TMCnet News
Aqua Introduces Runtime Protection Against "Zero Day" Vulnerabilities for Containerized ApplicationsBOSTON, July 18, 2018 /PRNewswire/ -- Aqua Security, the market-leading platform provider for securing container-based and cloud-native applications, today announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack. Runtime Protection Against "Zero Days" The large number (more than 330) of available syscalls presents a significant attack surface that can lead to OS-level kernel exploits, even though for any given application, only a small subset of syscalls is actually being used. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls and apply those profiles per application. Docker, for example, has disabled 50 syscalls in its default seccomp profile for running Docker containers. However, this still leaves more than 250 syscalls enabled, most of which would not be necessary for a specific application, and best practices are for developers to disable them. The challenge is that creating custom profiles for an application is difficult because it requires a deep low-level understanding of how the application uses syscalls - which is why most organizations often rely on the weak default. The newest release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analyzing a running container's syscall use, white-listing those being used, and creating a custom seccomp profile to prevent the use of all other syscalls. Since a typical container only uses between 40-70 syscalls, this results in a dramatic reduction in the number of available syscalls for a given service, educing the attack surface by as much as 90%. Any attempt by an attacker to use a non-whitelisted syscall will be blocked by Aqua and generate an alert. "Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity," says Amir Jerbi, CTO and co-founder of Aqua Security. "Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits." Securing the Spectrum of Cloud-Native Deployments Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua's MicroEnforcer technology released earlier this year:
Additional Compliance and Platform Features
About Aqua Security Press inquiries: View original content:http://www.prnewswire.com/news-releases/aqua-introduces-runtime-protection-against-zero-day-vulnerabilities-for-containerized--applications-300682406.html SOURCE Aqua Security |