Chef has teamed up with Israeli security vendor Rezilion to further automate secure application delivery and get developers, security teams and operators working together.
Traditionally, development teams start building a project and, independent of that, the security team writes policies and at some later point, they’re expected to mesh the two together. More likely, “they’re clashing,” as Rezilion CEO Liran Tancman put it.
As development teams get ready to push to production, they have to go through security checkpoints in which they’re sent back to make fixes or changes to the application itself out of security concerns.
That not only slows the process down, but “we’re building automation on one side, and then we’re sort of retracting the automation on the other side,” explained Corey Scobie, chief technology officer of Chef.
With the volume and velocity of deployments in modern DevOps environments, security teams “are lost,” according to Tancman.
“The whole reason we can get to those very big and very dynamic environments is because of technologies like Chef, which can automate [much of the] day-to-day for the deployment and operations groups. But security is still manual,” he said. “Rezilion is trying to bring security up to speed and automatically secure those production environments.”
Rezilion is coming out of stealth with the Chef announcement.
Tancman, whose background includes security work with the Israeli Defense Forces, sold his previous security company, CyActive, to PayPal in 2015.
At the core of the Rezilion technology is the ability to reverse-engineer the application artifacts that are pushed to production. It relies on static analysis rather than machine learning, which, according to Tancman, requires human tuning, needs retraining as soon as you think it’s trained, and produces too many false positives.
“We’re talking about a self-healing system. So we have the ability to automatically understand, taking the code that developers push to production, what every instance of an application should be doing,” Tancman said.
It monitors three things: the code the instance is executing, the commands it’s using and the connections involved. Then it compares the actual behavior with the intended behavior.
“We automatically create a policy based on the artifact pushed to production — we turn your CI/CD into a white list. Number two, we monitor in real-time code commands and connections to see what’s actually happening. And number three, in case of a deviation, we use existing IT automation tools to bring you back to a known good state and allow you to continue to run,” he said.
In a Kubernetes instance, the way to remediate some anomaly could be to execute a Chef cookbook to kill that container instance and replace it with a new fresh one out of the artifact repository, Scobie explained.
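The three steps Tancman and Scobie describe (derive an allowlist from the artifact, compare runtime code, commands and connections against it, and replace any deviating instance) can be sketched as a small policy engine. The following is an added illustration written for this article, not Rezilion’s or Chef’s code; the artifact contents, deployment manifest, runtime events, instance names and the `replace_instance` action are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the artifact CI/CD pushed to production: file
# contents plus the commands and connections its deployment manifest declares.
ARTIFACT_FILES = {
    "/app/bin/web": b"constructed bytes of the web service binary",
    "/app/lib/handlers.so": b"constructed bytes of the request handler library",
}
ARTIFACT_MANIFEST = {
    "commands": ["/app/bin/web", "/usr/bin/curl"],
    "connections": [("db.internal", 5432), ("cache.internal", 6379)],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Policy:
    """Allowlist derived from the artifact: code, commands, connections."""
    code_hashes: frozenset
    commands: frozenset
    connections: frozenset


def build_policy(files, manifest) -> Policy:
    """Step one: turn the CI/CD artifact into a whitelist of expected behaviour."""
    return Policy(
        code_hashes=frozenset(sha256(content) for content in files.values()),
        commands=frozenset(manifest["commands"]),
        connections=frozenset(manifest["connections"]),
    )


@dataclass(frozen=True)
class Deviation:
    instance: str
    kind: str      # "code", "exec" or "connect"
    detail: str


def evaluate(policy: Policy, events) -> list:
    """Step two: compare observed runtime events with the intended behaviour.

    Each event is a dict with an 'instance' id and a 'type'; anything the
    policy does not explicitly allow (unknown event types included) is a deviation.
    """
    deviations = []
    for ev in events:
        inst, kind = ev["instance"], ev["type"]
        if kind == "code":
            if ev["sha256"] not in policy.code_hashes:
                deviations.append(Deviation(inst, "code", f"unexpected code loaded from {ev['path']}"))
        elif kind == "exec":
            if ev["argv"][0] not in policy.commands:
                deviations.append(Deviation(inst, "exec", f"unexpected command {' '.join(ev['argv'])}"))
        elif kind == "connect":
            if (ev["host"], ev["port"]) not in policy.connections:
                deviations.append(Deviation(inst, "connect", f"unexpected connection to {ev['host']}:{ev['port']}"))
        else:
            deviations.append(Deviation(inst, kind, "unrecognised event type"))
    return deviations


def plan_remediation(deviations) -> list:
    """Step three: one action per deviating instance. 'replace_instance' is a
    hypothetical action name standing in for the Chef/Kubernetes step the article
    describes (kill the container and redeploy it from the artifact repository)."""
    reasons_by_instance = {}
    for d in deviations:
        reasons_by_instance.setdefault(d.instance, []).append(d.kind)
    return [
        {"instance": inst, "action": "replace_instance", "reasons": reasons}
        for inst, reasons in sorted(reasons_by_instance.items())
    ]


POLICY = build_policy(ARTIFACT_FILES, ARTIFACT_MANIFEST)

# Constructed runtime telemetry: one instance behaves as built, the other loads
# code that never came through CI/CD, runs a command the manifest does not list
# and opens a connection it does not declare.
RUNTIME_EVENTS = [
    {"instance": "web-7d9f", "type": "code", "path": "/app/bin/web",
     "sha256": sha256(ARTIFACT_FILES["/app/bin/web"])},
    {"instance": "web-7d9f", "type": "exec", "argv": ["/usr/bin/curl", "http://cache.internal/health"]},
    {"instance": "web-7d9f", "type": "connect", "host": "db.internal", "port": 5432},
    {"instance": "web-2c41", "type": "code", "path": "/tmp/handlers.so",
     "sha256": sha256(b"constructed bytes that did not come from the build")},
    {"instance": "web-2c41", "type": "exec", "argv": ["/bin/sh", "-c", "id"]},
    {"instance": "web-2c41", "type": "connect", "host": "203.0.113.10", "port": 8443},
]

if __name__ == "__main__":
    found = evaluate(POLICY, RUNTIME_EVENTS)
    for d in found:
        print(f"{d.instance}: {d.kind}: {d.detail}")
    for action in plan_remediation(found):
        print(action)
```

Because the policy is derived from the built artifact rather than hand-written, every instance of the same release shares the same allowlist, and the remediation plan carries only the instance identity and the reasons, which is what an automation tool such as a Chef cookbook needs to replace the instance from the artifact repository.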
The two companies came together through mutual customers, Scobie said.
“[Often a] customer has CI/CD and other code artifacts that can be used to build that baseline policy, that whitelist. And so often, a lot of those artifacts come from the world of Chef, whether it’s Chef, infrastructure automation stuff, potentially Habitat plans and files,” he said.
“And then the second part of it is that there needs to be some remediation automation capabilities that the customer implements as a result. And that often comes from automation platforms like Chef.”
Chef announced it was going all-in on open source earlier this year, rather than an open core business model, and has been touting its relevance in a Kubernetes world. It’s been promoting its Enterprise Automation Stack, a subscription bundle of its automation services covering the entire application development lifecycle.
With the growing importance of security and compliance, it has focused its efforts in that vein on its InSpec product as the best way to secure applications.
Rezilion and InSpec are complementary technologies that provide a defense-in-depth approach for security, according to Scobie.
InSpec is focused on making sure that systems and software are created and deployed as defined by enterprise security and compliance policies. It lets you check the formation and configuration of systems for consistency across the various stages of a DevOps pipeline. It requires someone to define or write those policies for static evaluation.
Rezilion comes into the picture when the application is ready for deployment and creates a runtime security policy specific to that system and application. It then monitors the system and application at runtime and alerts or triggers an action when anything happens on the system that falls outside the policy. If the system or application is breached, it detects that and triggers an automatic remediation.
They foresee improved collaboration as a result of the new partnership. Developers want to focus on building their applications, and security people want to reduce the attack surface.
“And we allow both sides to do that. Developers get to push their code and … the policy we create is really the tightest you could build without breaking that application,” said Tancman. “So the CSO, the security officer, gets a dramatic reduction on the attack surface. But he doesn’t fight developers in the process.”