In this TCP Talks episode, Justin Brodley and Jonathan Baker chat with Liz Rice, VP of open source engineering for Aqua Security, which provides tools to secure cloud-native deployments. 

Liz describes Aqua’s evolution over the years: From a provider of container security to its acquisition of CloudSploit and its development of open-source security solutions. Most customers are using cloud native software, and Aqua wants to secure those workloads and engage that community. 

“As a business, we have to be where the discussions are. Having open-source tools that are genuinely useful gives us a good way to participate in that community,” Liz explains. 

In addition to her role at Aqua Security, she is the chair on the CloudNative Computing Foundation‘s (CNCF) Technical Oversight Committee. During the conversation, Liz gives an overview of how they handle projects.

Key Takeaways

• Open source tools offer an entry point into communities. “As a business, we have to be there — we have to be where the discussions are. And having open source tools and solutions that are genuinely useful gives us a good way of participating in that community,” Liz says of the value of Aqua developing open-source tools. The company’s Starboard toolkit for finding risks in Kubernetes workloads and environments is a recent example.
• Liz discusses Starboard’s comparative advantage — it integrates existing Kubernetes tools, not just from Aqua but also from third-parties, into the Kubernetes experience. “You can run Trivy through Starboard and your results are right there next to the workload you’re interested in,” she says. 
• Liz discusses CNCF’s role with Kubernetes and beyond. “Google today contributes tons of time, energy, and engineering hours into Kubernetes. If tomorrow they were to decide they were going to walk away, Kubernetes still exists, and it would do so because of the CNCF and its participants,” she explains. 

Resources 

Here’s what was mentioned in the episode

• “Container Security: Fundamental Technology Concepts that Protect Containerized Applications“: Liz Rice’s book.
• Aqua Security: a company that delivered security solutions for applications.
• Cloud Native Computing Foundation: CNCF serves as the vendor-neutral home for many of the fastest-growing open-source projects, including Kubernetes, Prometheus, and Envoy.
• CloudSploit: security scanner for cloud accounts.
• Trivy: vulnerability scanner for container images.
• Starboard: makes security information available across the Kubernetes API in a native way.
• Prometheus: an open-source metrics-based monitoring system.
• Istio: Googl