Falco, the open source cloud native runtime security project, was the first runtime security project to join the Cloud Native Computing Foundation (CNCF) sandbox in October 2018, and can now claim the same precedent for joining the incubation stage. Originally created by Sysdig, Falco detects and alerts on unexpected behavior at runtime, taking a different approach from the other security projects in the CNCF today, said Kris Nova, chief open source advocate at Sysdig and Falco maintainer.
“We come from a traditional introspective background. Now that we’re in a cloud native ecosystem, we’ve taken that a step further and we’re now using the kernel as a way of trying to understand more about what’s going on in the system at runtime,” Nova told The New Stack. Falco can be used as part of a set of checks and balances, alongside CNCF’s Open Policy Agent and Role-Based Access Control (RBAC) or other prevention techniques to secure IT infrastructure.
Other security projects in the CNCF, Nova explained, currently protect against intrusion, but Falco differs in that it instead responds when there is a breach. “There’s no such thing as truly secure software,” said Nova, “so we just use observability to try to gain as much information as we can at runtime in the case that something gets through the prevention techniques that we’ve applied to our system.”
Falco provides runtime security with an implementation of the Extended Berkeley Packet Filter (eBPF), which allows the tool to capture system calls at the level of the Linux kernel, without impacting performance. Falco takes the information it gets from eBPF and combines it with information from container runtimes and Kubernetes to create a definition of normal against which it can compare. Currently, the project does this using an eBPF implementation provided by Sysdig, said Nova, but the plan moving forward is to bring forward an open source eBPF implementation.
“The deeper technology that Falco is built on comes from Sysdig technologies and we’re looking at moving that into the open and at rebuilding the eBPF solution for kernel tracing. eBPF is a protocol, so it’s like HTTP or gRPC. It’s something that anyone can use or build to — it’s a standard, basically. We’re looking at moving our implementation of how we’re using eBPF today into the Falco project,” said Nova. “We have a lot of work ahead of us. The number one thing I would want to stress here other than eBPF would be that we’re introducing a mutually authenticated, TLS encrypted, gRPC API for Falco. The intent here is to make Falco more composable and more modular so that we can start to integrate with other tools like OPA, Prometheus, like Kubernetes RBAC.”
With the introduction of the gRPC API, said Nova, the project is committing to a guarantee of backward compatibility to other projects looking to integrate with Falco, which is looking at a breaking change in the near future with Falco 1.0. As part of reaching the incubation stage, demonstrating a wide contributor community is part of the process, and Falco boasts more than 50 contributors and a 100% increase in commits year-over-year. Now, Nova said, they are hoping the API leads to more integrations with other security tools in the space.
“We hope to enable other folks to start to depend on Falco so that they can integrate with it and so they can start plumbing their own security information through Falco. We have some production users right now who have already started doing that, which was part of the inspiration for this whole idea of building out an API around it,” said Nova. “You can see success with this with Kubernetes, with Envoy, with other tools that have made it to graduation with the CNCF, where they took an API-first approach, which is something that we’re very committed to with Falco. Contributions accepted. Pull requests accepted.”
The Cloud Native Computing Foundation is a sponsor of The New Stack.