infrastructure as Code files for misconfigurations and common security issues. Trivy is very well received in the industry and has a strong and supportive community of contributors, which is what makes it so successful. We recently celebrated the milestone of crossing 10,000 GitHub stars!
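An added example, not code from Aqua or the Trivy project, of what a team typically does with the two kinds of findings described above once Trivy has produced them: a small Python policy gate that reads a Trivy-style JSON report (image vulnerabilities plus Infrastructure as Code misconfigurations) and fails a CI build on findings at or above a severity threshold, while tracking rather than blocking on vulnerabilities that have no fixed version yet. The report shape assumed here ("Results" entries carrying "Vulnerabilities" and "Misconfigurations" lists) follows Trivy's documented JSON output as I understand it and should be treated as an assumption; the sample report and every ID in it are constructed placeholders.

```python
"""CI policy gate over a Trivy-style JSON report (added example, not Trivy code).

Assumed report shape (treat as an assumption): top-level "Results", each
with "Target" and optional "Vulnerabilities" (VulnerabilityID, PkgName,
InstalledVersion, FixedVersion, Severity) and "Misconfigurations"
(ID, Title, Severity, Status). The sample report below is constructed.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: one container image result and one Kubernetes manifest result.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.test/app:1.2.3",
    "Results": [
        {
            "Target": "registry.example.test/app:1.2.3 (alpine 3.15.0)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        },
        {
            "Target": "deploy/app.yaml",
            "Type": "kubernetes",
            "Misconfigurations": [
                {"ID": "KSV-EXAMPLE-001", "Title": "Container runs as root",
                 "Severity": "HIGH", "Status": "FAIL"},
                {"ID": "KSV-EXAMPLE-002", "Title": "CPU limits set",
                 "Severity": "LOW", "Status": "PASS"},
            ],
        },
    ],
})


def parse_report(raw):
    """Flatten a report into uniform finding dicts; passing misconfig checks are dropped."""
    findings = []
    for result in json.loads(raw).get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "kind": "vuln", "id": v["VulnerabilityID"], "target": target,
                "severity": v.get("Severity", "UNKNOWN"),
                "detail": f'{v.get("PkgName")} {v.get("InstalledVersion")}',
                "fixed_version": v.get("FixedVersion", ""),
            })
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":
                continue  # passing checks only appear when non-failures are included
            findings.append({
                "kind": "misconfig", "id": m["ID"], "target": target,
                "severity": m.get("Severity", "UNKNOWN"),
                "detail": m.get("Title", ""), "fixed_version": None,
            })
    return findings


def evaluate(raw, fail_on="HIGH", require_fix=True):
    """Decide whether a build may proceed.

    Findings at or above `fail_on` block the build. With `require_fix`,
    vulnerabilities that have no FixedVersion are reported as "tracked"
    instead of blocking, so the pipeline is not stuck on issues the team
    cannot act on yet. Misconfigurations are always actionable and are
    never waived this way.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, tracked = [], []
    for f in parse_report(raw):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["kind"] == "vuln" and require_fix and not f["fixed_version"]:
            tracked.append(f)
        else:
            blocking.append(f)
    return {"blocking": blocking, "tracked": tracked, "passed": not blocking}


def main(argv):
    """Read a report from argv[1] (or use the constructed sample) and exit non-zero on FAIL."""
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    verdict = evaluate(raw)
    for f in verdict["blocking"]:
        print(f'BLOCK {f["severity"]:<8} {f["id"]:<18} {f["target"]}: {f["detail"]}')
    for f in verdict["tracked"]:
        print(f'TRACK {f["severity"]:<8} {f["id"]:<18} {f["target"]}: {f["detail"]} (no fix yet)')
    print("PASS" if verdict["passed"] else "FAIL")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would be fed a real report, for example one written by `trivy image --format json -o report.json <image>`, and the non-zero exit code is what stops the deploy. The "tracked" bucket is the design choice worth copying: it keeps unfixable findings visible in the log without letting them block every build, which is usually how teams avoid turning the scanner off altogether.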
In Kubernetes security, Aqua's Starboard assesses your Kubernetes clusters' security posture. It is powered by our other project, kube-bench, which is already a staple of Kubernetes security. Since Starboard is a Kubernetes operator, it continuously and automatically detects changes to the cluster and application state and maintains an up-to-date report of your security posture.
Runtime security is about detecting and preventing suspicious behavior in production. Our project Tracee achieves that by leveraging a cutting-edge technology, eBPF, and is leading the way in how that technology can be applied to this use case.
The use of eBPF technology is growing in security applications and tooling (Tracee). Has it reached a point where it can go mainstream?
eBPF has been around for a while and has seen real-world usage in some of the biggest technology companies in the world. The technology is robust (especially its recent editions), but it is still not very accessible for developers who are programming with it, nor for users who are adopting it. One of the biggest challenges currently is building and distributing eBPF-powered applications. Unlike "normal" applications, which the vendor builds and then ships as a resulting artifact to users, eBPF-based applications are much more sensitive to environmental nuances and therefore are commonly shipped as source code that the user needs to compile on-site. We have been working with the community and industry colleagues to solve these challenges upstream so that eBPF can be more widely available and accessible. This actually resulted in another open source project we released, called "btfhub."
Supply chain security is currently one of the topmost items for CISOs worldwide. What other security issues do you think need our collective focus and attention?
Supply chain is definitely getting a lot of attention. At Aqua, we identified the security gaps that many organizations face, and we acquired a company specializing in supply chain security, Argon Security. Aqua and Argon are working together to address these challenges, and I'm sure that our open source family will soon benefit from it.
Most supply chain solutions rely on implementing tools and practices early in the software development lifecycle. This is part of the movement to "shift left," moving security from production to the developers. I think this movement is good, but stitching together the different tools that the organization adopts across the "left" and "right" sides of the house is still a challenge, and that is usually next on a CISO's desk.
Security is a growing field, with many wanting to make it a career. What are the top skills/traits that you prioritize while hiring?
Curiosity is something that I think helps people in engineering, but especially in InfoSec. Being intrinsically curious and having the drive to investigate and understand how things work is very useful for a security engineer.
In open source specifically, we're looking for engineers with an additional layer of skills on top of the core technological proficiency. In particular, we value the softer skills that support our approach, in which the open source engineers not only write the code but also plan the product roadmap, talk about it, promote it, and build a community around it.
What does Itay enjoy doing in his free time?
Technology is a big part of my life, and I'm also drawn to it in my free time. But apart from that, spending time with my wife and son, hikes, and good food. I also never miss my morning yoga routine.
I'd like to thank Itay for taking the time to discuss the security concerns we all face in today's cloud-native, containerized world. He has provided some great insights and shows just how many solutions open source software offers.