A
This is Catalin Cimpanu and this is a Risky Business News sponsor interview with Prowler Founder and CEO Toni de la Fuente. Welcome, Toni. Hello.
B
Thanks for having me, Toni.
A
Prowler is a cloud security product that can be used to secure multi-cloud environments like AWS, Azure and Kubernetes. You offer your product as a free open source repo available on GitHub and as a classic cloud-hosted SaaS commercial platform for the customers who want it managed for them and have strict data access requirements. In case anyone wants to see how your product works, you and Pat recorded a Prowler demo that went out last week that I will also link in the show notes. You not only open source your product, but you also preach for open source in general. Your company is also behind a side project you call the Open Cloud Security Movement. Can you tell me more about it and how it's related or important for Prowler?
B
One of the reasons that we started the Open Cloud Security Movement is because we have seen over the last years a lack of improvement actually in the cloud security posture of companies all around the world moving to AWS, Azure, GCP or using Kubernetes. Why is that? It's because we have a lot of black boxes, solutions with poor customization or a lot of noise in their findings, etc. So what we wanted to tell everybody and also to highlight is the need for proper solutions and collaboration. Open collaboration between companies and between organizations that are in cloud security. If you think about back in the early days of the Internet, the Internet didn't explode until we had proper enterprise solutions like Linux with Red Hat and other providers, right? I think in order to keep growing the cloud adoption, we need also to keep growing open source about cloud security. So that is one of the main reasons for having the Open Cloud Security Movement and the manifesto highlighting what we think is needed for everybody, right? Like being transparent and open. The collaboration around open source, making that code available to everybody. The innovation part that we need also as open source, of course, educating our community and making sure we adapt to everything that is new.
A
So you basically saw the success of cloud infrastructure in general, which is based mostly on Linux, Kubernetes, MongoDB, Elastic, all open source projects, all the backbone of the cloud. So you're trying to replicate this in the cloud security world. Do you see your company's success directly tied to the usefulness of Prowler's open source version? Is that where you see your future growth coming from?
B
Of course, of course. I mean, we respect everybody around open source, of course, and different types of open source, open core. But we truly believe in the pure open source concept. Let's say, of course, there are many different licenses, but if you want to allow everybody to access a technology, the best way is using open source, right? Of course, that is what we do with Prowler, but with many others. There are other products doing a very good job on open source and enhancing the security of the Internet. I can mention a few, but you mentioned like Elastic or Wazuh or many other open source projects that are actually the foundation of a better Internet or more secure Internet at the end of the day.
A
But there's obviously some pushback against your way of thinking, mostly because of how people view intellectual property. Those are your main detractors, probably. Companies fear losing technological advantages by opening their code and opening themselves to theft and unfair competitors who cut down research and development. What do you say to these people? How do you win these companies over to go on the open source route?
B
The only way to keep growing the innovation pace and to be up to date with all the new threats and existing threats of the cloud is with an open movement again. So we are not inventing anything new when it comes to open source, right? Because there are so many companies that are a very good precedent when it comes to open source. But talking about the cloud is different. We are not in the age of getting a DVD or CD-ROM and having Linux on your laptop at home. Now, in the cloud nothing is free. So we're talking about open source, but we are talking that everybody's paying something because in the cloud you pay per use, you pay for the innovation to the cloud service providers, etc. So the paradigm of open source is a little bit different here.
A
So basically, as long as your company is doing better than your closed source competition, they're basically winning and they're probably going to adopt your model eventually.
B
And there is something else. I'm going to use the example of Prowler, of course, but it can be for anything else. This is not only about having a SaaS platform where you come to me and you pay and you use it. Of course that is part of the whole thing. But delivering a CLI, a powerful CLI that allows you all the integrations, delivering public APIs, delivering a full set of applications that you can use on-prem or you can use in the cloud as a service, right? The whole platform and some other services around it is what the offering is for the users. Because at the end of the day, of course we are making money, but we are solving a problem. We are solving a problem in the cloud that is still the same as five years ago.
