Defines and explains the concept of Runtime Analysis.
Shows how Runtime Analysis integrates into the DevOps life cycle.
Provides pointers to Red Hat partners that can help with Runtime Analysis.
September is “runtime analysis” month in Red Hat’s monthly Security series! Since March 2021, the Red Hat Security Ecosystem team has published monthly articles and videos on DevOps Security topics to help you learn how Red Hat can help you master the practice called DevSecOps.
Runtime Analysis defined
Runtime analysis methods apply only to a running Kubernetes cluster, and their goal is to provide a defense-in-depth approach to protecting that running cluster. The following security methods make up the runtime analysis category:
Admission control: functions as a Kubernetes workload gatekeeper that governs and enforces security policies on what is allowed to run on the cluster or not.
Runtime application behavioral analysis: examines system activity and intelligently detects suspicious or malicious actions in real time.
Threat defense and runtime application self-protection (RASP): responds to detected threats, for example by blocking cyberattacks in real time. Threat defense shouldn’t be confused with threat detection, which is part of behavioral analysis. While most vendors in the runtime analysis category have capabilities in both, we’ve separated these two terms to highlight their distinct functions.
While the runtime analysis security category may seem light on security functions, it serves as a centerpiece in DevSecOps by consuming or integrating with the methods of other security categories. For example, admission controllers and behavioral analysis typically assess data from vulnerability or compliance scans.
With this in mind, it’s important to note that Red Hat security partners in this category typically also play in several other categories, such as vulnerability and configuration management, and compliance.
Runtime Analysis integrated in DevSecOps
As pictured in the DevSecOps framework figure here, Runtime Analysis integrations are found on the right side of the DevSecOps life cycle in a running cluster. The table details some, but not all, of the common integrations to consider for Runtime Analysis.
Admission control functions intercept requests to the Kubernetes API to validate resource requests, such as a pod creation. Red Hat OpenShift Container Platform ships with a default set of admission plug-ins that do things like enforce security policies, resource limitations, or configuration requirements.
One such admission plug-in is the Security Context Constraint (SCC), which specifically controls permissions for pods. Eight SCCs exist in Red Hat OpenShift, and by default, the restricted SCC is applied to each new running pod. A couple of the permissions you’ll see with the restricted SCC are that pods cannot run as privileged, nor can they mount host directory volumes.
Red Hat Partners extend and enhance OpenShift admission control by using the webhook admission plug-in. For example, characteristics or policies about the image, like vulnerabilities, configs, and provenance, can be used to pass or fail admission before the pod is created.
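The following is an added example, not code from Red Hat, OpenShift or any partner product, of the kind of validating admission webhook described in the two paragraphs above. It receives an AdmissionReview for a pod and denies admission when the pod asks for what the restricted SCC forbids (privileged containers, hostPath volumes) or when an image fails a simple provenance policy (not pinned by digest, or not from a trusted registry). The trusted-registry list, the listening port and the TLS certificate paths are assumptions for the example; the AdmissionReview and Pod structs are a hand-written subset of the real admission.k8s.io/v1 and core/v1 shapes so that the program needs only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Subset of admission.k8s.io/v1 AdmissionReview (field names match the real API).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"` // the Pod being created
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"` // reason shown to the user on deny
}

type Status struct {
	Message string `json:"message"`
}

// Subset of core/v1 Pod: only the fields this policy inspects.
type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Containers []Container `json:"containers"`
		Volumes    []Volume    `json:"volumes"`
	} `json:"spec"`
}

type Container struct {
	Name            string `json:"name"`
	Image           string `json:"image"`
	SecurityContext *struct {
		Privileged *bool `json:"privileged"`
	} `json:"securityContext"`
}

type Volume struct {
	Name     string          `json:"name"`
	HostPath json.RawMessage `json:"hostPath"` // non-empty and not "null" when a hostPath is set
}

// Registries the cluster trusts; an assumed policy value for this example.
var trustedRegistries = []string{"registry.redhat.io/", "quay.io/example-org/"}

// ValidatePod returns the policy violations for a pod; an empty slice means admit.
func ValidatePod(p Pod) []string {
	var violations []string
	for _, c := range p.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
			violations = append(violations, fmt.Sprintf("container %q requests privileged mode", c.Name))
		}
		if !strings.Contains(c.Image, "@sha256:") {
			violations = append(violations, fmt.Sprintf("container %q image %q is not pinned by digest", c.Name, c.Image))
		}
		trusted := false
		for _, r := range trustedRegistries {
			if strings.HasPrefix(c.Image, r) {
				trusted = true
				break
			}
		}
		if !trusted {
			violations = append(violations, fmt.Sprintf("container %q image %q is not from a trusted registry", c.Name, c.Image))
		}
	}
	for _, v := range p.Spec.Volumes {
		if len(v.HostPath) > 0 && string(v.HostPath) != "null" {
			violations = append(violations, fmt.Sprintf("volume %q mounts a host directory", v.Name))
		}
	}
	return violations
}

// Review decodes an AdmissionReview request and returns the AdmissionReview response.
func Review(body []byte) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var pod Pod
	if err := json.Unmarshal(ar.Request.Object, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	violations := ValidatePod(pod)
	resp := &AdmissionResponse{UID: ar.Request.UID, Allowed: len(violations) == 0}
	if !resp.Allowed {
		resp.Result = &Status{Message: strings.Join(violations, "; ")}
	}
	return &AdmissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp}, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := Review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

func main() {
	// The API server only calls webhooks over TLS; certificate paths are assumed.
	http.HandleFunc("/validate", handler)
	log.Fatal(http.ListenAndServeTLS(":8443", "/certs/tls.crt", "/certs/tls.key", nil))
}
```

The API server reaches the handler through a ValidatingWebhookConfiguration that selects pod CREATE operations; every deny carries the violation list in `response.status.message`, so the user sees why the pod was rejected. Because the checks run before the pod object exists, a failing image never reaches a node.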
Behavioral analysis is a generic method that spans a wide range of security functions with the intent of detecting threats to the running cluster. Monitoring running containers, network traffic, and configuration drift are some examples of what to include when implementing behavioral analysis functions on the cluster.
Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides capabilities to monitor system-level events and processes within containers to detect suspicious activity. RHACS uses prebuilt policies to detect crypto mining, privilege escalation, and various exploits.
Threat defense is both a response to what behavioral analysis may discover and proactive protection against possible malicious activity. While automated remediation responses seem ideal, they are not always practical when they would affect a critical production application.
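As an added example, not RHACS code or any product's policy set, the program below ties the two previous paragraphs together: a small behavioral rule engine evaluates process-exec events from containers (a constructed event shape, simpler than what a real sensor such as the RHACS collector emits) for the three behaviors the text names, crypto mining, privilege escalation and an exploit-style unexpected shell, and then chooses a response per namespace, so that a production namespace gets an alert rather than an automatic pod kill. The rule signatures, the per-container baseline and the namespace enforcement table are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is a constructed, simplified runtime event: one process exec
// observed inside a container.
type ProcessEvent struct {
	Namespace string
	Pod       string
	Container string
	Exe       string   // executable path
	Args      []string // command-line arguments
	UID       int      // effective uid of the new process
	ParentUID int      // effective uid of the parent process
}

// Finding is one policy hit plus the response chosen for it.
type Finding struct {
	Rule     string
	Severity string // "critical", "high" or "medium"
	Detail   string
	Action   string // "alert" or "kill-pod"
}

// Known miner binaries and the mining-pool URL scheme (detection signatures; assumed list).
var minerBinaries = map[string]bool{"xmrig": true, "minerd": true, "cpuminer": true}

// Baseline of executables a container is expected to run; constructed per container name.
var baseline = map[string]map[string]bool{
	"web": {"/usr/sbin/httpd": true, "/usr/bin/cat": true},
}

// enforcementMode decides whether a namespace gets automated remediation.
// Production stays alert-only so a false positive cannot take down a critical app.
var enforcementMode = map[string]string{"prod-payments": "alert", "dev": "enforce"}

func basename(p string) string {
	if i := strings.LastIndex(p, "/"); i >= 0 {
		return p[i+1:]
	}
	return p
}

// responseFor maps severity and namespace policy to an action: only an
// enforcing namespace gets a pod kill, and only for high or critical findings.
func responseFor(ns, severity string) string {
	if enforcementMode[ns] == "enforce" && severity != "medium" {
		return "kill-pod"
	}
	return "alert"
}

// Evaluate runs every rule against one event and returns the findings.
func Evaluate(e ProcessEvent) []Finding {
	var findings []Finding
	add := func(rule, severity, detail string) {
		findings = append(findings, Finding{rule, severity, detail, responseFor(e.Namespace, severity)})
	}
	exe := basename(e.Exe)

	// Crypto mining: known miner binary or a stratum pool URL on the command line.
	if minerBinaries[exe] || strings.Contains(strings.Join(e.Args, " "), "stratum+tcp://") {
		add("crypto-mining", "critical", fmt.Sprintf("%s/%s ran %s", e.Pod, e.Container, e.Exe))
	}
	// Privilege escalation: a non-root parent spawned a root process.
	if e.UID == 0 && e.ParentUID != 0 {
		add("privilege-escalation", "high", fmt.Sprintf("uid %d -> 0 via %s", e.ParentUID, e.Exe))
	}
	// Unexpected shell: a shell started in a container whose baseline has none.
	if exe == "sh" || exe == "bash" {
		if b, ok := baseline[e.Container]; ok && !b[e.Exe] {
			add("unexpected-shell", "medium", fmt.Sprintf("%s not in baseline for %s", e.Exe, e.Container))
		}
	}
	return findings
}

func main() {
	// Constructed sample events.
	events := []ProcessEvent{
		{"dev", "api-1", "web", "/tmp/xmrig", []string{"-o", "stratum+tcp://pool.example:3333"}, 1001, 1001},
		{"prod-payments", "pay-7", "web", "/bin/sh", []string{"-c", "id"}, 1001, 1001},
		{"prod-payments", "pay-7", "web", "/usr/sbin/httpd", nil, 1001, 1001},
	}
	for _, e := range events {
		for _, f := range Evaluate(e) {
			fmt.Printf("[%s] %s in %s: %s -> %s\n", f.Severity, f.Rule, e.Namespace, f.Detail, f.Action)
		}
	}
}
```

The same rule set yields different actions per namespace: the miner in `dev` is killed, while anything in `prod-payments` only alerts and leaves the remediation decision to a human.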
Another technology worth mentioning with regard to proactive protection is runtime application self-protection (RASP), which has emerged as a technology that takes defense a step further than a traditional firewall by understanding more about the application’s inputs. The RASP market is definitely interesting, but still seems to be in its infancy.
Both Red Hat and our security ISV ecosystem provide capabilities in this category to add to a defense-in-depth approach to DevSecOps.
Enhance and extend Runtime Analysis with Red Hat partners
While Red Hat Advanced Cluster Security for Kubernetes strengthens the layered approach to container and Kubernetes security for Red Hat OpenShift Container Platform, Red Hat continues to work closely with its certified ecosystem of partners to enhance and extend Runtime Analysis capabilities for our customers.
Ultimately, Red Hat remains committed to a broad and deep ecosystem that provides customer choice and facilitates innovation to help your organization's DevSecOps practice.
If you are looking to enhance and extend Red Hat’s security capabilities in Runtime Analysis, take a look at the following Red Hat Partners:
For similar blog posts on Red Hat’s DevSecOps Framework, search for previous months’ categories (Network Controls, Data Controls, Compliance, Identity and Access, and Vulnerability and Configuration Management) and stay tuned for upcoming posts.
About the author
Dave Meurer currently serves as a Principal Solution Architect on the Red Hat Global Partner Security ISV team, where he owns technical relationships and evangelism with security independent software vendor partners of Red Hat. Before joining Red Hat, he spent nine years in the Application Security industry with Synopsys and Black Duck, where he served in similar roles as the director of technical alliances and sales engineering.