Cloud Drops Episode #002: Snyk Sysdig and Observability
Cloud native news covering Snyk and Sysdig updates, observability trends, and other stories from the Kubernetes ecosystem this week.
THNKBIG Team
Engineering Insights
## News of the week
• Sysdig teams up with Snyk, Snyk teams up with Sysdig
• Sysdig
• Snyk
• $25m investment in KubeCost (Episode 124, with Webb Brown)
• Google raises payouts for Kubernetes vulnerabilities (2021 VRP roundup)
• Chaos Mesh moves to Incubation in CNCF (Kubernetes Podcast Episode 121, with Ed Huang)
## CNCF online programs
Locking down your cluster the zero-trust way with mutual TLS and traffic policy
Jason Morgan, Buoyant
Fluent Bit 1.9 - First mile observability - CNCF On Demand Webinar
Eduardo Silva, Calyptia
Your Kubernetes single-pane of glass with Kubescape
Amir Kaushansky, ARMO
## Good Reads
Auto scaling CI agents at Wix
Etamar Joseph Weinberg, Wix
Kubernetes RBAC full tutorial with examples
Anaïs Urlichs, Aqua
How to use cluster mesh for multi-region Kubernetes pod communication
Mike Bookham, Cockroach Labs
https://twitter.com/CloudNativeFdn/status/1494343985825034253?s=20&t=xOTIrxMWim02UzpOlU9hgQ
Security: The value of SBOMs
Daniel Holbach, Flux
Automate Canary analysis on Kubernetes with Argo
Hannah Troisi, Pixie
Best practices for multi-tenancy in Argo CD
Dan Garfield, Codefresh
ValidKube looks to help developers clean and secure Kubernetes YAML code
VentureBeat
## On-demand webinars
• **February 24:** Deploying VNFs with Kubernetes pods and VMs - Pooja Ghumre, Platform9 - **RSVP**
• **February 24:** Multi canary release and load test - Yun Long & Bomin Zhang, MegaEase Inc. - **RSVP**
• **February 24:** Deploy a full CNCF-based observability stack in under 5 minutes with tobs - Vineeth Pothulapati, Timescale - **RSVP**
• **February 24:** Getting Started with GitOps & Flux - Priyanka Ravi, Weaveworks - **RSVP**
## Podcasts & Posts
https://kubernetespodcast.com/episode/169-sysdig-report/
Kubernetes Bytes: Kubernetes Observability using Promscale and tobs on Apple Podcasts
https://email.linuxfoundation.org/kubeweekly-295
http://lwkd.info/2022/20220223
ThnkBIG is a global technology services, solutions, and staffing firm specializing in Kubernetes Implementation & Operationalization and DevOps Cloud Services for small and medium-sized businesses, SMB commercial, and government customers. As the number one DevOps, Kubernetes, and Cloud Management subject matter experts in Austin, Texas, our managed and consulting services are first class and enterprise ready. We scale as your business needs increase. With our cloud native expertise, we operationalize Kubernetes environments both large and small using best practices, automation, cloud-native open-source tools, and technology.
Key Takeaways
- Cloud Drops Episode 002 covers Snyk's developer-first security approach, Sysdig's runtime protection capabilities, and the emerging convergence of observability and security tooling.
- The shift-left security movement — catching vulnerabilities during development rather than in production — is the common thread connecting Snyk, Sysdig, and the broader observability market.
- For Kubernetes environments, combining Snyk (supply chain scanning), Sysdig (runtime detection), and a unified observability stack creates defense-in-depth without duplicating tooling.
Snyk: Developer-First Supply Chain Security
Snyk's approach to container security starts at the developer's workstation rather than at the registry gate. Developers run `snyk container test` during local development and in CI pipelines, getting vulnerability reports before images are pushed to production registries. This shifts the remediation cost left: fixing a vulnerable base image in development takes minutes; patching it in production requires a deployment cycle.
Snyk's Open Source and Container scanning integrations cover the full dependency chain: OS packages, language-level dependencies (npm, pip, Maven), and base image layers. The tool's automated fix pull requests reduce the manual overhead of vulnerability remediation by proposing specific version upgrades that resolve the identified CVEs.
Sysdig: Runtime Security and Forensics
Where Snyk addresses known vulnerabilities pre-deployment, Sysdig Secure addresses unknown-bad behavior at runtime. Using Falco rules (Sysdig is the primary maintainer of the open-source Falco project), Sysdig detects anomalous container behavior — file system writes to unexpected directories, outbound connections to new external IPs, privilege escalation attempts — and generates alerts with the system call context required for forensic investigation.
The observability-security convergence is evident in Sysdig Monitor, which provides Prometheus-compatible metrics alongside security events. Operations teams using a single pane of glass for performance metrics and security alerts respond to incidents faster than teams switching between separate tools.
THNKBIG's cybersecurity practice integrates Snyk and Sysdig into Kubernetes security architectures for clients across California and Texas. Talk to us about building a layered cloud-native security stack.
Cloud Drops Episode 002: Cloud-Native Security, Cost, and Reliability
Cloud Drops Episode 002 explores how modern Kubernetes and cloud-native teams are tightening security, controlling costs, and improving reliability across the full application lifecycle.
This Week's Stories
Snyk and Sysdig Partner
Two of the most widely-used cloud-native security tools announced a formal integration:
- Snyk focuses on the software supply chain and pre-deployment vulnerabilities.
- Sysdig focuses on runtime detection, incident response, and forensics.
Together, they span the full security lifecycle from code to production, aligning developer-first security with runtime protection.
Kubecost Raises $25M
Kubecost’s new $25M investment highlights the growing enterprise demand for Kubernetes cost visibility and governance.
As more organizations standardize on Kubernetes:
- Cost becomes a first-order operational concern, not an afterthought.
- Kubecost fills gaps left by cloud billing APIs by attributing spend to:
  - Namespaces
  - Deployments
  - Teams and applications
This enables engineering, finance, and platform teams to share a single, accurate view of Kubernetes spend.
Google Expands Kubernetes Vulnerability Payouts
Google’s 2021 Vulnerability Reward Program (VRP) roundup included increased bounties for Kubernetes security disclosures.
Larger payouts:
- Attract more security researchers to the Kubernetes ecosystem.
- Increase the odds that critical vulnerabilities are found and responsibly disclosed before they are exploited in the wild.
This strengthens the overall security posture of Kubernetes as a foundational cloud-native platform.
Chaos Mesh Moves to CNCF Incubation
Chaos Mesh, a chaos engineering platform for Kubernetes, has advanced to CNCF incubation.
This milestone signals that:
- Fault injection and chaos experiments are becoming standard reliability practices.
- Chaos engineering is moving from experimental to mainstream SRE and platform engineering workflows.
Teams can now treat chaos engineering as a core part of resilience testing for microservices and Kubernetes workloads.
Key Takeaways
- Episode 002 covers Snyk’s developer-first security, Sysdig’s runtime protection, and the convergence of observability and security in the cloud-native stack.
- The shift-left security movement—catching vulnerabilities during development instead of in production—is the common thread across Snyk, Sysdig, and the broader observability market.
- For Kubernetes environments, combining the following creates defense-in-depth without duplicating tooling:
  - Snyk for supply chain and image scanning,
  - Sysdig for runtime detection and forensics, and
  - A unified observability stack for metrics, logs, and traces
Snyk: Developer-First Supply Chain Security
Snyk’s container security model starts at the developer’s workstation, not just at the registry or cluster boundary.
- Developers run `snyk container test` locally and in CI pipelines.
- Vulnerabilities are surfaced before images are pushed to production registries.
This shifts remediation left:
- Fixing a vulnerable base image in development takes minutes.
- Fixing the same issue in production requires a full deployment cycle, coordination, and potential downtime.
Snyk’s integrations cover the full dependency chain:
- OS packages in container images
- Language-level dependencies (npm, pip, Maven, etc.)
- Base image layers and transitive dependencies
Automated fix pull requests reduce manual effort by proposing specific version upgrades that remediate known CVEs, helping teams keep dependencies secure without constant manual triage.
Sysdig: Runtime Security and Forensics
Where Snyk focuses on known vulnerabilities pre-deployment, Sysdig Secure focuses on unknown-bad behavior at runtime.
Powered by Falco rules (Sysdig is the primary maintainer of the open-source Falco project), Sysdig can detect:
- Unexpected filesystem writes
- Suspicious outbound connections to new or untrusted IPs
- Privilege escalation attempts and anomalous process activity
When suspicious behavior is detected, Sysdig provides:
- Alerts enriched with system call context
- The data needed for forensic investigation and incident response
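Two of the behaviors listed above, written as Falco rules. This is an added example, not taken from the original page or from Sysdig's or Falco's shipped ruleset; the allowlist contents, the monitored directories and the rule and macro names are assumptions to adapt to your environment.

```yaml
# Added example: constructed rules, not Sysdig's or Falco's shipped ruleset.
# List contents, paths and rule/macro names are assumptions; adapt before use.

- list: allowed_egress_ips            # hypothetical allowlist of known destinations
  items: ['"10.0.0.10"', '"10.0.0.11"']

- macro: in_container
  condition: (container.id != host)

- macro: open_for_write
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f')

# Behavior 1: filesystem writes to directories a workload should not modify.
- rule: Container write to unexpected directory
  desc: A containerized process opened a file for writing under a system directory
  condition: >
    open_for_write and in_container and
    (fd.name startswith /etc/ or
     fd.name startswith /usr/bin/ or
     fd.name startswith /usr/sbin/)
  output: >
    Unexpected write in container (file=%fd.name user=%user.name
    cmd=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem]

# Behavior 2: outbound connections to addresses outside a known set.
- rule: Container outbound connection to unlisted IP
  desc: A containerized process connected to an address outside the allowlist
  condition: >
    evt.type = connect and evt.dir = < and
    fd.type in (ipv4, ipv6) and in_container and
    not fd.sip in (allowed_egress_ips)
  output: >
    Outbound connection to unlisted IP (dest=%fd.sip port=%fd.sport
    cmd=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: NOTICE
  tags: [container, network]
```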
The observability–security convergence shows up in Sysdig Monitor, which offers:
- Prometheus-compatible metrics and performance monitoring
- Security events in the same interface
This gives operations and security teams a single pane of glass for performance and security, reducing context switching and improving incident response times.
Putting It Together: Defense-in-Depth for Kubernetes
In Kubernetes environments, a layered approach avoids tool sprawl while improving coverage:
- Snyk: Secure the software supply chain and container images before deployment.
- Sysdig Secure + Falco: Detect and investigate runtime threats and anomalous behavior.
- Unified observability stack: Correlate metrics, logs, traces, and security events for faster root cause analysis.
This combination delivers defense-in-depth across:
- Code & dependencies (Snyk)
- Build & CI/CD pipelines (Snyk integrations)
- Runtime & production clusters (Sysdig Secure + Falco)
- Operations & SRE workflows (observability stack + Sysdig Monitor)
Work With THNKBIG
THNKBIG’s cybersecurity practice integrates Snyk and Sysdig into Kubernetes security architectures for clients across California and Texas.
If you’re building or maturing a cloud-native security stack, we can help you:
- Design a shift-left security program around Snyk.
- Implement runtime detection and forensics with Sysdig and Falco.
- Align observability and security into a cohesive, low-friction platform for your teams.
Talk to us about building a layered, cloud-native security and observability strategy tailored to your Kubernetes environment.
THNKBIG Team
Engineering Insights
Expert infrastructure engineers at THNKBIG, specializing in Kubernetes, cloud platforms, and AI/ML operations.