订阅内容

This post:

  • Defines and explains the concept of Runtime Analysis. 

  • Shows how Runtime Analysis integrates into the DevOps life cycle. 

  • Provides pointers to Red Hat partners that can help with Runtime Analysis


September is “runtime analysis” month in Red Hat’s monthly Security series! Since March 2021, the Red Hat Security Ecosystem team has published monthly articles and videos on DevOps Security topics to help you learn how Red Hat can help you master the practice called DevSecOps. 

By explaining how to assemble Red Hat products and introducing our security ecosystem partners, we aim to aid in your journey to deploying a comprehensive DevSecOps solution.

Runtime Analysis defined

Runtime analysis methods are only found in a running Kubernetes cluster, and the goal is to provide a defense-in-depth approach to protecting a running Kubernetes cluster. The following security methods make up the runtime analysis category:

  • Admission control: functions as a Kubernetes workload gatekeeper that governs and enforces security policies on what is allowed to run on the cluster or not.

  • Runtime application behavioral analysis: examines system activity and intelligently detects suspicious or malicious actions in real time.

  • Threat defense, Runtime application self-protection (RASP): responds to detected threats, like blocking cyberattacks in real time. Threat defense shouldn’t be confused with threat detection, which is part of behavioral analysis. While most vendors in the runtime analysis category have capabilities in both, we’ve broken these two terms up to highlight their distinct functions. 

While the runtime analysis security category may seem a bit light in security functions, it serves as a centerpiece in DevSecOps by consuming or integrating with other security category methods.  For example, admission controllers and behavioral analysis typically assess data from vulnerability or compliance scans. 

With this in mind, it’s important to note that Red Hat security partners in this category typically also play in several other categories, like vulnerability and configuration management and compliance.

Runtime Analysis integrated in DevSecOps

As pictured in the DevSecOps framework figure here, Runtime Analysis integrations are found on the right side of the DevSecOps life cycle in a running cluster. The table details some, but not all, of the common integrations to consider for Runtime Analysis.  Figure 1.

Integration Point

Description

Container orchestration

Admission control functions intercept requests to the Kubernetes API to validate resource requests, like a pod creation. By default, Red Hat OpenShift Container Platform comes with a default set of admission plug-ins, which do things like enforce security policies, resource limitations, or config requirements. 

One such admission plug-in is the Security Context Constraint (SCC), which specifically controls permissions for pods. Eight SCCs exist in Red Hat OpenShift, and by default, the restricted SCC is applied to each new running pod. A couple of the permissions you’ll see with the restricted SCC are that pods cannot run as privileged, nor can they mount host directory volumes. 

Red Hat Partners extend and enhance OpenShift admission control by using the webhook admission plug-in. For example, characteristics or policies about the image, like vulnerabilities, configs, and provenance, can be used to pass or fail admission before the pod is created.

Running cluster

Behavioral analysis is a generic method that spans a good amount of security functions with the intent of detecting threats to the running cluster.  Monitoring running containers, network traffic, and configuration drift are some examples of what to include when implementing behavior analysis functions on the cluster.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides capabilities to monitor system-level events and processes within containers to detect suspicious activity. RHACS uses prebuilt policies to detect crypto mining, privilege escalation, and various exploits.  

Threat defense is both about a response to what behavioral analysis may discover, and proactive protection of any possible malicious activity. While automated remediation responses seem ideal, sometimes it is not practical when it comes to affecting a critical production application.  

Another technology to mention in regards to proactive protection is Runtime application self-protection (RASP), which has emerged as a technology that takes defense a step further than a traditional firewall by understanding more about the application inputs. The RASP market is definitely interesting, but still seems to be in its infancy. 

Both Red Hat and our security ISV ecosystem provide capabilities in this category to add to a defense-in-depth approach to DevSecOps.

Enhance and extend Runtime Analysis with Red Hat partners

As Red Hat Advanced Cluster Security for Kubernetes does strengthen the layered approach to container and Kubernetes security for Red Hat OpenShift Container Platform, Red Hat continues to work closely with its certified ecosystem of partners to enhance and extend Runtime Analysis capabilities for our customers. 

Ultimately, Red Hat remains committed to a broad and deep ecosystem that provides customer choice and facilitates innovation in order to help your organization's DevSecOps practice.  

If you are looking to enhance and extend Red Hat’s security capabilities in Runtime Analysis, take a look at the following Red Hat Partners:

For more information, visit "Modernize and secure applications with DevSecOps," or begin your discussion with us on enhancing container security and adopting DevSecOps. 

For similar blog posts on Red Hat’s DevSecOps Framework, search for previous months’ categories (Network Controls, Data Controls, Compliance, Identity and Access, and Vulnerability and Configuration Management) and stay tuned for upcoming posts.


关于作者

Dave Meurer currently serves as a Principal Solution Architect on the Red Hat Global Partner Security ISV team, where he owns technical relationships and evangelism with security independent software vendor partners of Red Hat. Before joining Red Hat, he spent nine years in the Application Security industry with Synopsys and Black Duck, where he served in similar roles as the director of technical alliances and sales engineering.

Meurer also worked for Skyway Software, HSN.com, and Accenture in various management and application development roles. When he’s not thinking about Kubernetes, security, and partners, he enjoys being the VP Sales of North Central Tampa for his wife (the CEO) and 5 kids (Inside Sales).

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事