A
Since you mentioned your product, basically your platform works on an engine that performs security checks that look for cloud misconfigurations and many other issues. I think you have around 1,000 checks now, if I remember correctly.
B
Yeah, I don't want a thousand yet.
A
What's the proportion of those that came via your open source community? Do you have a number for that?
B
Around 20 to 30% of the checks are coming from external contributors including AWS and many other companies.
A
This is why you want other companies to adopt your Open Cloud Security Movement, so their products get better through collaboration, right?
B
Exactly. Because I mean we have a team dedicated to doing the research and detecting stuff in the cloud, to writing new checks, new controls, right, and remediations. But it is the whole Internet, I mean the whole community, working. That is why we say community driven. Because if we have companies that need a control for something specific for them, but that can be used also for everybody else, they contribute that back. So we can go to the repo and see the latest contributions. For example, AWS contributed to the Neptune checks lately, but many others in the past. Other companies are contributing new checks because they have Prowler in their CI/CD pipeline, right? When it comes to deploying infrastructure in any cloud, basically in the most popular cloud providers, that is key. But also we have now a new tool called Prowler Studio that, using AI, helps developers to create checks, controls and remediations in minutes rather than hours. It's not perfect because AI is not perfect, but it reduces the time by more than 80%.
A
The Prowler engine is open source, but does this impact your certifications and compliance in any way?
B
Yeah, well, when it comes to certifications or compliance certifications, we support more than 30, like the most common ones and also specific ones for some countries. And they are good for what they are. But of course cloud security is beyond CIS, is beyond NIST, is beyond all that stuff, right? So we try to update the mapping between what a regulation says to what the cloud says, right? Because it's not easy. It's not easy at all. And I mean we also have a team dedicated to that. So the point of having multiple controls and being able to create new controls is not only to detect what is important. As I said, we are detecting stuff, the same threats as five years ago, but also everything that is coming. Like, for example, all the GenAI security stuff that we are also building with Prowler.
A
Has any other company shown any interest in contributing to your movement?
B
We have from Elastic to other companies that we are now finishing the agreements with. But the good thing about the Open Cloud Security Movement is that it is inclusive. Anybody can join this way of thinking, this way of doing cloud security. Since we released the Open Cloud Security Movement and the manifesto like two weeks ago, we are getting a lot of emails from companies and we will make announcements soon.
A
So what's your role in this? Is it more like working with companies to make them understand the need to open source products?
B
Exactly, it's about working with the companies on their whole strategy to make sure they embrace open source because it's good. It's a business model as well, right? We collaborate with each other to make sure we can keep growing the cloud adoption because we are cloud native, right? So the way to keep growing the cloud adoption is making the cloud more secure and driving those efforts. And one way to drive this effort and to tell people, hey, this is important and come with us, is creating an event. So actually we are doing the Open Cloud Security Conference in April and this is going to be an online virtual conference with a lot of interesting names and also we will publish our white paper. But this is a way also to put in the same place our vision but also the vision of other very important people in the industry from Elastic, from the Linux Foundation and many others talking about why this is important.
A
Tony, anything new with Prowler besides this movement?
B
Oh yeah, a lot of new things. In version 5 we added a new UI, of course, that can be used on-prem or in the cloud. In our cloud service we are adding Kubernetes, Azure, GCP, AWS and also we are adding some new controls for Microsoft 365. We are adding the new PCI compliance version, ISO 27001:2022, the latest CIS security benchmarks. Also in Prowler, in the latest version of Prowler, new checks. We are continuously adding new checks, and Prowler Studio, which we are actually making public or releasing officially next week, is now public. The repo is public and it's Apache licensed. But we will do a demo at an event next week. What is that, RootedCON in Madrid?
A
No, no, what is the Prowler Studio?
B
Prowler Studio is a new tool that is based on AI to build detections and remediations for the cloud.
A
Ah, what you mentioned earlier, right?
