OpenClarity: A Community-Led Approach to Cloud-Native Application Security

By: Tim Miller

Oct 27 2022

Developing distributed, microservice-based applications is simultaneously freeing and scary. The freedom comes from being able to develop, release, and upgrade application components without being bound by a huge, monolithic release cycle. And if something goes wrong, it (theoretically) won’t bring the whole system to its knees, causing outages and resulting in gazillions of angry customer calls. At the same time, maintaining hundreds of microservices can be like a jigsaw puzzle with dozens of glass pieces: you have to keep careful track of them all, make sure they fit together, and hope that if one piece breaks, you’ll have enough visibility to recognize it and track it down.

Everything has tradeoffs, right?

The evolving challenges of cloud-native security

Cloud-native security has changed along with its application architecture. Because bolting on security after building an application is always risky and tedious, security is increasingly “shifting left” and earlier in the software development lifecycle (SDLC). And simplified, comprehensive application security solutions (like Cisco’s Panoptica) are just starting to emerge. Developers need flexible tools that allow them to get ahead of microservices security risks at all layers of the application stack (code, containers, API, serverless) and at all stages of the CI/CD pipeline and runtime—without being a security or a Kubernetes expert. That’s where products like Panoptica come to the rescue for developers and cloud platform engineers.

To understand why there’s a need for a new type of open-source security solution, let’s talk a little more about the security challenges that businesses face.

To start, modern applications are highly complex and distributed in nature. They contain a litany of moving pieces, and many layers that can be attacked.

On top of this, DevOps teams depend on a range of different tools for different purposes. For example, the CI/CD suite includes source-code management platforms, CI servers, test-automation frameworks, deployment tools, and so on. The environment may also include multiple container runtimes, hypervisors, orchestration services, and cloud platforms. Each of these components presents a possible vector for attack, as well.

The bottom line is that there is no simple way to secure cloud-native application stacks. Instead, developers need very flexible and extensible microservices security tools. And because no one knows more about what developers need than developers, it makes sense to come together as a community and create them.

What cloud-native security must do

These tools should be capable of answering four key questions to ensure security, visibility, and actionability across any environment:

  1. Which software components are in place? You must know this (in practice, by producing a software bill of materials, or SBOM, for every image and workload) in order to understand which supply-chain risks you may face, as well as which vulnerabilities could impact the specific platforms you use.
  2. What are your “hidden” vulnerabilities? When you know what you have running, the next step is to match the inventory against vulnerability data to determine which vulnerabilities exist within your resources—even if those vulnerabilities aren’t easy to detect.
  3. How can you automate vulnerability scanning? Detecting vulnerabilities manually isn’t feasible in complex, multi-layered application stacks. You need to determine how to scan automatically and continuously, both in the pipeline and at runtime.
  4. How can you consolidate security tools? Juggling numerous security tools is impractical. Instead, developers need a consistent security toolchain that can address all of their risks through a centralized, consolidated approach, without siloing data or teams.
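As an added illustration of the first two questions (this is example code, not code from OpenClarity or KubeClarity, which use their own scanners and vulnerability databases), the script below takes a CycloneDX-style SBOM and an OSV-like advisory list and reports which components fall inside an advisory's affected version range. The SBOM document, the advisory records, and the simplified version comparison are all constructed for the example; the affected range for CVE-2021-44228 is simplified to 2.0-beta9 up to but not including 2.15.0, which omits the real advisory's backported exceptions.

```python
"""Match a CycloneDX-style SBOM against a small OSV-like advisory list.

Added example, not OpenClarity/KubeClarity code. SBOM, advisories and the
version-ordering rules below are constructed/simplified for illustration.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed SBOM in the shape of a minimal CycloneDX 1.4 JSON document.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.12",
     "purl": "pkg:pypi/urllib3@1.26.12"},
    {"type": "library", "name": "vendored-blob", "version": "0.1"}
  ]
}
"""

# Constructed, simplified OSV-like records: one "introduced"/"fixed" pair each.
# CVE-2021-44228's range is simplified (the real advisory has more exceptions);
# EXAMPLE-2022-0001 is a made-up advisory that no component here should hit.
ADVISORIES: List[Dict[str, Any]] = [
    {"id": "CVE-2021-44228", "ecosystem": "maven",
     "package": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-2022-0001", "ecosystem": "pypi", "package": "urllib3",
     "introduced": "1.26.0", "fixed": "1.26.5"},
]

PURL_RE = re.compile(r"^pkg:([^/]+)/(.+)@([^?#]+)")


def parse_version(v: str) -> Tuple:
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts in release order.

    Dot-separated numeric parts compare as integers (padded to four places);
    a pre-release suffix after '-' sorts below the plain release with the
    same numbers. Simplification: Maven, PEP 440 and semver each have their
    own ordering rules that a production scanner must implement exactly.
    """
    core, _, pre = v.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    nums = (nums + [0] * 4)[:4]
    # Tokenize the pre-release tag so 'beta9' < 'beta10' rather than comparing
    # the raw strings; each token becomes a uniform (kind, int, str) triple.
    tokens = tuple((1, int(t), "") if t.isdigit() else (0, 0, t)
                   for t in re.findall(r"\d+|[A-Za-z]+", pre))
    return (tuple(nums), 0 if pre else 1, tokens)


def purl_key(purl: str) -> Optional[Tuple[str, str, str]]:
    """Reduce a package URL to (ecosystem, 'namespace:name', version)."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    ecosystem, path, version = m.groups()
    namespace, _, name = path.rpartition("/")
    return ecosystem.lower(), (f"{namespace}:{name}" if namespace else name), version


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (no 'fixed' means still open)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json: str, advisories: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per (component, advisory) pair whose range matches."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key = purl_key(comp.get("purl", ""))
        if key is None:
            continue  # no purl: the component cannot be matched reliably
        ecosystem, name, version = key
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv.get("fixed"))):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "fixed_in": adv.get("fixed")})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['purl']} (fixed in {f['fixed_in']})")
```

Two details matter for the "hidden vulnerabilities" question: a component with no purl is skipped rather than silently marked clean, so the scanner's output should also report how many components it could not match, and the pre-release 2.0-beta9 is caught only because the version comparison understands that suffix; a scanner that compares version strings lexically would miss it.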

OpenClarity: A community approach to cloud-native and microservices security

The challenges detailed above were the genesis of OpenClarity, an open-source umbrella project from Cisco’s Emerging Technologies and Incubation (ET&I) group. In an interview with SDxCentral last May, Cisco’s Head of Open Source, Stephen Augustus, talked about how a cluster (or a set of clusters) running in multiple environments is both fluid and evolving. It stands to reason that solutions should mirror that same fluidity. How better to help these solutions evolve than through open source? We intend for OpenClarity to be the place for that collaboration to happen, building the tools for cloud-native security that developers have been sorely lacking.

We also thought it was important to give developers open-source tools they could tailor for the specific needs of their unique environments. For example, we wanted to open the door for developers to add support for their preferred container orchestration framework.

By developers, for developers

We plan to continue building tools under the OpenClarity umbrella to address cloud-native security risks at all stages of the CI/CD pipeline. This isn’t just another monitoring dashboard that flags vulnerabilities (although that functionality exists in the project). It’s about creating a place for the continuing development of tools that you can embed deeply into your CI/CD operations to detect cloud-native security vulnerabilities before they reach production.

So far, OpenClarity includes two mature projects: APIClarity, a cloud-native visibility tool for APIs that can capture, analyze, and test API traffic and identify potential risks, and KubeClarity, a scanner that generates SBOMs and detects vulnerabilities in container images and filesystems, usable both in CI/CD pipelines and at runtime against Kubernetes clusters.

We’ll be sharing more about a third project—FunctionClarity, which focuses on serverless security—at KubeCon/CloudNativeCon 22 in Detroit. This project lets you sign function code or images and upload the signature before the function is created in the cloud repository, so that what gets deployed can be verified against what was signed.

These are the types of tools developers need to get ahead of risks such as the Log4j vulnerability (Log4Shell, CVE-2021-44228), which became worldwide news in December 2021 precisely because so few teams could quickly answer which of their workloads contained the affected library. Cloud-native security tools that address only specific types of risks—or that work only on certain platforms—aren’t enough to stay ahead of modern threats. What development and security teams need today is an extensible, comprehensive solution like OpenClarity, whose open-source nature creates opportunities lacking in proprietary cloud-native security products.

Please stop by and see us at our booth (D3) at KubeCon/CloudNativeCon in Detroit, Michigan from October 24-28 and stay tuned for our announcement about FunctionClarity there. We look forward to meeting you and welcome your contributions!