KubeCon: Cisco tames cloud application security chaos with OpenClarity

Cisco is looking to help tame cloud application security madness.

At KubeCon + CloudNativeCon Europe 2023 in Amsterdam on Thursday, Cisco rolled out the latest in a line of open-source tools designed to help developers secure modern distributed applications. Previous components in the OpenClarity suite secured applications built with APIs, containers, and serverless functions. The new VMClarity tackles security for applications built with virtual machines.

The security problem is far more complex than five to 10 years ago when enterprises ran prepackaged applications in their local environment, Vijoy Pandey, Cisco SVP of emerging technologies and incubation (ETI), said in an interview with Silverlinings. Now, assets might be running anywhere around the world, both on-premises and in the cloud.

And applications are built using assets from a broad array of sources. For example, a banking app for a mobile device might be built using mobile APIs that connect to a cloud back end, such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). That application might also use APIs to connect with assets from cloud application providers such as Salesforce, Workday, and Twilio. Additionally, the application might connect to the organization’s internal applications running on-premises, possibly on a mainframe or bare metal server. And more than 70% of software today is open source, Pandey said.

Responsibility for securing applications is moving earlier in the application lifecycle. Developers are now responsible for securing code from the beginning, through continuous integration and deployment, to production and runtime. This changed philosophy is often called “Shift Left,” imagining the software lifecycle moving from development on the left to production on the right.

Cisco is tackling Shift Left through its OpenClarity open-source suite, launched more than a year ago with APIClarity, to address API security. APIClarity was followed by FunctionClarity for serverless functions. And KubeClarity is designed to help secure containerized applications built using Kubernetes.

VMClarity, introduced Thursday, helps secure code built and running on virtual machines, regardless of where the VM is running, whether in the public cloud or on-premises. VMClarity looks for potential threats inside the VM, including rootkits, leaked secrets, misconfiguration, and malware. VMClarity determines what components are used in a VM and compiles a Software Bill of Materials (SBOM) to determine whether those components are secure and up-to-date. And because VMClarity is agentless, it protects VMs without writing or modifying any code.

OpenClarity is part of Panoptica, a Cisco service for cloud-native application security for DevSecOps, Platform, and DevOps teams.

Tools like OpenClarity help organizations secure their infrastructure and applications by providing visibility and understanding of what’s happening in the compute environment, Eric Hanselman, chief analyst, technology, media and telecom (TMT), S&P Global Market Intelligence, said in an interview.

Cisco has the strength of bringing together compute, networking, and applications in a package, Hanselman said.

But Cisco faces tough competition, including major cloud platforms such as AWS and Azure, which have their own native security tools, Zeus Kerravala, founder and principal analyst with ZK Research, said in an interview. However, those cloud providers’ tools only work on their own, individual platforms, giving Cisco a potential edge.

In addition to the security tools, Cisco on Thursday launched Nasp, open-source software for integrating applications running on edge devices, legacy virtual machines, and mobile clients, into a Kubernetes service mesh. And the company introduced Media Streaming Mesh to more efficiently run real-time media applications in cloud-native Kubernetes environments.

Also this week at the Amsterdam conference, two leading projects from the Cloud Native Computing Foundation (CNCF), Argo and Prometheus, underwent software supply chain security audits.