B
Yeah, yeah, and the point is, you know, when you are developing stuff with AI you discover new things, even ones that you didn't plan. And with Prowler Studio we created a RAG of all our checks, all our knowledge, in order to tell the AI, okay, do this. And also while doing that, we realized that it's very good at mapping controls into compliance frameworks. So Prowler Studio also works and helps us to be more efficient in our compliance framework support.
A
I'm curious, how do you train this on the official documentation of cloud providers and their tools?
B
We have trained that AI with all our checks, our documentation and the JSON files. Every detection and remediation of Prowler is a very easy to follow path of folders in our repo with a metadata JSON file with everything, all the text. Let's say the severity, description, remediation, all the stuff, remediation steps, and then the code itself, which is Python. And if you want to add remediation, you add also another Python file. All that stuff is what we have trained the AI on. Okay, let's remember the issue that happened a month ago with DeepSeek, that they left a database open, port 9000 open. You can tell Prowler Studio to create a detection for any port, anything that is exposing port 9000 to the Internet, and it creates that for AWS or for Azure or for GCP. And in minutes you can run that, and Prowler Studio even recommends what to do to fix it with commands, processes, etc.
A
I think that's a great way to end it.
B
Okay, thank you.
Risky Bulletin: Sponsored Episode – Prowler on the Open Cloud Security Movement
Hosted by Catalin Cimpanu
In this sponsored episode of Risky Bulletin, host Catalin Cimpanu talks with Toni de la Fuente, the Founder and CEO of Prowler. Prowler is a cloud security tool designed to safeguard multi-cloud environments, including AWS, Azure, and Kubernetes. Available both as a free open-source repository on GitHub and as a commercial SaaS platform, Prowler caters to organizations with varying data access and management needs.
Toni de la Fuente elaborates on the inception of the Open Cloud Security Movement, a side project spearheaded by Prowler. According to Toni, the movement was born out of a recognized deficiency in the cloud security postures of companies transitioning to platforms like AWS, Azure, GCP, and Kubernetes.
“One of the reasons that we started the Open Cloud Security movement is because we have seen over the last years a lack of improvement actually in the cloud security posture of companies all around the world moving to AWS, Azure, GCP or using Kubernetes.”
— Toni de la Fuente [01:05]
The movement emphasizes the necessity for open collaboration among companies and organizations within the cloud security domain. Drawing parallels to the early days of the Internet, Toni highlights how open-source solutions like Linux and contributions from major providers catalyzed the Internet's expansion. Similarly, Prowler aims to foster an open-source ecosystem in cloud security to drive innovation, transparency, and community-driven enhancements.
“In order to keep growing the cloud adoption, we need also to keep growing open source about cloud security.”
— Toni de la Fuente [01:05]
Prowler’s commitment to open source is pivotal to its success and future growth. Toni affirms that the open-source model not only underpins Prowler’s offerings but also aligns with their philosophy of unrestricted technological access.
“We truly believe on the pure open source concept. Let’s say, of course, there are many different licenses, but when, if you want to allow everybody to access a technology, the best way is using open source.”
— Toni de la Fuente [03:06]
The open-source approach facilitates community contributions, enhancing the tool's capabilities and ensuring it remains at the forefront of cloud security advancements. Prowler’s model contrasts with closed-source alternatives, positioning itself as a more adaptable and transparent solution in the market.
Toni also draws parallels with other successful open-source projects, noting their foundational role in creating a more secure and robust Internet.
“There are other products doing very good job on open source and enhancing the security of the Internet. I can mention a few, but you mentioned like Elastic or Wazuh...”
— Toni de la Fuente [03:50]
Transitioning to an open-source model often raises concerns about intellectual property (IP) and the potential for competitors to exploit shared code. Toni addresses these apprehensions by emphasizing the importance of open collaboration in accelerating innovation and staying ahead of emerging threats.
“The only way to keep growing the innovation pace and to be up to date with all the new threats and existing threats of the cloud is with an open movement again.”
— Toni de la Fuente [04:15]
He acknowledges that while the cloud introduces different dynamics—such as a pay-per-use model compared to traditional software distribution—the core benefits of open source, like community-driven enhancements and transparency, remain invaluable.
