I recently took the opportunity to discuss open source and security challenges with Itay Shakury of Aqua Security. What follows is a fascinating discussion about current issues, the future, and specific cloud-native tools that address the concerns of today's Chief Information Security Officers (CISOs).
Itay, could you please introduce yourself to our readers?
Itay Shakury, Director of Open Source at Aqua Security. I have nearly 20 years of experience in tech, spent across engineering, software architecture, IT, product management, consulting, and more. In recent years, my career path has led me to cloud-native technologies and open source software.
Tell us about Aqua Security and what problems it is trying to address.
Aqua is pioneering cloud security with its integrated cloud-native application protection platform (CNAPP) that provides prevention, detection, and response automation across the entire application lifecycle. Our suite of solutions enables organizations to secure the supply chain, cloud infrastructure, and running workloads. Aqua's family of open source projects is an accessible entry-point that allows anyone to get started with cloud-native security immediately and at no cost while at the same time driving innovation for our commercial offerings.
As Director of Open Source at Aqua Security, what are your major responsibilities?
My primary responsibility is developing and executing on open source strategy. The strategy includes refining the OSS projects' roadmap, identifying community initiatives for engagement, and making open source viable for commercial use. As an engineering manager, I am leading Aqua's open source teams. Our OSS group is globally distributed and remote-first. This group of talented open source engineers is turning our OSS vision into reality, and I'm fortunate enough to have been part of it.
What challenges do companies face in securing Kubernetes? How should they approach this problem?
One challenge is addressing security across the complete application lifecycle. In the past few years, more and more responsibilities have been put in developers' hands, especially with Kubernetes and cloud-native technologies. We are seeing this across different fields like quality, operations, support, and security. This "shift left" approach is introducing security controls early (or "left") in the development lifecycle, which obviously is a welcome change, but it leaves the organization with the challenge of bridging these newly added controls with preexisting production security (or "right" side).
Aqua Security has a variety of popular open source projects. Can you tell us about them?
We have a portfolio of tools and solutions across three domains: security scanning, Kubernetes security, and runtime security.
For security scanning, our open source project Trivy is leading the way. Trivy scans container images and code repositories for known vulnerabilities in packages and libraries. In addition to that, Trivy scans Infrastructure as Code files for misconfigurations and common security issues. Trivy is very well received in the industry and has a robust and supportive community of contributors, which makes it so successful. We recently celebrated a milestone of crossing 10,000 GitHub stars!
In Kubernetes security, Aqua's Starboard assesses your Kubernetes clusters' security posture. It is powered by our other project, kube-bench, which is already a staple of Kubernetes security. Since Starboard is a Kubernetes operator, it will continuously and automatically detect changes to the cluster and application state and maintain an up-to-date report of your security posture.
Runtime security is about detecting and preventing suspicious behavior during production. Our project Tracee achieves that by leveraging cutting-edge technology, eBPF, and is leading the way for how that technology can be applied in this use case.
The use of the eBPF technology is growing in security applications and tooling (Tracee, for example). Has it reached a point where it can go mainstream?
eBPF has been around for a while and has seen real-world usage in some of the biggest technology companies in the world. The technology is solid (especially its recent editions), but it's still not so accessible for developers who are programming with it, nor for users who are adopting it. One of the biggest challenges currently is with building and distributing eBPF-powered applications. Unlike "normal" applications, which the vendor would build and then ship the resulting artifact to users, eBPF-based applications are much more sensitive to environmental nuances and therefore are commonly shipped as source code that the user needs to compile on-site. We have been working with the community and industry colleagues to solve these challenges upstream so that eBPF can be more widely available and accessible. This actually resulted in another open source project we released called "btfhub."
Supply chain security is currently one of the topmost items for CISOs worldwide. What other security issues do you think need our collective focus and attention?
Supply chain is definitely getting a lot of attention. At Aqua, we identified the security gaps that many organizations face, and we acquired a company specializing in supply chain security, Argon Security. Aqua and Argon are working together to address these challenges, and I'm sure that our open source family will soon benefit from it.
Most supply chain solutions rely on implementing tools and practices early in the software development lifecycle. This is part of the movement to "shift left," moving security from production to the developers. I think this movement is great, but stitching together the different tools that the organization adopts across the "left" and "right" side of the house is still a challenge, and this is usually next on a CISO's desk.
Security is a growing field, with many wanting to make it a career. What are the top skills/traits that you prioritize while hiring?
Curiosity is something that I think helps people in engineering but especially in InfoSec. Being intrinsically curious and having the drive to investigate and understand how things work is very helpful for a security engineer.
In open source specifically, we are looking for engineers with an additional layer of skills on top of the core technological proficiency. In particular, we value softer skills that contribute to our approach, in which the open source engineers not only write the code but also plan the product roadmap, speak about it, promote it, and build a community around it.
What does Itay enjoy doing in his free time?
Technology is a big part of my life, and I'm also drawn to it in my free time. But besides that, spending time with my wife and son, hikes, and good food. I also never miss my morning yoga routine.
I'd like to thank Itay for taking the time to discuss the security concerns we all face in today's cloud-native, containerized world. He has provided some great insights and shows just how many solutions open source software provides.