This is a guest blog written in collaboration with the Snyk and Sysdig teams.


Earlier this year Sysdig and Snyk announced a partnership, bringing together industry-leading container runtime and developer security platforms. Together, Snyk and Sysdig are helping developers secure code and containers in development, protect the runtime Kubernetes environment, and deliver feedback and visibility from production back to developers, eliminating the noise of container vulnerabilities. Oracle is embracing this partnership by publishing a Quick Start that simplifies the deployment of both solutions to an OKE (Oracle Container Engine for Kubernetes) environment.


Vulnerability overload undermines security and productivity

The advent of microservices and containerization has enabled developers to deliver code with an unprecedented rate of efficiency. As productivity volume increases and organizations deliver code at new levels of intensity, one of the greatest challenges in any containerized cloud environment is to ensure development cycles are not lost on identifying security vulnerabilities and code remediation. 

Sysdig and Snyk have partnered to deliver integrated code-to-container runtime security that eliminates up to 95% of vulnerability alert noise, optimizes remediation, and protects the runtime. Developers retain the ability to move fast without sacrificing security.

The accelerating pace of cloud-native development is enabling faster innovation, but it is also leaving behind a growing vulnerability backlog. Developers are overwhelmed with vulnerabilities without knowing their actual risk or where to focus remediation efforts. Just trying to make sense of the noise takes precious time away from coding, not to mention the frustration of spending time on vulnerabilities that don’t matter because they incur no real risk.

Security and operations teams monitoring runtime environments are also awash in vulnerability alert noise. Wasting resources on triaging vulnerabilities has a high price. It takes attention away from real threats. 

The Sysdig 2022 Cloud-Native Security and Usage Report revealed that as much as 75% of containers with “high” or “critical” patchable vulnerabilities run in production. Vulnerability overload clearly makes remediation unmanageable, resulting in organizations having to deal with an uncomfortable average of about six months to remediate. This leaves a dangerously large window of exposure to vulnerabilities that can be actively exploited by threat actors.


Fixing all vulnerabilities is an unrealistic goal, yet giving up on timely remediation is a dangerous bet. Prioritization is required.


Filtering out the noise with runtime intelligence

Snyk is the leader in developer security. With Snyk Container, developers get visibility into vulnerabilities in containers and Kubernetes workloads throughout the entire development process. Snyk Container guides developers to build containers on more secure base images. But vulnerabilities are practically unavoidable in today’s applications assembled from open source and third-party packages. The result is environments with tens of thousands of vulnerabilities in packages included in containers.

However, containers are often bloated with contents and packages that are not used when the application runs. So, trying to prioritize vulnerabilities without an upfront cut-off — to separate what matters from what doesn’t — results in what you get from existing prioritization approaches. Noise in, noise out. That is why vulnerability overload pain is so prevalent. And, that is where Sysdig Secure container runtime security intelligence comes into play. 

Sysdig pioneered cloud-native runtime threat detection and response by creating Falco, the open-source standard for continuous risk and threat detection across Kubernetes, containers, and cloud. It is like a security camera that continuously detects activity including unexpected behavior, configuration changes, and intrusions in real time. With it you can answer the question, “What is happening inside my containers during runtime?”

Sysdig Secure extends and scales the open-source Falco engine, adding out-of-the-box policies and workflows for security and compliance. It provides a SaaS-first security solution for containers, Kubernetes and cloud that helps users deliver threat detection and response at scale.

Sysdig’s container runtime intelligence is able to identify what is actually used within a container during its execution in production. In the joint solution with Snyk, Sysdig provides the details of what packages are actually used at runtime to Snyk Container, enabling Snyk to help developers focus on vulnerabilities affecting packages that are actually used when the container is running. These are the ones to fix first because they are at real risk of being exploited.
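The mechanism described above, as an added illustration that is not Snyk or Sysdig code: scan findings are split into those whose package was observed executing at runtime and everything else, and the noise share is computed. The data formats, vulnerability ids and package lists are constructed for the example.

```python
"""Runtime-context vulnerability prioritization (added illustration).
Image-scan findings are split so that vulnerabilities in packages actually
loaded at runtime come first. Field names, ids and package lists are
constructed; they are not the Snyk or Sysdig data formats."""
from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # placeholder ids below stand in for real CVE identifiers
    package: str   # package name as reported by the image scanner
    severity: str  # critical / high / medium / low
    fixable: bool  # a fixed version exists


def _rank(f: Finding) -> tuple:
    """Most severe first, then fixable before unfixable, then stable by id."""
    return (-SEVERITY_RANK.get(f.severity, 0), not f.fixable, f.vuln_id)


def prioritize(findings: Iterable[Finding], runtime_packages: set) -> dict:
    """'fix_now' = package seen executing at runtime; everything else is backlog."""
    findings = list(findings)
    fix_now = sorted((f for f in findings if f.package in runtime_packages), key=_rank)
    backlog = sorted((f for f in findings if f.package not in runtime_packages), key=_rank)
    noise_pct = round(100 * len(backlog) / len(findings)) if findings else 0
    return {"fix_now": fix_now, "backlog": backlog, "noise_reduction_pct": noise_pct}


# Constructed scan of a bloated image: several packages are installed but never run.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "openssl", "critical", True),
    Finding("VULN-0002", "curl", "high", True),
    Finding("VULN-0003", "imagemagick", "critical", True),
    Finding("VULN-0004", "perl", "medium", False),
    Finding("VULN-0005", "libxml2", "high", False),
    Finding("VULN-0006", "binutils", "high", True),
]
# Constructed runtime observation: packages the running container actually used.
SAMPLE_RUNTIME_PACKAGES = {"openssl", "curl", "libxml2"}

if __name__ == "__main__":
    result = prioritize(SAMPLE_FINDINGS, SAMPLE_RUNTIME_PACKAGES)
    print(f"{result['noise_reduction_pct']}% of findings are outside the runtime set")
    for f in result["fix_now"]:
        print("FIX NOW:", f.vuln_id, f.package, f.severity)
```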

Integrated prioritization enables optimized remediation

As evidenced by the persistently large number of vulnerabilities found in production, previous prioritization approaches render vulnerability reports still polluted with noise. Without the runtime context, developers end up overwhelmed by low-risk or irrelevant vulnerabilities, and may even waste resources fixing them. And, what’s worse, developers may miss critical vulnerabilities, leaving them unpatched, which can lead to breaches.

With Sysdig and Snyk integration, developers can focus. The runtime context pinpoints exploitable packages that are active in production applications. Because developers can now clearly see the few issues that cannot wait, they get more committed to remediating faster. Less guesswork and more done.

Bridging the gap between development, security, and operations 

Oracle is very happy to partner with Snyk and Sysdig because a secure DevOps culture is fully embraced when it delivers a positive impact across teams. All teams get what they need to develop and run secure cloud-native apps while removing the barriers standing in the way of faster innovation. 


The container security runtime integration is a good example of bridging gaps and delivering great value to developers, security, and operations. With risk mitigated more efficiently, SecOps improves the organization’s risk exposure and can better focus on detecting early signs of threats. Plus, developers gain time back to code, advancing business goals.

From managing vulnerabilities to detecting and responding to real-time threats as well as monitoring and troubleshooting cloud-native environments, taking advantage of Sysdig and Snyk in an Oracle Cloud environment will help you deliver the most comprehensive security to:

  • Secure containers from code to runtime: Integrate security into the container and Kubernetes lifecycle — from secure base images to vulnerability prioritization, to detecting real-time threats and new vulnerabilities at runtime.
  • Build secure from the start: Address vulnerabilities and remove unnecessary packages right in the build process based on what is really necessary for production. 
  • Ensure runtime protection: Make sure that threat detection is in place to protect against attacks until new critical vulnerabilities and vulnerabilities targeted by zero-day exploits are remediated. 
  • Unify prioritization: Get a unified view of risk, pairing runtime context with vulnerability checks, to prioritize alerts that matter. Developer and operations workloads become manageable when teams know what needs to be fixed now, versus in a week, and what is just simply noise that can be ignored. 

Securing Workloads on OKE 

Oracle Container Engine for Kubernetes (OKE) is an Oracle-managed container orchestration service that can reduce the time and cost to build modern cloud-native applications. Unlike most other vendors, Oracle Cloud Infrastructure provides Container Engine for Kubernetes as a free service that runs on higher-performance, lower-cost compute shapes. In this Quickstart we walk you through the steps needed to deploy Snyk and Sysdig and take advantage of both their individual capabilities and their integrated value.


Sysdig Quickstart Prerequisites

  • An OCI account, with the Oracle CLI (Resource Manager) and Terraform installed and configured. Find the step-by-step instructions in the Oracle QuickStart Prerequisites.
  • A Sysdig account, plus its configuration parameters (see the basic configuration example below).
  • If the Snyk integration is enabled, the Snyk monitor configured and running on the same cluster.


Using Resource Manager

To make things easy you can deploy Sysdig directly to your Oracle Cloud tenancy using the deploy button below:

  1. Click the Deploy to Oracle Cloud button to go to the OCI deployment wizard.
  2. Provide the configuration parameters and credentials explained in the prerequisites section above.
  3. Follow the wizard instructions and run Plan to check the stack.
  4. Go to Stack Page > Terraform Actions > Apply to deploy the infrastructure.
  5. If you no longer need the infrastructure, run Stack Page > Terraform Actions > Destroy.

Using Terraform Scripts

Alternatively, you can use the Terraform scripts to apply the same configuration. If you are using Terraform (locally or via Cloud Shell), copy the file terraform.tfvars.example to terraform.tfvars and populate the necessary variables. Make sure you have the OCI CLI installed and configured, then run terraform init, terraform plan and terraform apply.

Basic configuration example

# OCI authentication
tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaahpra2di6l4levg7gtrb7w25xplkrba3dkclhcff48vofxuvv36pd"

# Deployment compartment
compartment_ocid = "ocid1.compartment.oc1..aaaaaaaatd5ktvvwe1r4mybei7nfqvcwfdsepggun4kvojgeh5mbibryy22tq"

# Region
region = "us-sanjose-1"

# Sysdig
sysdig_access_key                 = "3e43321c-45ee-423d-b243-fab4d40cc87a"
sysdig_settings_collector         = "ingest-us2.app.sysdig.com" # us-west
sysdig_settings_collector_port    = "6443"
sysdig_node_analyzer_api_endpoint = "us2.app.sysdig.com"        # us-west

Snyk Quickstart Prerequisites

  • An Oracle Cloud Account. If you don’t have one you can sign up for a trial here.
  • A Snyk Business or Enterprise plan.
  • If the Sysdig integration is already enabled, you need the Sysdig agent configured and running on the same cluster.

To make things easy you can deploy Snyk directly to your Oracle Cloud tenancy using this button:


Follow the wizard, enter your Snyk Integration ID, and click Apply.

  • Locate your Snyk Integration ID from the Snyk Integrations page (navigate to https://app.snyk.io/org/YOUR-ORGANIZATION-NAME/manage/integrations/kubernetes) and copy it. The Snyk Integration ID is a UUID and looks similar to the following: abcd1234-abcd-1234-abcd-1234abcd1234
  • Optionally, enter the container private registry credentials if you plan to use a private registry and scan its container images.

You can also enable the Sysdig integration. The Sysdig agent must be installed and running on the same cluster. The scripts clone the Sysdig secret into the Snyk namespace. If the secret has a name other than the default, or the Sysdig agent runs in a different namespace, enter those values.

Remember to select “Run Apply” when creating the stack. You can also do this later by clicking the “Apply” button on the stack details page.

Using Terraform Scripts

Optionally, you can use the underlying Terraform scripts to apply. If you are using Terraform (locally or via CloudShell), you need to copy the file terraform.tfvars.example to terraform.tfvars and populate the necessary variables.

Using Snyk

Now that we have some workloads running on our OKE cluster and deployed Snyk, we can analyze these for insights into:

  • Issues in open source libraries.
  • Base image upgrade recommendations.
  • Application misconfigurations.

These come in addition to the other features critical to running a secure environment that are available with Snyk Container.

Scan Workloads

Log in to Snyk and navigate to the Integrations menu, then click the Kubernetes section. Select your cluster and the desired namespace (in this case both are named goof) and click the Add selected workloads button as shown below:


Which Kubernetes workloads do you want to test?

Detailed instructions on adding Kubernetes workloads are available in our Documentation Pages.

Project Status

Once selected, you will be redirected to the main projects page where you will find a summary of the findings grouped by project as shown below:


From this view, you can drill into each category and examine the findings. Let’s start with misconfigurations of our cluster.

Project Status detail

Here we see that our application was deployed with various settings that were either not defined or incorrectly defined, for example containers in the workload that have container.securityContext.runAsNonRoot set to false or left unset. These findings are resolved by updating the Kubernetes manifest files for the deployment, and they can be caught proactively with one of the many Snyk Source Code Management (SCM) integrations.
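To make the runAsNonRoot finding concrete, here is an added example (not Snyk's own check) that applies the rule from the text to a workload manifest and produces the corrected manifest. The Deployment, image names and the goof container names are constructed; the pod-level securityContext fallback follows Kubernetes semantics.

```python
"""Check Kubernetes workload manifests for the runAsNonRoot misconfiguration.
Added example for the finding discussed above; it is not Snyk's own check.
A container is flagged when securityContext.runAsNonRoot resolves to false
or unset; a pod-level securityContext is honoured as the default, as Kubernetes
does. Manifests are constructed inline as dicts (the parsed form of YAML)."""
import copy


def container_specs(manifest: dict) -> tuple:
    """Return (pod_spec, containers) for a bare Pod or a Deployment-style workload."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)  # workload vs. Pod
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return pod_spec, containers


def check_run_as_non_root(manifest: dict) -> list:
    """Names of containers whose runAsNonRoot is false or unset."""
    pod_spec, containers = container_specs(manifest)
    pod_default = pod_spec.get("securityContext", {}).get("runAsNonRoot")
    failing = []
    for c in containers:
        value = c.get("securityContext", {}).get("runAsNonRoot", pod_default)
        if value is not True:  # False, or None when unset at both levels
            failing.append(c["name"])
    return failing


def harden(manifest: dict) -> dict:
    """Return a copy with runAsNonRoot: true set on every container (the manifest fix)."""
    fixed = copy.deepcopy(manifest)
    for c in container_specs(fixed)[1]:
        c.setdefault("securityContext", {})["runAsNonRoot"] = True
    return fixed


# Constructed Deployment in the goof namespace: one container leaves the setting
# unset, the other sets it to false; both should be reported.
GOOF_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "goof", "namespace": "goof"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "goof", "image": "example/goof:latest"},
        {"name": "goof-mongo", "image": "example/mongo:latest",
         "securityContext": {"runAsNonRoot": False}},
    ]}}},
}

if __name__ == "__main__":
    print("failing:", check_run_as_non_root(GOOF_DEPLOYMENT))  # ['goof', 'goof-mongo']
    print("after fix:", check_run_as_non_root(harden(GOOF_DEPLOYMENT)))  # []
```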


Next, let’s examine our container image.

Examine container image

Here we are provided with a base image upgrade recommendation that takes into account which image is compatible with our application and reduces the number of vulnerabilities to improve our security posture.


Finally, let’s examine our open source dependencies and find vulnerabilities.

open source dependencies and found vulnerabilities

In this view, we get detailed contextual data on found vulnerabilities along with Snyk’s Priority Score which helps to drastically simplify one of the biggest challenges in using open source securely: working out which vulnerabilities to tackle first.


Want to learn more?

Together, Oracle, Snyk, and Sysdig help you more effectively deliver secure, cloud-native applications with a managed container orchestration service. Using the Quick Start outlined above you can take advantage of the integration of runtime intelligence with vulnerability management on OKE, giving your teams better insights into where to focus time and attention to reduce risk.

Join us for our joint webinar on June 23rd, at 9am PT to learn more about Oracle, Snyk, and Sysdig and see the integrated solutions in action. Click here to register for the online event.