Falco is the First Runtime Security Project to Join the CNCF Incubator

January 2020 by Marc Jacob

Sysdig, Inc., the secure DevOps leader, announced that Falco, the open source cloud-native runtime security project originally created by Sysdig, has been accepted as a Cloud Native Computing Foundation® (CNCF®) incubation-level hosted project. Falco entered the CNCF as a Sandbox Project in October 2018, the first and still the only runtime security technology to join. In the event of unexpected behavior at runtime, Falco detects and alerts, reducing the risk of a security incident.

Gartner analysts predict that “by 2021, more than 75% of midsize and large organizations will have adopted a multicloud and/or hybrid IT strategy.” [1] Business benefits of cloud environments orchestrated by Kubernetes include shorter software production cycles and consistency across multicloud and hybrid deployments. As a result, organizations are standardizing on Kubernetes as their container orchestrator. The Sysdig Container Usage Report found that in 2019, 77 percent of Sysdig customers operated Kubernetes environments, a 26 percent increase over 2018.

Kubernetes provides easy access to infrastructure for development teams. However, securing Kubernetes requires putting controls in place to detect unexpected behavior. Common risks include exploits of unpatched and new vulnerabilities, insecure configurations, leaked or weak credentials, and insider threats that can be used as entry points into the application and to access data.

When operating a cloud-native environment, being able to detect anomalous activity is the last line of defense. This requires understanding unexpected service interactions between containers without impacting performance. Falco uses extended Berkeley Packet Filter (eBPF), a safe in-kernel mechanism, to capture system calls and gain deep visibility into what each container is doing. By adding Kubernetes application context and Kubernetes API audit events, teams can understand who did what.
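To make that concrete, here is an added example of a Falco rule (written for this article, not taken from the Falco project's own ruleset): it flags an interactive shell started inside a container, an event Falco sees at the system-call level, and enriches the alert with the Kubernetes namespace and pod so the responder knows where it happened. Macro and field names follow the Falco rule syntax as I know it; confirm them against the Falco version you deploy.

```yaml
# Added example, not part of the original article.
# Self-contained: the two macros are defined here so the rule loads on its own.

# A process is "in a container" when its container id is not the host.
- macro: container
  condition: container.id != host

# A new process was started (exit side of execve).
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# Most workloads never start a shell after they are up, so this is a useful
# anomaly signal to investigate, not by itself proof of compromise.
- rule: Shell Spawned in Container
  desc: >
    An interactive shell was launched inside a container. Investigate the
    parent process and the pod to decide whether this was expected.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash)
  # Kubernetes fields give the "who did what, where" context the text refers to.
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     container=%container.name image=%container.image.repository
     namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell]
```

Exec-based workflows such as `kubectl exec` will also trigger this rule; tune it with an exception list for namespaces or images where shells are legitimate rather than lowering the priority globally.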

“Runtime security is a critical piece in a cloud-native security story and essential for anyone taking cloud-native security seriously. Access control and policy enforcement are important prevention techniques, but runtime security is needed to detect threats that evade preventions,” said Kris Nova, Chief Open Source Advocate at Sysdig.

Security for cloud-native systems is one of the few areas of the CNCF landscape that is still being standardized. Acceptance as an incubation-level hosted project signals that Falco is the de facto open source standard for cloud-native runtime security. Falco is trusted by government agencies, financial institutions, Fortune 2000 enterprises, and web-scale companies.

“It is great to see Falco advance within the CNCF to the incubating stage. As cloud-native technologies and our ecosystem mature, focus rightly shifts towards security. Falco fills a key gap in the cloud-native security landscape around intrusion detection. Combined with other projects and technologies on the prevention side, we have a comprehensive open source toolkit to enable an enhanced security posture for those investing in cloud native,” said Joe Beda, Principal Engineer at VMware and CNCF TOC Member.

Falco’s accomplishments since joining the CNCF

100 percent increase in commits year-over-year
64 committers
More than 2000 GitHub stars
55 contributors, including engineers from Shopify, Snap, and Booz Allen Hamilton

Since joining the CNCF, the Falco community has focused on making Falco easier to adopt and to contribute to. A governance model, an outline that sets guidelines and standards for both contributors and maintainers to ensure the project’s compliance and health, was implemented during the last year. Falco was also made available in the Google marketplace and included in the launch of several major cloud projects, including AWS FireLens and Google Anthos. The Falco community created an operator that is available in the

One of the major challenges of operating containers is defining the complex detection rules and configurations. At KubeCon + CloudNativeCon, Sysdig announced the Cloud-Native Security Hub, a repository for discovering and sharing Kubernetes security best practices and configurations. The hub currently hosts Falco rules. During the next phase, the Falco community will expand its scope to include rules and configurations for other Kubernetes security tools.

The future of Falco

While in the CNCF Incubator, the Falco community will continue to drive end user adoption. The main focus will be on making Falco easier to consume and integrate in cloud-native environments. This includes moving components of Falco to an API-first architecture, which enables the community to begin developing integrations with other tools, including Prometheus, Envoy, and Kubernetes.

To get started with Falco, visit its Falco GitHub page. To get involved, join the Falco Slack channel and attend the weekly office hours calls to discuss feature work, open issues, and repository planning.

Learn more about Falco on the blog and follow on Twitter. Learn more about Sysdig on the Sysdig blog and Twitter.

[1] Gartner, “Technology Insight for Network Security Policy Management,” Rajpreet Kaur, Adam Hils, John Watts, February 21, 2019.