“In the cloud you pay per use, you pay for the innovation to the cloud service providers, etc. So the paradigm of open source is a little bit different here.”
— Toni de la Fuente [04:15]
Toni posits that open-source companies, like Prowler, can surpass their closed-source counterparts by offering superior, community-enhanced solutions, thereby naturally encouraging the adoption of open-source models.
A significant portion of Prowler’s functionality stems from community contributions. Currently, approximately 20-30% of Prowler’s security checks are developed by external contributors, including major players like AWS.
“Around 20 to 30% of the checks are coming from external contributors including AWS and many other companies.”
— Toni de la Fuente [06:24]
This collaborative ecosystem ensures that Prowler remains comprehensive and up-to-date with the latest security threats and remediation strategies. Additionally, Prowler has introduced Prowler Studio, an AI-driven tool that accelerates the creation of new security checks and controls.
“Prowler Studio is a new tool that is based on AI to build detections and remediations for the cloud.”
— Toni de la Fuente [11:40]
Prowler Studio leverages artificial intelligence to reduce the time required to develop new security controls by over 80%, thereby enhancing efficiency and responsiveness to emerging threats.
Prowler is designed to support over 30 compliance frameworks and certifications, including PCI, ISO 27001:2022, and the latest CIS security benchmarks. However, Toni emphasizes that cloud security transcends standard compliance, necessitating continuous updates and mappings between regulatory requirements and cloud-specific controls.
“When it comes to certifications or compliance certifications we support more than 30, like the most common ones...”
— Toni de la Fuente [07:50]
Prowler’s dedicated team ensures that the platform remains aligned with evolving regulatory landscapes, thereby assisting organizations in maintaining robust and compliant cloud security postures.
In an effort to promote the Open Cloud Security Movement, Prowler is organizing the Open Cloud Security Conference scheduled for April. This online, virtual event aims to bring together industry leaders from companies like Elastic and the Linux Foundation to discuss the importance of open-source cloud security and collaborative efforts to enhance it.
“We are doing the Open Cloud Security Conference in April and this is going to be an online virtual conference...”
— Toni de la Fuente [09:36]
The conference will feature notable speakers, publish whitepapers, and serve as a platform to unify the community around common security objectives and innovative strategies.
Prowler continues to evolve, with the latest Version 5 introducing a new user interface (UI) that caters to both on-premises and cloud environments. The platform has expanded its support to include Kubernetes, Azure, GCP, AWS, and Microsoft 365, integrating new controls for enhanced security and compliance.
“In version 5 we added a new UI of course that can be used on Prem or in the cloud...”
— Toni de la Fuente [10:43]
Prowler Studio, recently made public under the Apache license, exemplifies the integration of AI in streamlining security operations. By training AI with comprehensive documentation and metadata from Prowler’s repository, Prowler Studio can swiftly generate detections and remediation strategies for specific security issues, significantly cutting down development time.
“We have trained that AI with all our checks, our documentation and the JSON files...”
— Toni de la Fuente [12:31]
This AI-driven approach not only accelerates the creation of security controls but also enhances the platform’s ability to adapt to new and unforeseen threats efficiently.
Toni de la Fuente’s discussion underscores Prowler’s commitment to open source and collaborative security in the cloud landscape. By fostering an inclusive community, leveraging AI for rapid innovation, and maintaining robust compliance support, Prowler aims to spearhead advancements in cloud security. The Open Cloud Security Movement and upcoming conference signify Prowler’s proactive role in shaping a more secure and transparent cloud environment for organizations worldwide.
“We are solving a problem in the cloud that is still the same as five years ago.”
— Toni de la Fuente [05:16]
As cloud adoption continues to surge, Prowler’s open-source foundations and community-driven enhancements position it as a pivotal player in ensuring that security keeps pace with technological advancements.
This episode of Risky Bulletin offers an overview of Prowler’s initiatives in advancing cloud security through open-source collaboration, community engagement, and innovative tooling. Toni de la Fuente’s insights provide useful perspectives for organizations striving to enhance their cloud security postures in an increasingly complex digital landscape.