Abstract: In one embodiment, a method includes generating an application programming interface (API) definition by observing traffic. The API definition is associated with an API definition name and an API specification. The method also includes mounting the API definition with an application and deploying the application by a Continuous Integration/Continuous Delivery (CI/CD) pipeline. The method further includes implementing a runtime API and mapping the runtime API to the API definition.

Abstract: In one embodiment, a method includes extracting, by a vulnerability scanning tool, a plurality of images from one or more pods running within a cluster. The method also includes determining, by the vulnerability scanning tool, a plurality of unique images from the plurality of images, scanning, by the vulnerability scanning tool, the plurality of unique images in parallel, and detecting, by the vulnerability scanning tool, one or more vulnerabilities within the plurality of unique images in response to scanning the plurality of unique images in parallel. The method further includes determining, by the vulnerability scanning tool, a vulnerability level associated with a pod of the one or more pods and assigning, by the vulnerability scanning tool, the vulnerability level to the pod.

Abstract: In one embodiment, a method includes generating, by a pod deployment tool, a security context profile, associating, by the pod deployment tool, the security context profile with a deployment rule, and associating, by the pod deployment tool, a vulnerability level with the deployment rule. The method also includes identifying, by the pod deployment tool, pod policies associated with a pod located within a cluster of a network and analyzing, by the pod deployment tool, conditions of the deployment rule using the pod policies. The conditions may be associated with the security context profile and the vulnerability level. The method further includes determining, by the pod deployment tool, whether to allow deployment of the pod within the network in response to analyzing the conditions of the deployment rule.

Abstract: In one embodiment, a method includes generating, by a pod deployment tool, a security context profile, associating, by the pod deployment tool, the security context profile with a deployment rule, and associating, by the pod deployment tool, a vulnerability level with the deployment rule. The method also includes identifying, by the pod deployment tool, pod policies associated with a pod located within a cluster of a network and analyzing, by the pod deployment tool, conditions of the deployment rule using the pod policies. The conditions may be associated with the security context profile and the vulnerability level. The method further includes determining, by the pod deployment tool, whether to allow deployment of the pod within the network in response to analyzing the conditions of the deployment rule.

Abstract: A system and method for establishing application identities including application runtime properties. A method includes signing at least one artifact of a first application communicating with a second application, wherein each of the at least one artifact includes data used for executing the first application, wherein a signing result of each artifact is a signed cryptographic hash of the artifact; monitoring events related to communications between the first application and the second application to identify a file event; generating at least one runtime hash for the file event, wherein the at least one runtime hash represents runtime properties of the first application; and generating an application identity for the first application, the application identity for the first application including the signed cryptographic hash of each of the at least one artifact and the at least one runtime hash of the file event.

Abstract: A method and system for securing instantiates. The method includes determining at least one signable file among a plurality of files of an instantiate, wherein determining the at least one signable file further comprises classifying each of the plurality of files with respect to whether the file is changed at runtime; signing each of the at least one signable file to create at least one first signature, wherein signing the plurality of files further comprises computing a cryptographic hash for each file, wherein each encrypted hash is signed using a private key; and verifying an identity of the instantiate using the at least one first signature, wherein verifying the identity of the instantiate further comprises comparing the at least one first signature to the at least one second signature, wherein each of the at least one second signature is a signature of one of the at least one signable file at runtime.

Abstract: A system and method for establishing application identities including application runtime properties. A method includes signing at least one artifact of a first application communicating with a second application, wherein each of the at least one artifact includes data used for executing the first application, wherein a signing result of each artifact is a signed cryptographic hash of the artifact; monitoring events related to communications between the first application and the second application to identify a file event; generating at least one runtime hash for the file event, wherein the at least one runtime hash represents runtime properties of the first application; and generating an application identity for the first application, the application identity for the first application including the signed cryptographic hash of each of the at least one artifact and the at least one runtime hash of the file event.

Abstract: A method and system for securing instantiates. The method includes determining at least one signable file among a plurality of files of an instantiate, wherein determining the at least one signable file further comprises classifying each of the plurality of files with respect to whether the file is changed at runtime; signing each of the at least one signable file to create at least one first signature, wherein signing the plurality of files further comprises computing a cryptographic hash for each file, wherein each encrypted hash is signed using a private key; and verifying an identity of the instantiate using the at least one first signature, wherein verifying the identity of the instantiate further comprises comparing the at least one first signature to the at least one second signature, wherein each of the at least one second signature is a signature of one of the at least one signable file at runtime.