Engineering Blog


Falco, Cloud-Native Security Tool for Kubernetes, Graduates from CNCF

The Cloud Native Computing Foundation (CNCF) recently announced a major milestone: the graduation of Falco, a powerful open-source tool designed for real-time threat detection in Kubernetes and cloud-native environments. This graduation signifies Falco’s maturity, stability, and growing importance within the cloud-native security landscape.

From Sandbox to Graduation: A Journey of Security Innovation

Falco’s journey began in 2016 with its creation by Sysdig. Recognizing the critical need for runtime security in cloud-native deployments, Sysdig contributed Falco to the CNCF Sandbox program in 2018. After undergoing rigorous evaluation, Falco graduated to the Incubation level in 2020. During this incubation period, Falco demonstrated its capabilities and garnered significant community support.

Falco’s success hinges on its ability to provide deep visibility into container activity, Kubernetes deployments, hosts, and cloud services. This visibility comes from kernel-level instrumentation, a Linux kernel module and eBPF technology, that captures system calls as they happen and feeds them to the rules engine, enabling real-time threat detection and analysis.

Falco’s Architectural Powerhouse: Rules, Filtering, and Openness

Falco empowers users to define custom rules built on Sysdig’s filtering expression syntax. These rules allow for pinpointing potentially suspicious activity inside containers. For instance, a rule can be written to detect attempts to launch a Bash shell process within a container, a common tactic used by attackers after gaining a foothold.
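The following rule file is an added illustration of the kind of rule described above; it is not from the original article or from the Falco project’s own default rule set. It defines the two helper macros it depends on (`spawned_process` and `container`) inline, so the file loads on its own, and the rule name, description and tags are this example’s own choices.

```yaml
# Added example: detect a Bash shell being launched inside a container.
# Macros are defined here so this file does not depend on the upstream rule set.

- macro: spawned_process
  # An execve/execveat event in the exit direction (the new process exists).
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: container
  # Events from the host itself carry container.id = host.
  condition: container.id != host

- rule: Bash Shell Spawned in Container
  desc: A bash process was started inside a container, which is rare for production workloads
  condition: >
    spawned_process and container and proc.name = bash
  output: >
    Bash shell spawned in container
    (user=%user.name container=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Load it with `falco -r bash-shell.yaml` (the file name is arbitrary) and Falco will emit one alert per matching exec, with the fields named in `output` expanded from the event. In practice a rule like this is tuned with exceptions for images where an interactive shell is expected, such as debug or CI containers, and broadened to cover other shells (`sh`, `zsh`, `dash`) once the initial alert volume is understood.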

Further enhancing its flexibility, Falco introduced a robust plugin system in 2022. This system lets developers write plugins that integrate additional event sources and field extractors. Falco’s openness extends to the programming languages supported for plugin development: while Go and C++ are preferred, developers can use nearly any language as long as the resulting plugin exposes the functions the plugin API requires.

Falco’s Graduation: A Stepping Stone for the Future of Cloud-Native Security

The graduation of Falco is not just a recognition of its past achievements, but a springboard for future advancements. Loris Degioanni, Falco’s creator and CTO of Sysdig, emphasizes the importance of Falco’s plugin system in expanding its use cases within the ever-evolving cloud-native landscape.

Chris Aniszczyk, CNCF’s CTO, highlights the significance of Falco’s real-time threat detection capabilities for securing cloud-native deployments at scale. He anticipates continued advancements in cloud-native runtime security with Falco at the forefront.

Falco’s graduation from the CNCF signifies a significant step forward in securing cloud-native environments. With its powerful features, open architecture, and thriving community, Falco is poised to play a vital role in the future of cloud security.
