Falco leaves sandbox, steps into CNCF Incubator

Cloud-native runtime security project Falco has joined the incubator of the Cloud Native Computing Foundation, after frolicking in the organisation’s sandbox since October 2018.

Falco is meant to reduce the risk of security incidents by alerting on unexpected behaviour at runtime. It was started at container security company Sysdig, which is still the driving force behind the project. The company’s chief open source advocate Kris Nova nevertheless sees the promotion as an official reaffirmation of Falco’s vendor neutrality, which is a must for CNCF projects, as well as of the project’s general health.

Moving on, she has high hopes for the project. “Now that Falco is an incubation-level hosted project, we expect that Falco will become a standardized component for folks with runtime security concerns,” she told DevClass in an e-mail. “We hope that we can use this new support to help tell a comprehensive cloud-native security story, in partnership with preventive tooling like OPA, and access control mechanisms, such as Kubernetes RBAC. We also expect that adoption will significantly increase our ability to generate and maintain contributions to the project.”

Falco’s new status also mirrors the growing importance of security projects in the CNCF. It was just a couple of weeks ago that The Update Framework became the foundation’s first security-related graduated project. While Sysdig’s CTO Loris Degioanni is surely happy about the interest, he also sees the issues that come with it.

“One of the biggest issues we continue to see is platform and cloud teams waiting to introduce security late in their adoption of cloud native. There is a fear that getting security involved early will slow the move to new environments. Therefore, we see that they first figure out how to deploy their application, then they worry about how to make it available. Their last step is tackling security and compliance. The thought is that security and compliance are not necessary until the application is available, so they do not focus on it until it’s needed.”

This, however, can get very costly, especially when issues come up with an already deployed solution. Finding the cause at that stage “requires a deeper investigation that takes more time and could require extensive changes to code. Using legacy security and compliance processes reduces the agility benefits of cloud native.”

To make open source security projects for the cloud native space more appealing, stability is as important as the signalling effect of a foundation home. That is only one of the reasons why work on the first major Falco release is in full swing right now. According to Nova, version 1.0 “will include a new TLS encrypted gRPC API, as well as other features enabling the consumption of Falco with other cloud-native tooling”.

Other aspects the team is currently working on are the move of Falco components to an API-first architecture and new rules for the project’s security hub. After that, it’s back to working through the items on the CNCF’s to-do list for graduation, which include receiving a best practices badge and completing security audits.