DEVOPSdigest

Aqua Security announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack.

Sophisticated attacks often exploit unknown vulnerabilities in the application or operating system, also known as "zero days", to either escalate privileges, run arbitrary code, or exfiltrate data. Doing this at the OS level requires the use of system calls (syscalls), core functions that applications use to request the OS perform anything from opening files, creating network connections, to rebooting the system.

The large number (more than 330) of available syscalls presents a significant attack surface that can lead to OS-level kernel exploits, even though for any given application, only a small subset of syscalls is actually being used. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls and apply those profiles per application. Docker, for example, has disabled 50 syscalls in its default seccomp profile for running Docker containers. However, this still leaves more than 250 syscalls enabled, most of which would not be necessary for a specific application, and best practices are for developers to disable them. The challenge is that creating custom profiles for an application is difficult because it requires a deep low-level understanding of how the application uses syscalls - which is why most organizations often rely on the weak default.

The newest release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analyzing a running container's syscall use, white-listing those being used, and creating a custom seccomp profile to prevent the use of all other syscalls. Since a typical container only uses between 40-70 syscalls, this results in a dramatic reduction in the number of available syscalls for a given service, reducing the attack surface by as much as 90%. Any attempt by an attacker to use a non-whitelisted syscall will be blocked by Aqua and generate an alert.

"Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity," says Amir Jerbi, CTO and co-founder of Aqua Security. "Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits."

Modes of cloud-native app deployment are constantly expanding to cater for varying needs. Today, in addition to running containers on VMs, organizations can deploy "serverless" code, whether as on-demand containers using services such as AWS Fargate or Azure Container Instances, or as serverless functions.

Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua's MicroEnforcer technology released earlier this year:

- AWS Lambda function scanning: Aqua's extensive vulnerability, hard-coded secrets and malware scanning is now available for scanning AWS Lambda functions.

- CRI-O and containerd support: Aqua's runtime protection controls are now available in environments using the CRI-O and containerd container engines.

- "Thin OS" protections: Aqua Monitors hosts that run containers for successful and failed login attempts and provides discovery and scanning for container images stored on the host.

Aqua 3.2 also introduces numerous new features based on customer requirements:

- Aqua's Container Firewall now allows the use of rules based on domain names, in addition to container/cluster IP addresses, making it easier to create application network rules.

- New out of the box compliance templates for runtime protection, applying best practices for meeting NIST, PCI, HIPAA, and GDPR requirements.

- Integration with the Azure Container Registry quarantine feature, preventing vulnerable images from being pulled from the registry.

- Enhanced SAML support, allowing Federated Single Sign-On from Microsoft ADFS, Okta, and Google Apps, among others.