Aqua Security, the premier platform provider for securing container-based and cloud-native applications, announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack.
Runtime protection against “Zero Days”
Sophisticated attacks often exploit unknown vulnerabilities in the application or operating system, also known as “zero days”, to either escalate privileges, run arbitrary code, or exfiltrate data. Doing this at the OS level requires the use of system calls (syscalls), core functions that applications use to request the OS perform anything from opening files, creating network connections, to rebooting the system.
To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls
The large number (more than 330) of available syscalls present a significant attack surface that can lead to OS-level kernel exploits, even though for any given application, only a small subset of syscalls is actually being used. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls and apply those profiles per application. Docker, for example, has disabled 50 syscalls in its default seccomp profile for running Docker containers.
Aqua Container Security Platform
However, this still leaves more than 250 syscalls enabled, most of which would not be necessary for a specific application, and best practices are for developers to disable them. The challenge is that creating custom profiles for an application is difficult because it requires a deep low-level understanding of how the application uses syscalls – which is why most organisations often rely on the weak default.
The release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analysing a running container’s syscall use, white-listing those being used, and creating a custom seccomp profile to prevent the use of all other syscalls. Since a typical container only uses between 40-70 syscalls, this results in a dramatic reduction in the number of available syscalls for a given service, reducing the attack surface by as much as 90%. Any attempt by an attacker to use a non-whitelisted syscall will be blocked by Aqua and generate an alert.
Securing cloud-native deployments
Aqua is committed to making cloud-native applications more secure while minimising any disruption to business continuity"
“Aqua is committed to making cloud-native applications more secure while minimising any disruption to business continuity,” says Amir Jerbi, CTO and co-founder of Aqua Security. “Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits.”
Modes of cloud-native app deployment are constantly expanding to cater for varying needs. Today, in addition to running containers on VMs, organisations can deploy “serverless” code, whether as on-demand containers using services such as AWS Fargate or Azure Container Instances, or as serverless functions.
New capabilities for full-stack security
Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua’s MicroEnforcer technology released earlier this year:
- AWS Lambda function scanning: Aqua’s extensive vulnerability, hard-coded secrets and malware scanning is now available for scanning AWS Lambda functions.
- CRI-O and containerd support: Aqua’s runtime protection controls are now available in environments using the CRI-O and containerd container engines.
- “Thin OS” protections: Aqua Monitors hosts that run containers for successful and failed login attempts and provides discovery and scanning for container images stored on the host.
Additional compliance and platform features
Aqua 3.2 also introduces numerous new features based on customer requirements:
- Aqua’s Container Firewall now allows the use of rules based on domain names, in addition to container/cluster IP addresses, making it easier to create application network rules.
- New out of the box compliance templates for runtime protection, applying best practices for meeting NIST, PCI, HIPAA, and GDPR requirements.
- Integration with the Azure Container Registry quarantine feature, preventing vulnerable images from being pulled from the registry.
- Enhanced SAML support, allowing Federated Single Sign-On from Microsoft ADFS, Okta, and Google Apps, among others.