The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Protecting computer program applications running on networked computing devices typically involves some aspect of monitoring the applications. Monitoring can involve collecting application messages and other data traffic that the applications emit toward a network, directed at peer instances of the applications, directed at servers, or directed at client computing devices.
Approaches for protecting computer program applications against security threats can be grouped in the following categories: vulnerability detection, network-based approaches, and runtime access control. Vulnerability detection involves examining computer program binary files to determine whether known vulnerabilities exist. Specifically, static vulnerability detection approaches involve scanning program executables or virtual container images for virus signatures. One of the major drawbacks of this approach is that virus signature definitions require frequent updating. Without updated virus definitions, scanning program executables may miss new vulnerabilities, such as zero-day vulnerabilities.
Network-based approaches to identifying security threats involve examining network traffic to detect malicious activity. However, network-based approaches have limited visibility into application behavior because specific types of application activity, such as file I/O, do not have any corresponding network activity that can be detected at the network level.
Runtime access control involves limiting the type and number of actions that specific computer programs can perform. Computer programs implemented within a virtual environment such as a virtual machine or container may be monitored using runtime access control. Containerization has emerged as a popular alternative to virtual machine instances for developing computer program applications. With containerization, computer program code can be developed once and then packaged in a container that is portable to different platforms that are capable of managing and running the containers. Consequently, containerization permits faster software development for the same program for multiple different platforms that would otherwise require separate source branches or forks, or at least different compilation and execution environments. The DOCKER containerization system from Docker, Inc. of San Francisco, Calif. has emerged as a popular choice for containerization architecture. However, containerization also can impose constraints on inter-program communications.
Runtime access control includes mandatory access control techniques. Mandatory access control techniques involve the operating system constraining the ability of an initiator to access or perform an operation on a target object. Examples of mandatory access control include Security-Enhanced Linux (SELinux), which is a Linux kernel security module that provides a mechanism for supporting access control security policies. Another example of access control involves a sandboxing approach, such as seccomp, which is a security mechanism for separating running programs and restricting the set of system calls that a computer program is allowed to make. However, runtime access control approaches have several drawbacks. One such drawback is that they require a manually defined set of rules for each unique program monitored. Defining program-specific rules involves customized manual interaction and may require continuous updating when programs change or receive version updates. Another drawback is the high level of maintenance needed to ensure that the manually defined rules behave correctly and do not become stale or generate false positives or false negatives.
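The seccomp approach described above, as an added illustration that is not part of this disclosure: a manually written seccomp-bpf deny-list installed by an unprivileged process on Linux. Every syscall number listed in `denied` (a hypothetical per-program rule set, which is exactly the artifact the text says must be hand-maintained for each program) fails with EPERM instead of killing the process, so the effect can be observed; `install_deny_filter` and `probe_mkdirat` are names chosen here, and the example assumes x86_64 or aarch64 headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define MAX_DENIED 64

/* Install a filter that makes every syscall number in `denied` fail with
 * EPERM and allows all others. Returns 0 on success, -1 with errno set. */
int install_deny_filter(const int *denied, size_t n) {
    if (n > MAX_DENIED) { errno = E2BIG; return -1; }
    struct sock_filter insns[6 + MAX_DENIED];
    size_t k = 0;
    /* Fail closed (kill the thread) if the syscall ABI is not the one the rules were written for. */
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One compare per denied number; a match jumps over the ALLOW to the ERRNO return. */
    for (size_t i = 0; i < n; i++)
        insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[i], (unsigned char)(n - i), 0);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = insns };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter; children inherit it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe mkdirat through the raw syscall so libc cannot substitute another
 * entry point. Returns 0 if the directory was created (then removed), else errno. */
int probe_mkdirat(const char *path) {
    if (syscall(SYS_mkdirat, AT_FDCWD, path, 0700) != 0) return errno;
    rmdir(path);
    return 0;
}
```

Once installed the filter cannot be removed by the process, which is why the rule set must be complete and correct before installation.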
The term “microservices” describes a modular way to architect applications, so that they are split into independent units (i.e., “services”) which communicate through application programming interfaces (APIs) and well-defined interfaces. Microservices bring many benefits, such as reduction of the number of points of failure; a structure that enables multiple teams to work concurrently on the same application and supports continuous delivery; better separation of concerns and responsibility; and scalability.
Further information about microservices is available online at the time of this writing in the article “Microservices” in the “wiki” folder of the domain “en.wikipedia.org” and the present disclosure presumes that the reader is knowledgeable about microservices at least to the extent set forth in the foregoing article. Microservices have been adopted by many enterprises in the past, but we're now seeing a big push toward them, driven by the rise of containerization technologies like Docker.
Containers offer a way to package and isolate individual applications and allow for finer-grained access control than is generally supported by existing access control techniques such as SELinux and seccomp, which are typically implemented to provide system-level protection. Therefore, a more flexible monitoring and protection system that does not require manually defining sets of rules is desirable.