UPDATED 11:00 EDT / JANUARY 08 2020

CNCF upgrades Falco runtime security tool to incubator status

Container security startup Sysdig Inc. said today its open-source, cloud-native runtime security tool Falco has been accepted as an incubation-level project by the Cloud Native Computing Foundation.

The CNCF is an organization that oversees the development of numerous popular open-source, cloud-native software projects. The most famous open-source project it houses is Kubernetes, which is used to manage and orchestrate software containers that host modern applications.

Falco is a runtime security tool that’s used to monitor unexpected or abnormal behavior in Kubernetes container deployments. It’s used to identify risks such as exploits of unpatched or newly discovered vulnerabilities, insecure configurations, leaked or weak security credentials, and insider threats.

Being able to detect such anomalous activity requires a full understanding of any unexpected service interactions between software containers, and that’s what Falco is designed to do. It works by tapping into the data produced by system calls generated in a container environment. System calls are requests that application components send to the operating system on which they run when certain key actions need to be performed.

Oftentimes, suspicious calls can be indicative of an intrusion. Falco looks for breaches by comparing activity data against a set of policies on what actions should and shouldn’t be performed. When a violation is detected, Falco quarantines or stops the offending process entirely, depending on the severity of the action. It also generates a detailed log of the incident that captures what files were modified, the user accounts involved and other relevant information.
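The comparison of system-call activity against policies described above can be illustrated with a short added example. It is not part of the original article and is not Falco's own code or rule syntax; the event fields, rule names, severities and sample events are all assumptions constructed for the illustration.

```python
"""Toy policy check over constructed syscall events (not Falco's engine or rule syntax)."""
from dataclasses import dataclass
from typing import Callable, NamedTuple

class Event(NamedTuple):
    container: str
    user: str
    process: str
    syscall: str
    path: str
    write: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    violates: Callable[[Event], bool]

SHELLS = {"sh", "bash", "zsh"}

# Hypothetical policies: what containers in this example should never do.
RULES = [
    Rule("shell_in_container", "warning",
         lambda e: e.syscall == "execve" and e.process in SHELLS),
    Rule("write_below_etc", "critical",
         lambda e: e.syscall in {"open", "openat"} and e.write
         and e.path.startswith("/etc/")),
]

def evaluate(events, rules=RULES):
    """Return one incident record per (event, violated rule) pair."""
    incidents = []
    for e in events:
        for r in rules:
            if r.violates(e):
                incidents.append({"rule": r.name, "severity": r.severity,
                                  "container": e.container, "user": e.user,
                                  "process": e.process, "path": e.path})
    return incidents

# Constructed sample stream; not captured from a real system.
SAMPLE_EVENTS = [
    Event("web-1", "www-data", "nginx", "openat", "/var/log/nginx/access.log", True),
    Event("web-1", "www-data", "bash", "execve", "/bin/bash"),
    Event("web-1", "root", "bash", "openat", "/etc/passwd", True),
    Event("db-1", "postgres", "postgres", "openat", "/etc/postgresql/pg.conf"),
]

if __name__ == "__main__":
    for incident in evaluate(SAMPLE_EVENTS):
        print(incident)
```

Each incident record carries the user account, process and file path involved, mirroring the kind of detail the article says is logged; the routine log write and the read-only configuration access produce no incident.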

“Runtime security is a critical piece in a cloud-native security story,” said Kris Nova, Sysdig’s chief open source advocate. “Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions.”

Falco’s elevation to the status of CNCF incubator project is important, as it means the software has become the de facto open-source standard for cloud-native runtime security, Sysdig said.

Sysdig also said it will work with the CNCF to further the adoption of Falco in the enterprise by making it easier to use and simpler to integrate with cloud-native computing environments. The plan is to move some of the key components of Falco to an “API-first architecture” in order to make it easier to develop integrations with other open-source tools, including Kubernetes.
