

Anyone thinking of pairing cloud-native software development with the security solution they bought nine years ago? Then a lesson in tech matchmaking is due. Boxy old security with fixed parameters will likely shackle the agility of cloud-native computing. The swift mobility of cloud-native operations needs an agile security solution to move in step with it.
“Cloud native has this notion of immutability and being able to take the same artifact from development to staging to production,” said John Morello, chief technology officer of Twistlock Ltd., a cloud-native cybersecurity company. “That enables us to do things in a security fashion that you really haven’t been able to do in the past.”
Security built for cloud-native developer operations scans for vulnerabilities out of the gate. It doesn’t wait until an application is in production to alert teams to its flaws. This enables a smoother ride from development to production and reduces the likelihood of ugly surprises, according to Morello.
As a Kubernetes Technology Partner, Twistlock supports cloud-native security for users of the open-source container orchestration platform. “Not only do we protect the platform, but we just are part of [Kubernetes],” he said. “There’s nothing abnormal that you have to do. You deploy it and manage it like you would any other Kubernetes application.”
Morello and Nanda Kumar, digital technology transformation, Global Technology Services, at Verizon, spoke with John Furrier (@furrier) and Stu Miniman (@stu), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the KubeCon + CloudNativeCon event in Seattle, Washington. They discussed the benefits of cloud-native, app-centric security for use cases, including Kubernetes, and why Verizon chose Twistlock to secure its own Kubernetes deployments. (* Disclosure below.)
In the old world, developers would give an app to the operator for deployment. Then, maybe weeks later, someone would scan it for bugs, glitches and other vulnerabilities. Finally, someone would have to spend precious time untangling the glitches and patching things up.
“There’s a lot of time where you’re exposed; there’s a lot of cost to that operation,” Morello said.
The Twistlock security platform is watching for issues at all stages. “As the developer builds the application, every build they do, Twistlock can scan that and see the vulnerabilities, and actually enforce that as a quality gate, and say, ‘If you’ve got critical vulnerabilities, you have to fix them before you progress,’” Morello stated.
Rather than blacklisting behaviors deemed “bad,” Twistlock automatically learns what’s “good” and allows only that.
Verizon is in year three of a five-year transformation plan. It is modernizing its application stack with cloud-native technologies, including Kubernetes. It’s using Twistlock in its Kubernetes deployment.
“When we rolled out our solution for our Kubernetes platform, we certainly wanted to make sure that … we can shift left and really look at security holistically,” Kumar said. “The only way you can do that is you need to … integrate security as the product is being built.”
(* Disclosure: Twistlock Ltd. sponsored this segment of theCUBE. Neither Twistlock nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)