Aqua Security, the pure-play cloud-native security solutions company, has announced the availability of its new Aqua Platform, with a unified console to ease the journey from scanning and visibility to workload protection in cloud-native environments.

Aqua Platform

The new Aqua Platform reduces administrative burden and allows security teams to start with scanning and cloud security posture management (CSPM) capabilities, then add sandboxing and workload protection as needed. The experience is streamlined regardless of scale, and the platform is available as a SaaS or self-hosted deployment.

“Scaling our cloud-native security needs is a priority for us,” said Thomas Ornell, Senior Systems Engineer at ABAX, adding, “We have been working with Aqua to secure our cloud-based Kubernetes environments and improve visibility of our current risk. The tooling provided by Aqua is making it a lot easier to navigate our way through our cloud-native security strategy.”

Cloud Workload Protection Platform capabilities

The unified approach lowers management overhead for advanced runtime features, in an industry where scanning during development and CSPM are easier for teams to understand and deploy as a first step, while critical Cloud Workload Protection Platform (CWPP) capabilities are sometimes left behind. It also gives customers better context and prioritization when identifying risks and threats, supporting a full-lifecycle approach to securing cloud-native applications. In a recent survey of cloud-native security practitioners, only 32% of respondents were confident in protecting against in-progress attacks in their cloud-native environments.

CNAPP integrates cloud security tools

In a recent report, Gartner notes that CNAPP (Cloud-Native Application Protection Platform) is an emerging capability that brings together cloud security tools, including CWPP and CSPM. CNAPP tools integrate information from both CWPP and CSPM to provide more detailed insight into security behaviour in CIPS (cloud infrastructure and platform services) deployments. Aqua is also seeing a growing trend within its customer base toward adopting both CWPP and CSPM capabilities in a unified platform. “In the past year, Aqua has seen a 3x increase in CSPM customers who have also purchased Aqua’s CWPP capabilities,” said Amir Jerbi, Co-Founder and Chief Technology Officer (CTO) at Aqua Security.

Protecting workloads at run time

Amir Jerbi adds, “Organizations recognize the need to protect workloads at run time, and Aqua is keeping pace with that demand, bringing more unification without compromising scalability. While other solutions require multiple screens and consoles, or just provide visibility without options for workload protection, Aqua offers the industry’s only comprehensive unified platform.”

This release of the Aqua Platform also includes dozens of new features and capabilities, including:

- Automatic discovery and onboarding of CSPM within GCP environments.
- Scanning Google Cloud Functions for vulnerabilities and sensitive data, extending prior support for AWS Lambda and Microsoft Azure Functions.
- Migrating from the deprecated Kubernetes PodSecurityPolicy (PSP) to the Pod Security Standards (PSS) using new assurance policies and open source Rego rules.
- Enhanced runtime protection with file integrity monitoring for containers, and threat response policies that specifically block reverse shell attempts and crypto-mining.
- Custom severities for specific vulnerabilities, to conform with customers’ internal standards.
- Finding, provisioning, and managing Aqua within AWS environments using AWS CloudFormation templates.
- A new certified Red Hat OpenShift Operator to automate Aqua deployments and upgrades.
Aqua Security, the pure-play cloud native security provider, announces the acquisition of tfsec, an open source security scanner for Infrastructure as Code (IaC). The acquisition brings an immediate integration of tfsec into Aqua Trivy, adding IaC security scanning capabilities, with additional Aqua platform integrations planned later this year. tfsec’s co-founders will join Aqua following the acquisition.

Essential security capabilities

“tfsec is the known leader in Terraform code scanning, and we’re thrilled to bring its capabilities and intelligence under Aqua’s open source and commercial umbrella,” said Amir Jerbi, CTO and co-founder of Aqua Security. “Aqua is committed to investing in open source cloud security tools and to providing users a frictionless way to assimilate essential security capabilities into their cloud native applications where they need them most.”

IaC security scanning is a critical step in helping users secure the configurations of the environments in which they deploy their applications. The integration of Aqua Trivy and tfsec helps teams shift left, combining the ease of use and scanning speed of Trivy with the enhanced IaC coverage of tfsec, without additional management overhead and as part of a unified workflow.

Run security checks

With its run-anywhere design, tfsec provides a download-and-run scanning solution that is fast, accurate, and flexible. The approach tfsec takes to loading the code ensures that IaC is interpreted exactly as Terraform interprets it, meaning that regardless of complexity, one gets the best possible view of any misconfigurations before the infrastructure is deployed. “We saw a need in the market for a more intelligent form of Terraform scanning,” said Liam Galvin, tfsec co-founder. “Building tfsec from community input, we were able to deliver on developers’ needs for a quicker, more efficient way to run security checks.”

Simple user experience

“Aqua Trivy has become the industry standard for open source vulnerability scanning thanks to its simple user experience and rich functionality. Now Trivy brings the same superior experience into Infrastructure as Code scanning to provide even more value to container and code scanning,” says Itay Shakury, Director of Open Source at Aqua Security. “By integrating tfsec and Trivy, our users can scan code repositories and container images for vulnerabilities and IaC configuration issues, all using a single tool that can integrate into their CI tool or even be used as a GitHub Action.”

While tfsec will remain a standalone project, in addition to its integration into Trivy it will also be added to Aqua Security’s suite of open source cloud security tools, alongside Tracee, Starboard, kube-bench and kube-hunter.

Open source community

With this portfolio, users can also perform penetration tests of Kubernetes clusters (kube-hunter), check clusters against the CIS Kubernetes Benchmark (kube-bench), integrate disparate Kubernetes security tools into an aggregate security dataset that is available natively in Kubernetes (Starboard), view runtime and forensics data for Linux (Tracee), and more.

tfsec co-founders Liam Galvin and Owen Rumney will join the Aqua team as Cloud Engineers, bringing deep experience in both software and open source. Galvin is an experienced full stack engineer with more than 15 years of building software and contributing to the open source community. His most recent experience has been rooted in security, and he joins Aqua from FORM3, where he was a Lead Security Engineer.
Building cloud infrastructure

Galvin built tfsec after recognizing the security gap while using HashiCorp’s Terraform to build cloud infrastructure for multiple startups. He also maintains many other open source projects, such as traitor, a local privilege escalation framework for Linux that has recently garnered significant attention from the community.

Rumney is a seasoned software engineer with experience building repeatable, consistent deployments in large-scale, ephemeral data processing environments. In addition to his work on tfsec, he most recently served as Senior Platform and Security Engineer at FORM3, and he has held prior roles as a Lead Data Engineer at BP and Holland & Barrett. He has combined his background in IaC with a focus on cloud security risks, working to help individuals and organizations intercept potential issues before they make it to production.
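To make concrete what “IaC security scanning” means in practice, here is an added example written for this page; it is not tfsec or Trivy code, and its rules are a small constructed subset of the kind of checks those tools ship. It scans Terraform’s JSON syntax (a .tf.json document) rather than HCL, so it is self-contained and runs offline, but it therefore does not evaluate variables, locals or module references the way tfsec’s Terraform-aware loader does; a real scanner must resolve those before judging a resource. The sample configuration is made up.

```python
"""Minimal IaC misconfiguration scanner over Terraform's JSON syntax (.tf.json).

Added example, not tfsec or Trivy code. The rules are a constructed subset of
the checks such tools run, and the sample configuration below is made up.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, resource address, message)


def _blocks(value: Any) -> List[Dict[str, Any]]:
    """Nested blocks appear in .tf.json as either one object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_security_group(addr: str, body: Dict[str, Any]) -> List[Finding]:
    """Flag ingress rules open to the whole internet; admin ports are critical."""
    out: List[Finding] = []
    for rule in _blocks(body.get("ingress")):
        cidrs = list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", []))
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            port = rule.get("from_port")
            severity = "CRITICAL" if port in (0, 22, 3389) else "HIGH"
            out.append((severity, addr, f"ingress from the whole internet on port {port}"))
    return out


def check_s3_bucket(addr: str, body: Dict[str, Any]) -> List[Finding]:
    """Flag public ACLs and buckets with no server-side encryption block."""
    out: List[Finding] = []
    if body.get("acl") in ("public-read", "public-read-write"):
        out.append(("HIGH", addr, f"bucket ACL is {body['acl']}"))
    if not _blocks(body.get("server_side_encryption_configuration")):
        out.append(("MEDIUM", addr, "no server-side encryption configured"))
    return out


def check_db_instance(addr: str, body: Dict[str, Any]) -> List[Finding]:
    """Flag publicly reachable or unencrypted RDS instances."""
    out: List[Finding] = []
    if body.get("publicly_accessible") is True:
        out.append(("HIGH", addr, "RDS instance is publicly accessible"))
    if body.get("storage_encrypted") is not True:
        out.append(("HIGH", addr, "RDS storage is not encrypted"))
    return out


CHECKS: Dict[str, Callable[[str, Dict[str, Any]], List[Finding]]] = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan(config: Dict[str, Any]) -> List[Finding]:
    """Walk every resource in a parsed .tf.json document and apply the matching check."""
    findings: List[Finding] = []
    for rtype, instances in (config.get("resource") or {}).items():
        check = CHECKS.get(rtype)
        if check is None:
            continue  # no rule for this resource type
        for name, body in instances.items():
            findings.extend(check(f"{rtype}.{name}", body))
    return findings


def scan_tf_json(text: str) -> List[Finding]:
    """Convenience wrapper: parse the .tf.json text, then scan it."""
    return scan(json.loads(text))


# Constructed sample configuration (not from any real deployment).
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "bastion": {
                "name": "bastion",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
                ],
            }
        },
        "aws_s3_bucket": {
            "assets": {"bucket": "example-assets", "acl": "public-read"},
            "logs": {
                "bucket": "example-logs",
                "acl": "private",
                "server_side_encryption_configuration": {
                    "rule": {"apply_server_side_encryption_by_default": {"sse_algorithm": "AES256"}}
                },
            },
        },
        "aws_db_instance": {
            "orders": {"engine": "postgres", "publicly_accessible": True, "storage_encrypted": True}
        },
    }
})

if __name__ == "__main__":
    for severity, addr, msg in scan_tf_json(SAMPLE_TF_JSON):
        print(f"{severity:8} {addr}: {msg}")
```

Run as a script it reports the open SSH rule, the public bucket ACL, the unencrypted bucket and the public RDS instance; the encrypted, private `logs` bucket and the internal HTTPS rule pass. A CI job would typically fail the build on any CRITICAL or HIGH finding and report MEDIUM ones.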
Aqua Security, the pure-play cloud native security solutions provider, has announced the appointment of Darkbit co-founders Brad Geesaman and Josh Larsen to the Aqua team. Brad Geesaman will serve as Director of Cloud Security and Josh Larsen as Director of Cloud Product at Aqua Security. Their expertise will be leveraged to further strengthen Aqua’s Cloud Security Posture Management (CSPM) solution and Kubernetes offerings.

Cyber and information security experts

Geesaman and Larsen have been singularly focused on cyber and information security for over 20 years and have worked with Kubernetes since its inception. With an emphasis on cloud native security, they will bring their approach of context-aware prioritization and automation to Aqua and help customers strengthen their cloud security posture.

“We’re very excited to welcome Josh and Brad to the team,” said Amir Jerbi, Co-Founder and Chief Technology Officer (CTO) for Aqua Security.

Visibility into enterprise cloud environments’ security needs

Amir Jerbi adds, “The deep, hands-on experience they’ve garnered with Darkbit offers unparalleled visibility into the security needs and priorities of enterprise cloud environments, eliminating risk across multiple layers and avoiding blind spots. We’re eager to build their insights into something tangible and scalable for Aqua’s customers.”

“We started Darkbit laser focused on cloud native security, and we couldn’t be more aligned with Aqua’s overall mission,” said Josh Larsen, adding, “The opportunity to join a company that’s pushing the boundaries in cloud native and empowering its customers to innovate, while balancing security and compliance, is a natural evolution of our previous work.”

Enhancing security and scalability of enterprises

Josh Larsen, Co-Founder and former Chief Executive Officer (CEO) of Darkbit, is a serial entrepreneur with over 20 years of experience building security companies and teams. He is passionate about improving the security and scalability of technology-driven enterprises. Prior to launching Darkbit, Larsen was Founder and CEO of Blackfin Security Group, where he led overall company direction and product launch strategy and ultimately led the company to a successful acquisition by Symantec Corporation (AVGO). At Symantec, Larsen led the Emerging Technologies Group, focused on threat simulation platform development.

Cloud infrastructure veteran

Brad Geesaman, Co-Founder and former Chief Security Architect of Darkbit, is a respected security researcher with a deep understanding of cloud infrastructure and container orchestration platforms. His work has been featured in security publications, security podcasts, and at events such as RSA, KubeCon, and Black Hat. Prior to Darkbit, Geesaman was Chief Technology Officer of Blackfin Security. At Blackfin, he led the technology and development teams responsible for building immersive threat simulation environments on top of Kubernetes to train cyber security analysts at enterprise scale.
Active member of the Cloud Native Computing Foundation

Brad Geesaman is also active in the Cloud Native Computing Foundation and the open source community, and was drawn to Aqua’s contributions. “Aqua truly embraces open source,” said Brad Geesaman, adding, “The authenticity and number of open source software projects are a testament to the company’s dedication. I am eager to contribute my expertise in hacking and hardening Kubernetes and building security tools and frameworks to the great work Aqua is already doing.”
Aqua Security, a pure-play cloud native security pioneer, announces that its cloud native security platform now protects containers and Virtual Machine (VM) workloads at runtime on Arm®-powered devices. This enables Aqua customers to take advantage of the high density and cost-effectiveness of Arm-powered hosts and devices across cloud infrastructure, edge and IoT platforms, including the new AWS Graviton2 instances from Amazon Web Services (AWS). As the number of Arm-powered services in the cloud native and IoT compute spaces increases, Aqua customers will enjoy continued choice in optimizing the cost and performance of their cloud native applications, while enjoying unified, consistent security across all architectures.

Cloud-native applications

Arm is at the forefront of an ongoing shift in the processor industry toward custom silicon that allows customers to create innovative and differentiated services. For example, AWS uses Arm technology in the processors that power AWS Graviton2, its latest cloud compute offering, which offers a 20% increase in speed, a 20% decrease in cost, and a 40% improvement in price-performance over comparable x86-based instances.

“Full lifecycle security is a critical component for cloud-native applications and customers should not be constrained when making compute platform choices,” said Eddie Ramirez, senior director of Marketing, Infrastructure Line of Business, Arm. “Our collaboration with Aqua ensures broader security support for a wide range of Arm-based infrastructure solutions from the cloud to the edge.”

Enforcing security policies

The Aqua Cloud Native Security Platform provides a complete solution to secure cloud native applications, from the build phase, through protecting the infrastructure they run on, to runtime protection of workloads in production. The platform protects the full spectrum of technologies from VMs to containers, Kubernetes, and serverless functions, across all platforms and clouds. Aqua customers are among the largest organizations in the financial services, telecom, energy, and automotive sectors, and are early adopters of Arm-based architecture.

“Our customers will be able to continue and accelerate their cloud native journey with Aqua’s support for Arm-based architectures. Through our commitment to supporting the full range of cloud native deployment options, Aqua has collaborated with Arm and AWS to afford our shared customers the freedom of choosing innovative cloud native architectures and propel better efficiencies and scale, while enforcing security policies and adhering to compliance mandates,” says Amir Jerbi, Aqua’s Co-founder and CTO.
New Kubernetes security posture management (KSPM) and agentless runtime protection empower organizations to defend Kubernetes-based applications against multiple threats

Aqua Security announced a suite of new Kubernetes-native security capabilities, providing a holistic approach to securing applications that run on Kubernetes across the development, deployment, and runtime phases of the application lifecycle. The company also announced significant new features in its Cloud Security Posture Management (CSPM) solution. These new capabilities are integrated into Aqua’s cloud native security platform, covering the spectrum of deployment options across containers, VMs, and serverless functions.

In a recent research note, Michael Isbitski and Frank Catucci of Gartner assert that “Kubernetes’ inherent complexity often leads to outdated versions and misconfiguration by organizations, making clusters susceptible to compromise. Though some security mechanisms are included by design, K8s by itself is not a security offering, and security settings aren’t always enabled by default. Protecting a K8s cluster is a significant undertaking, requiring both substantial understanding of the underlying technology and engineering expertise to configure it all.”

Kubernetes Security Posture Management (KSPM)

Aqua’s new Kubernetes security solution addresses the complexity, and the short supply of engineering expertise, involved in configuring Kubernetes infrastructure effectively by introducing KSPM (Kubernetes Security Posture Management), a coherent set of policies and controls that automate secure configuration and compliance. Additionally, Aqua now offers new agentless runtime protection capabilities that use Kubernetes itself to deploy security controls into pods, leveraging and extending the native capabilities built into Kubernetes.
“The large-scale use of Kubernetes, as well as developments in the threat landscape, necessitate a comprehensive approach to securing applications that goes beyond generic benchmarks, providing seamless workload protection in runtime,” noted Amir Jerbi, CTO and co-founder at Aqua. “We’ve been working with our enterprise customers to make it easier to securely deploy and seamlessly protect applications that run on Kubernetes, while complementing our existing capabilities in Kubernetes and container security.”

New KSPM capabilities

- Kubernetes Assurance Policies: With more than 20 predefined rules available out of the box, and the ability to write custom rules in OPA (Open Policy Agent) Rego, these policies define which Pods may be deployed in a cluster based on multiple parameters. They work in conjunction with Aqua’s Image Assurance Policies to control which containers run in a cluster based on both image contents and configuration, as well as Pod configuration.
- Kubernetes Roles and Subjects Assessment: Reduces the administrative overhead of maintaining Kubernetes user and service account privileges by identifying risks and suggesting remediation. This addresses least-privilege gaps while reducing the need for Kubernetes security expertise, which is in short supply.

These new capabilities join Aqua’s existing certified CIS benchmark testing (powered by Aqua’s open source kube-bench) and penetration testing (powered by Aqua’s open source kube-hunter), providing enterprises with comprehensive insight into the security posture of their Kubernetes clusters, and the ability to address gaps efficiently without specialized expertise.

Enhanced security extensions

With its new Kubernetes Runtime Protection module, Aqua introduces a new model for deploying runtime security controls in a Kubernetes cluster, complementing its existing container runtime security deployment options. This new model leverages Kubernetes admission controllers to inject and govern sidecar containers within Pods, in a similar fashion to service-mesh sidecars such as Envoy. This mode of deployment enables greater automation and does not require any privileges on the node’s host OS, while providing dynamic runtime controls such as container drift prevention, behavioral controls, and network controls.

In addition to the extensions to Kubernetes security capabilities, the latest release adds many new features and enhancements, including:

- New Customisable Dashboard: Provides a clear view of the overall security status of your cloud native environment, with dedicated widgets for key areas such as host and image/container security, and a drag-and-drop design. The new dashboard supports Aqua’s RBAC model to filter viewable data according to user role permissions.
- AWS Bottlerocket Support: The new AWS operating system for running containers is now available as a protected workload platform.
- Auto-Remediation for Azure in Aqua CSPM: Aqua CSPM now provides remediation advice and auto-remediation options for Azure cloud services, previously available for AWS.
- New Compliance Reports in Aqua CSPM: Aqua CSPM now provides out-of-the-box compliance reports for additional frameworks, including SOC 2 Type 2, ISO 27001, NIST SP 800-53, and NIST CSF.
- VM Security: Now allows flexible scan scheduling, scan history review, and malware scans on mounted NFS shares.
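The Kubernetes Assurance Policies described above, like the PSP-to-PSS migration mentioned in the Aqua Platform release, come down to one thing: reject any Pod spec that fails a fixed rule set before it is admitted. The following is an added example written for this page; it is not Aqua’s code or its Rego rules. It implements a subset of the Pod Security Standards “restricted” profile (privileged containers, host namespaces, hostPath volumes, privilege escalation, capabilities, non-root user, seccomp) over Pod manifests already loaded as Python dicts, which is what a validating admission webhook would receive after decoding the AdmissionReview. The two sample manifests are constructed.

```python
"""Pod assurance check in the style of the Pod Security Standards 'restricted' profile.

Added example, not Aqua's product code and not a complete PSS implementation.
Manifests are handled as dicts, i.e. the result of loading a YAML/JSON Pod.
"""
from typing import Any, Dict, List

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}       # the only capability 'restricted' lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Init and ephemeral containers are subject to the same rules as app containers."""
    return (list(spec.get("containers") or [])
            + list(spec.get("initContainers") or [])
            + list(spec.get("ephemeralContainers") or []))


def evaluate_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the list of policy violations for a Pod manifest (empty list = compliant)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    # Pod-level checks: host namespaces and hostPath volumes break isolation from the node.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field):
            violations.append(f"pod: {field} must not be true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')}: hostPath volumes are not allowed")

    # Container-level checks. A container-level securityContext field overrides the
    # pod-level one, so either place may satisfy runAsNonRoot and seccompProfile.
    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"container {name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"container {name}: added capabilities not allowed: {sorted(extra)}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"container {name}: runAsNonRoot must be true (pod or container level)")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def admit(pod: Dict[str, Any]) -> bool:
    """Admission decision: allow only a Pod with no violations."""
    return not evaluate_pod(pod)


# Constructed sample manifests (not taken from any real cluster).
NOISY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api", "image": "registry.example.com/api:1.2.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (NOISY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", "allow" if admit(pod) else "deny")
        for v in evaluate_pod(pod):
            print("   ", v)
```

The noisy Pod is denied on seven counts; the hardened one is admitted. Note the deliberately strict shape of two rules: `allowPrivilegeEscalation` must be set to `false` explicitly (an absent field defaults to true on the kubelet), and a missing `seccompProfile` is a violation rather than a pass, which is exactly the kind of "not enabled by default" gap the Gartner note quoted above is about.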
Aqua Security, global security platform provider for securing container-based and cloud native applications, has announced the availability of version 4.0 of the Aqua cloud native security platform, introducing new security and compliance controls for serverless functions and Linux hosts. As enterprise development and deployment of cloud native, microservices-based applications continue to accelerate, Aqua enables security teams to manage and enforce security policies across a blend of VM-based containers, Containers-as-a-Service (CaaS) and Function-as-a-Service (FaaS), spanning both multi-cloud and on-premises environments.

Gartner Distinguished VP Analyst Neil MacDonald notes that “securing serverless will force information security and risk professionals to focus on the areas we retain control over. Specifically, the integrity and assurance of the code, identities of the code and developers, permissioning, and serverless configuration, including network connectivity.”

Serverless security solutions

Aqua’s comprehensive serverless security solution now includes a full chain of controls to discover functions across multiple cloud accounts, scan them for vulnerabilities, detect excessive permissions and configuration issues, and provide function assurance, preventing the execution of untrusted or high-risk functions based on defined policies. The key controls for serverless environments include:

- Function discovery: Creating an inventory of functions stored across cloud accounts.
- Vulnerability scanning: Deep scanning of a function’s packages and dependencies for known vulnerabilities (CVEs), based on multiple sources and supporting multiple programming languages.
- CI/CD integration: “Shifting left” beyond scanning existing functions, Aqua provides development teams with plug-ins for Continuous Integration environments to detect security issues as functions are being built.
- Permissions assessment: Identifying use of excessive or over-provisioned permissions specific to the serverless cloud environment, and monitoring for unused permissions, reducing the potential attack surface of a function.
- Sensitive data assessment: Detecting secrets and hard-coded keys within the functions themselves, or within environment variables, specific to the cloud environment, for instance AWS credentials or Azure authentication keys.
- Function assurance: Security teams can set policies that determine the risk threshold for allowing or disallowing function execution, based on a variety of factors including CVE severity, CVSS score, sensitive data, and permissions.
- Function anomaly detection: Monitoring of function usage patterns and alerting on sudden spikes in the frequency or duration of function execution.

Enhanced security controls

Another significant addition to the Aqua platform is tighter controls to secure the Linux hosts that run containers. This addresses potential risks from vulnerabilities such as CVE-2019-5736, the severe vulnerability disclosed earlier this year in runc, the low-level container runtime component used by most container engines and shipped by Linux distributions, which highlighted the need to secure the container stack at both the workload and host levels.
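Three of the controls in that list (permissions assessment, sensitive data assessment and function assurance) fit together as one pipeline: collect findings about a function’s configuration, then apply a threshold policy to decide whether it may run. The following is an added example in Python, written for this page and not Aqua’s code. It takes a function description shaped like an AWS Lambda configuration plus the IAM policy attached to its execution role, both constructed here, and uses deliberately simple heuristics: the documented AWS access key ID format (AKIA followed by 16 upper-case alphanumerics), PEM private key headers, secret-looking variable names, wildcard IAM actions, and a wildcard Resource combined with non-read actions. A production scanner would add many more patterns and would consult the cloud provider’s action catalogue instead of the Describe/List/Get verb heuristic used here.

```python
"""Serverless function risk assessment: plaintext secrets in environment variables,
over-provisioned IAM permissions, and a threshold-based allow/deny decision.

Added example, not Aqua's product code. Detection rules are simplified heuristics,
and the function and policy documents at the bottom are constructed.
"""
import re
from typing import Any, Dict, FrozenSet, List, Tuple

Finding = Tuple[str, str]  # (category, message)

# AWS access key IDs are 'AKIA' followed by 16 upper-case alphanumerics (documented format).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Name heuristic: a non-empty variable called *PASSWORD*, *TOKEN*, *API_KEY* ... is treated
# as a plaintext secret; it belongs in a secrets manager, referenced by ARN, not in env.
SECRET_LIKE_NAME = re.compile(r"secret|passw(or)?d|token|api[_-]?key|private[_-]?key", re.I)
READ_ONLY_VERBS = ("Describe", "List", "Get")


def find_env_secrets(env: Dict[str, str]) -> List[Finding]:
    """Sensitive data assessment over a function's environment variables."""
    findings: List[Finding] = []
    for name, value in env.items():
        if AWS_ACCESS_KEY_ID.search(value):
            findings.append(("secret", f"env {name}: value is an AWS access key ID"))
        elif PEM_PRIVATE_KEY.search(value):
            findings.append(("secret", f"env {name}: value is a PEM private key"))
        elif SECRET_LIKE_NAME.search(name) and value:
            findings.append(("secret", f"env {name}: name suggests a plaintext secret"))
    return findings


def _as_list(value: Any) -> List[Any]:
    """IAM allows Action/Resource/Statement to be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def assess_permissions(policy: Dict[str, Any]) -> List[Finding]:
    """Permissions assessment: wildcard actions, and Resource '*' on non-read actions."""
    findings: List[Finding] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(("wildcard_action", f"statement {i}: wildcard actions {wild}"))
        # 'service:Verb' -> Verb; anything not Describe/List/Get is treated as a write.
        writes = [a for a in actions if not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)]
        if "*" in resources and writes:
            findings.append(("wildcard_resource",
                             f"statement {i}: Resource '*' with non-read actions {writes}"))
    return findings


def assess_function(fn: Dict[str, Any]) -> List[Finding]:
    """Full assessment of one function description."""
    env = (fn.get("Environment") or {}).get("Variables") or {}
    return find_env_secrets(env) + assess_permissions(fn.get("Policy") or {})


def function_assurance(findings: List[Finding],
                       blocking: FrozenSet[str] = frozenset({"secret", "wildcard_action"})) -> str:
    """Policy decision: 'deny' if any finding falls in a blocking category, else 'allow'.

    The blocking set is the tunable risk threshold; by default a wildcard Resource alone
    only warns, because some read-only actions genuinely require Resource '*'.
    """
    return "deny" if any(cat in blocking for cat, _ in findings) else "allow"


# Constructed sample function descriptions (Lambda-like shape; not real accounts or keys).
SAMPLE_FUNCTION = {
    "FunctionName": "order-processor",
    "Runtime": "python3.9",
    "Environment": {"Variables": {
        "TABLE_NAME": "orders",
        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",   # AWS documentation example key
        "DB_PASSWORD": "hunter2",
    }},
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        ],
    },
}
CLEAN_FUNCTION = {
    "FunctionName": "order-reader",
    "Environment": {"Variables": {"TABLE_NAME": "orders"}},
    "Policy": {"Version": "2012-10-17", "Statement": SAMPLE_FUNCTION["Policy"]["Statement"][:1]},
}

if __name__ == "__main__":
    for fn in (SAMPLE_FUNCTION, CLEAN_FUNCTION):
        findings = assess_function(fn)
        print(fn["FunctionName"], "->", function_assurance(findings))
        for category, msg in findings:
            print(f"    [{category}] {msg}")
```

`order-processor` is denied: two plaintext secrets and an `s3:*` grant, plus a warning that the same statement uses `Resource: "*"`. `order-reader`, which keeps only the scoped DynamoDB statement, is allowed. Tightening the threshold is a one-line change to the `blocking` set, which is the "function assurance" knob the release describes.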
“The new technologies supporting cloud native applications require a holistic approach to security and compliance, across the application lifecycle as well as up and down the stack, and this has become more evident in recent months with significant vulnerabilities discovered in Kubernetes and runc, for example,” notes Amir Jerbi, CTO and co-founder at Aqua Security. “With this new release from Aqua, our customers can protect their applications against those, as well as yet undiscovered vulnerabilities, by implementing tight compliance and whitelisting-based zero-trust security.”

Aqua 4.0 security platform

Aqua 4.0 builds on previous Aqua host protections, which already included testing hosts against CIS (Center for Internet Security) benchmarks, scanning hosts for known vulnerabilities, and monitoring user logins, to provide:

- Malware scanning: Detecting malware in the host OS or any of its components.
- Vulnerability scanning: Scanning for CVEs in the host OS or any of its components.
- Whitelisted and blacklisted users and OS packages: Security teams can specify which users and OS packages are allowed or forbidden on a host.
- User activity monitoring: Aqua now logs all user commands on the host OS for security and compliance tracking, in addition to the previously available tracking of user logins and login attempts.
- CIS benchmark testing: Having achieved CIS certification for its Kubernetes benchmark, Aqua now provides detailed pass/fail information for each benchmark test, giving teams the remediation information they need.
- Custom benchmark scripts: Enabling the upload of scripts that customize benchmarks to account for configurations not covered by the standard CIS benchmarks, including Kubernetes clusters on Red Hat OpenShift.
- Host assurance: Policies that set a threshold for host compliance and security risk based on the results of the above scans and checks, generating alerts and audit events on policy violations.

Aqua CSP v4.0 will be generally available in mid-March for existing customers and new deployments.
Aqua Security, the platform provider for securing container-based and cloud native applications, announced the integration of its platform with Datadog’s cloud monitoring and analytics platform. With this integration, Aqua provides Datadog users real-time visibility into the security posture of cloud native applications, including information on vulnerable images, untrusted running containers, and security anomalies found by Aqua in the runtime environment. For DevOps teams that continuously monitor applications for operational parameters such as performance, bug tracking, and errors, security events are often a blind spot handled elsewhere, although they may directly affect application uptime and resiliency. The integration of Aqua’s granular security information into Datadog’s comprehensive monitoring makes it possible to identify issues quickly and analyze their impact on application availability.

Bridging The Gap Between Application And Security Teams

“As organizations shift to more dynamic infrastructure through cloud and container technologies, communication between application and security teams is more important than ever,” said Ilan Rabinovitch, VP Product and Community at Datadog. “By combining Datadog’s deep insights into containerized application performance with Aqua Security’s enforcement of security best practices, we are helping organizations bridge the gap between these traditionally siloed teams.”

The integration between Datadog and Aqua CSP features pre-built Datadog dashboards that display:

- Container images currently in Aqua’s scan queue
- Known vulnerabilities and security issues found in existing images
- Containers running from unauthorized images
- Aqua runtime policy violations and audit events

Detecting And Fixing Security Issues

Additionally, Datadog users can use the data provided in the Aqua dashboards to set up their own alerts, aggregate data streams from different applications, and customize how data is displayed.

“We are excited to be partnering with Datadog to deliver a more complete security view to DevOps teams,” said Amir Jerbi, CTO and co-founder of Aqua Security. “In the cloud native era, ensuring security can no longer be the exclusive burden of security teams, and instead should be part of the overall operational soundness of applications throughout their lifecycle. Our integration with Datadog creates a valuable shortcut that allows security issues to be detected early and fixed quickly, preventing escalated security incidents in production.”
Aqua Security announced that its Aqua Container Security Platform (CSP) has been certified by CIS to compare the configuration status of Kubernetes clusters against the consensus-based best practice standards contained in the CIS Kubernetes Benchmark. Organizations that leverage Aqua CSP can now ensure that the configurations of their critical assets align with the CIS Benchmarks consensus-based practice standards.

“We are thrilled to have our platform certified by the CIS for the Kubernetes Benchmark,” said Amir Jerbi, CTO and co-founder at Aqua. “This certification is a testament to the rigorous security testing performed by our platform, and our commitment to providing enterprise customers with solutions that enable them to meet CIS best practice standards and maximize the security posture of their Kubernetes clusters.”

Aqua Container Security Platform (CSP)

Aqua’s platform is used by more than 100 Global 1000 companies, securing their container-based and cloud native applications, on-prem and in the cloud, supporting both Linux and Windows runtime environments, across Kubernetes as well as other orchestrators. The Aqua platform drives DevSecOps automation and provides visibility and runtime protection for cloud native workloads, including both host-level and network-level controls.

This certification is issued by CIS (Center for Internet Security, Inc.) and reflects proven guidelines that are continuously refined and verified by a volunteer, global community of experienced IT professionals.

“Cybersecurity challenges are mounting daily, which makes the need for standard configurations imperative. By certifying its product with CIS, Aqua Security has demonstrated its commitment to actively solve the foundational problem of ensuring standard configurations are used throughout a given enterprise,” said Curtis Dukes, CIS Executive Vice President of Security Best Practices & Automation Group.

CIS Certified Security Software Products

In order for a product to receive the CIS Benchmarks Certification, a vendor must adapt its product to accurately report against the security recommendations in the associated CIS Benchmarks profile. CIS Certified Security Software Products demonstrate a strong commitment by vendors to give their customers the ability to ensure their assets are secured according to consensus-based best practice standards. The CIS Benchmarks program is a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations to meet compliance requirements for the Federal Information Security Management Act (FISMA), PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA), and other security requirements.
Aqua Security, global platform provider for securing container-based and cloud native applications, has announced version 3.5 of its cloud native security platform, which now protects a wide range of cloud native technologies, including applications using serverless functions. Customers can deploy end-to-end security to establish a consistent policy enforcement layer spanning containers, serverless containers (such as AWS Fargate) and serverless functions (such as AWS Lambda).

Aqua CSP v3.5

In addition, driven by continued adoption of the Aqua platform in some of the largest global enterprises, Aqua CSP v3.5 raises the bar in ease of management of complex, multi-application and multi-team enterprise environments by enabling flexible policy scopes and highly granular user role definitions, and adds container encryption for protection of intellectual property.

Moving to a serverless model allows developers to prioritize simplicity and agility by abstracting infrastructure concerns into a straightforward execution environment for applications and microservices. However, serverless architectures also introduce new security risks. Attackers may leverage a weakness or vulnerability in the serverless function code itself or in its third-party libraries, or attempt to take advantage of the complexity of cloud infrastructure permissions to reach services or networks that contain sensitive information. Building on Aqua’s experience in securing containers, Aqua CSP v3.5 addresses these serverless threat vectors and minimizes their potential impact.
Security For Hybrid Cloud Deployments

“As the adoption of containers and serverless continues to expand within a greater number of enterprises, and to greater numbers of applications within those enterprises, there is a growing need for scalable security that is easy to manage across multi-cloud and hybrid cloud deployments, covering both containers and serverless functions,” said Amir Jerbi, CTO and co-founder of Aqua Security. “Our customers now run multiple cloud native applications and require a unified platform to manage security across teams, while providing security and DevOps teams segregation of duties coupled with the control they require.”

Features And Capabilities

Risk Assessment for Serverless Functions: Checks functions for known vulnerabilities, embedded secrets (keys and tokens), and cloud permissions, to ensure that function privileges are secure and minimized. Serverless support is fully integrated with Aqua’s extensive controls for container runtime deployments and is managed via the same console.

Container Encryption: Aqua now makes it possible to encrypt the entire contents of a container image and decrypt it with a key when it is instantiated as a container. This enables companies with sensitive intellectual property embedded in their container images to protect it against unauthorized use, and prevents unauthorized access to code in case of a registry breach or when code is provided under license to partners and customers.

Greater Visibility through Workload Explorer: With a tabular and visual view of running workloads on Kubernetes and Docker environments, Workload Explorer provides visibility into large, distributed runtime environments, highlighting vulnerable or risky components (namespaces, deployments, pods, containers).
Operations and security staff can easily filter the data and drill down to detailed information quickly to ensure compliance.

Contextual Runtime Policies: Based on feedback from some of Aqua’s largest customer implementations, Aqua runtime security policy models now allow a highly specific scope to be defined for each policy and applied to an application context. The scope can be defined according to dozens of parameters, including Kubernetes deployment and namespace, image registry prefix, environment variables, and many more. This flexibility lets customers easily differentiate between multiple applications, for example by applying stricter policy to applications with higher trust requirements, such as mission-critical applications, even if they use the same images as other applications.

Fine-Grained Administrative Access Control: An enhanced RBAC engine enables fine-grained permissions for DevOps, security and compliance teams on the Aqua platform, enabling true segregation of duties between teams and roles. For example, different teams may be granted access to different sets of images or registries, while their ability to view or change Aqua policies for images, serverless functions, runtime, secrets, and compliance varies according to their specific role.
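The serverless risk assessment listed above checks function code for embedded secrets and the function's cloud permissions for over-broad privileges. The following is an added example of what those two static checks look like in practice; it is not Aqua's code. The Lambda handler source and the execution-role IAM policy are constructed samples, and the AWS access key in the source is Amazon's documented placeholder (AKIAIOSFODNN7EXAMPLE), not a live credential.

```python
"""Two of the static checks a serverless risk assessment performs:
hunting for embedded credentials in function source and flagging
over-broad IAM permissions on the function's execution role.

Added example, not Aqua's code. The function source and IAM policy are
constructed samples; the AWS access key is Amazon's documented
placeholder (AKIAIOSFODNN7EXAMPLE), not a live credential.
"""
import re

# Constructed Lambda handler with credentials pasted into the source.
SAMPLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def handler(event, context):
    s3 = boto3.client("s3")
    return s3.list_buckets()
'''

# Constructed execution-role policy: one tight statement, two loose ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/demo:*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Credential formats worth catching in function code or config.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\W+[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Actions that let a function grant itself (or another principal) more power
# when they are allowed on Resource "*".
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "sts:assumerole", "lambda:updatefunctioncode",
}


def find_secrets(source: str) -> list[tuple[str, int]]:
    """Return (pattern_name, line_number) for every credential-looking match."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def _as_list(value) -> list[str]:
    # IAM allows Action/Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])


def assess_policy(policy: dict) -> list[dict]:
    """Flag Allow statements whose actions or resources are wider than a
    function needs. Returns one finding dict per problem found."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append({"statement": idx, "finding": "wildcard_action",
                             "detail": wild_actions})
        if "*" in resources:
            findings.append({"statement": idx, "finding": "wildcard_resource",
                             "detail": actions})
            risky = sorted(set(actions) & ESCALATION_ACTIONS)
            if risky:
                findings.append({"statement": idx, "finding": "privilege_escalation",
                                 "detail": risky})
    return findings


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_SOURCE):
        print("secret:", *hit)
    for f in assess_policy(SAMPLE_POLICY):
        print("policy:", f)
```

Against the samples, the scanner reports the access key on line 3 and the secret key on line 4 of the handler, and the policy assessment flags statement 0 (s3:* on every resource) and statement 2 (iam:PassRole on every resource, a classic escalation path) while leaving the tightly scoped CloudWatch Logs statement alone. In a real pipeline the same checks would run over the unpacked deployment package and the role policy fetched with `aws iam get-role-policy`, and the regex list would be far longer; the structure stays the same.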
Aqua Security, the premier platform provider for securing container-based and cloud-native applications, announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack.

Runtime Protection Against “Zero Days”

Sophisticated attacks often exploit unknown vulnerabilities in the application or operating system, also known as “zero days”, to escalate privileges, run arbitrary code, or exfiltrate data. Doing this at the OS level requires system calls (syscalls), the core interface through which applications ask the kernel to do anything from opening files and creating network connections to rebooting the system. The large number of available syscalls (more than 330 on x86-64) presents a significant attack surface that can lead to kernel exploits, even though any given application actually uses only a small subset of them. To reduce this risk, the Linux kernel provides seccomp (secure computing mode), a filtering facility that lets developers disable unneeded syscalls through a profile and apply that profile per application. Docker, for example, disables around 50 syscalls in the default seccomp profile it applies to containers.

However, this still leaves more than 250 syscalls enabled, most of which a specific application does not need, and best practice is for developers to disable those too. The challenge is that creating a custom profile for an application is difficult because it requires a deep, low-level understanding of how the application uses syscalls, which is why most organizations rely on the weak default.

Aqua Container Security Platform
The release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analyzing a running container’s syscall use, whitelisting the syscalls it actually makes, and generating a custom seccomp profile that denies all others. Since a typical container uses only between 40 and 70 syscalls, this dramatically reduces the number of syscalls available to a given service, shrinking the attack surface by as much as 90%. Any attempt by an attacker to invoke a non-whitelisted syscall is blocked by Aqua and generates an alert.

Securing Cloud-Native Deployments

“Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity,” says Amir Jerbi, CTO and co-founder of Aqua Security. “Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits.”

Modes of cloud-native app deployment are constantly expanding to cater for varying needs. Today, in addition to running containers on VMs, organizations can deploy “serverless” code, whether as on-demand containers using services such as AWS Fargate or Azure Container Instances, or as serverless functions.

New Capabilities For Full-Stack Security

Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua’s MicroEnforcer technology released earlier this year:

AWS Lambda function scanning: Aqua’s extensive vulnerability, hard-coded secrets and malware scanning is now available for AWS Lambda functions.

CRI-O and containerd support: Aqua’s runtime protection controls are now available in environments using the CRI-O and containerd container engines.
“Thin OS” protections: Aqua monitors hosts that run containers for successful and failed login attempts, and provides discovery and scanning for container images stored on the host.

Additional Compliance And Platform Features

Aqua 3.2 also introduces numerous new features based on customer requirements:

Aqua’s Container Firewall now allows rules based on domain names, in addition to container/cluster IP addresses, making it easier to create application network rules.

New out-of-the-box compliance templates for runtime protection, applying best practices for meeting NIST, PCI, HIPAA, and GDPR requirements.

Integration with the Azure Container Registry quarantine feature, preventing vulnerable images from being pulled from the registry.

Enhanced SAML support, allowing federated single sign-on from Microsoft ADFS, Okta, and Google Apps, among others.
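The “Runtime Protection Against Zero Days” discussion above describes learning a container's syscall usage and emitting a default-deny seccomp profile that allows only what was observed. The following is an added example of that approach in the Docker/containerd seccomp JSON format; it is not Aqua's code. The trace is a constructed excerpt in `strace -f` format, the 330-syscall total is the figure the text cites, and the BASELINE set is an assumption about the minimum a process needs to start and exit.

```python
"""Build a default-deny Docker seccomp profile from a container's observed
syscalls, the approach described under "Runtime Protection Against Zero
Days" above.

Added example, not Aqua's code. The trace below is a constructed excerpt in
`strace -f` format; in practice you would trace the real workload under
representative load, e.g. `strace -f -o trace.log -p <container pid>`.
"""
import json
import re

# Constructed excerpt of `strace -f` output for a small web server.
SAMPLE_TRACE = """\
1234  execve("/usr/local/bin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffd1c3e2a40 /* 12 vars */) = 0
1234  brk(NULL)                             = 0x55c0d2a3c000
1234  openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
1234  read(3, "worker_processes 1;\\n", 4096) = 20
1234  close(3)                              = 0
1235  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1235  bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1235  listen(4, 511)                        = 0
1235  epoll_wait(5, [{events=EPOLLIN, data=4}], 512, -1) = 1
1235  accept4(4, NULL, NULL, SOCK_NONBLOCK) = 6
1235  write(6, "HTTP/1.1 200 OK\\r\\n", 17) = 17
1235  +++ exited with 0 +++
"""

# x86-64 exposes well over 300 syscalls; the page cites "more than 330".
TOTAL_SYSCALLS_X86_64 = 330

# Assumption: a short trace rarely exercises process start-up and teardown
# paths, so a learned allow list should always carry these or the container
# will not even exit cleanly.
BASELINE = {"exit", "exit_group", "rt_sigreturn", "futex"}

# "<pid>  <name>(<args>) = <ret>"; "+++ exited" and "--- SIGxxx" markers have
# no syscall name and are skipped.
_SYSCALL_RE = re.compile(r"^\s*(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")


def observed_syscalls(trace_text: str) -> set[str]:
    """Collect the distinct syscall names that appear in strace output."""
    names = set()
    for line in trace_text.splitlines():
        m = _SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_seccomp_profile(observed: set[str], dry_run: bool = False) -> dict:
    """Docker/containerd seccomp profile: allow exactly the observed syscalls
    plus BASELINE, deny everything else with EPERM. With dry_run=True the
    default action is SCMP_ACT_LOG, so unexpected syscalls are logged to the
    kernel audit log instead of blocked while the profile is validated."""
    allowed = sorted(observed | BASELINE)
    return {
        "defaultAction": "SCMP_ACT_LOG" if dry_run else "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def attack_surface_reduction(profile: dict, total: int = TOTAL_SYSCALLS_X86_64) -> float:
    """Fraction of the syscall table the profile denies."""
    allowed = {n for rule in profile["syscalls"] for n in rule["names"]}
    return 1.0 - len(allowed) / total


if __name__ == "__main__":
    profile = build_seccomp_profile(observed_syscalls(SAMPLE_TRACE))
    print(json.dumps(profile, indent=2))
    print(f"denies {attack_surface_reduction(profile):.0%} of the syscall table")
```

Save the JSON as profile.json and apply it with `docker run --security-opt seccomp=profile.json ...`. For the eleven observed syscalls plus the four baseline ones, the profile allows 15 of 330 and denies about 95%, in line with the reduction the text claims. Two caveats a practitioner should respect: a profile learned from observation covers only the code paths exercised during the learning run, so drive realistic traffic and error paths through the container first and validate with `dry_run=True` (SCMP_ACT_LOG needs a kernel and libseccomp that support it) before switching to SCMP_ACT_ERRNO; and syscall names differ across architectures, so a profile learned on x86-64 is not automatically valid for an arm64 node.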
The Aqua Container Security Platform gives organizations total control over the security and compliance posture of software containers

Aqua Security™ (formerly named Scalock) today announced the company’s formal launch and General Availability of the Aqua Container Security Platform, the industry’s most comprehensive solution for securing containerized environments. The Aqua Container Security Platform provides organizations with full control over the security and compliance posture of software containers at all times, enabling them to reap the agility, flexibility and efficiency benefits container-based application architectures provide.

Challenges Posed By Containers

“Containers bring tremendous benefits to the efficiency and speed of application development and delivery, but they also present new challenges in security,” said Raffi Margaliot, SVP & General Manager, Application Delivery Management, Hewlett Packard Enterprise. “With Aqua's Container Security Platform we can help our customers automate and improve their container security and compliance posture, control user access and monitor usage in real-time – all via a fully automated, integrated solution.”

“I’m extremely excited about Aqua. Software containers are taking the enterprise IT world by storm, but they present new security and control gaps that cannot be addressed using existing approaches and tools,” said Shlomo Kramer, Aqua Security founding investor.
“Aqua’s container security platform provides granular, context-aware container security while automating the entire process, allowing enterprises to focus on deploying and running applications.”

Container-based Development Strategy

Aqua was co-founded by CEO Dror Davidoff, formerly of McAfee/Intel Security, and by CTO Amir Jerbi, former Chief Architect of CA Technologies’ Security business unit, with more than 14 patents to his name. Aqua’s launch follows the completion of an extended beta program comprising more than a dozen enterprise customers, the majority of them Fortune 500 companies, reluctant to move forward on a container-based development strategy without appropriate security measures in place.

Aqua's Comprehensive Security Solution

The Aqua Container Security Platform delivers the most comprehensive security solution built for containerized environments, supporting Docker and Windows containers, and available for on-premises deployment. Providing development-to-production container lifecycle protection, its key features include:

Image assurance that includes both passive and active scanning, continuously assures image integrity and enforces correct use.

Fine-grained, role-based user access control that limits user access, and the type of access, to specific containers, hosts, and applications.

Full visibility, monitoring and audit trail for container activity, user access and host configuration changes.

Automated security policies that provide an optimal security wrapper for containers and do not require manual intervention.

Runtime protection that includes both real-time detection and prevention when container behavior breaks policy.

Integrations with a variety of image registries, CI/CD tools, SIEM and analytics tools.

“At Aqua our goal is to provide a truly immersive security ‘envelope’ for containers, providing multiple layers that protect containers from multiple risks,” said Dror Davidoff, Co-founder and CEO, Aqua Security.
“By providing a fully automated solution, we bridge the gap between DevOps and IT security, enabling container adoption while providing the necessary oversight and security policy enforcement that enterprises require.”