MACRO NEPAL
Aqua Runtime Security in Java: Complete Implementation Guide
awiskar acharya
November 26, 2025
1:46 pm

Introduction to Aqua Runtime Security

Aqua Security provides runtime security for cloud-native applications, focusing on container security, vulnerability management, and runtime protection. Aqua Runtime Security monitors application behavior, detects threats, and prevents attacks in real-time.

Key Features

  • Runtime Threat Detection: Monitors process behavior, network activity, and file system operations
  • Container Security: Provides security for Docker and Kubernetes environments
  • Vulnerability Management: Scans containers for known vulnerabilities
  • Compliance Enforcement: Ensures compliance with security policies
  • Behavioral Monitoring: Detects anomalies in application behavior
  • Forensic Data: Provides detailed audit trails for security incidents

Implementation Guide

Dependencies and Setup

Maven Configuration (pom.xml)

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>aqua-runtime-demo</artifactId>
<version>1.0.0</version>
<packaging>jar</packaging>
<properties>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<!-- Spring Boot -->
<spring.boot.version>3.1.0</spring.boot.version>
<!-- Security -->
<bouncycastle.version>1.70</bouncycastle.version>
<jwt.version>4.4.0</jwt.version>
<!-- Monitoring -->
<micrometer.version>1.11.0</micrometer.version>
<opentelemetry.version>1.28.0</opentelemetry.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring.boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!-- Spring Boot Starters -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<!-- Database -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<!-- Security Libraries -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>${jwt.version}</version>
</dependency>
<!-- Monitoring & Observability -->
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-core</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-api</artifactId>
<version>${opentelemetry.version}</version>
</dependency>
<!-- Aqua Security SDK (Hypothetical) -->
<dependency>
<groupId>com.aquasec</groupId>
<artifactId>aqua-runtime-sdk</artifactId>
<version>1.0.0</version>
</dependency>
<!-- Test Dependencies -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${spring.boot.version}</version>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Docker Build Plugin -->
<plugin>
<groupId>com.spotify</groupId>
<artifactId>dockerfile-maven-plugin</artifactId>
<version>1.4.13</version>
<executions>
<execution>
<id>default</id>
<goals>
<goal>build</goal>
</goals>
</execution>
</executions>
<configuration>
<repository>aqua-runtime-demo</repository>
<tag>${project.version}</tag>
</configuration>
</plugin>
</plugins>
</build>
</project>

Docker Configuration with Aqua Security

Dockerfile with Security Hardening

# Multi-stage build for secure Java application
FROM eclipse-temurin:11-jdk as builder
# Security: Use non-root user during build
RUN groupadd -r spring && useradd -r -g spring spring
USER spring:spring
WORKDIR /app
# Copy Maven wrapper and pom.xml
COPY --chown=spring:spring mvnw .
COPY --chown=spring:spring .mvn .mvn
COPY --chown=spring:spring pom.xml .
# Copy source code
COPY --chown=spring:spring src ./src
# Build the application
RUN ./mvnw clean package -DskipTests
# Runtime stage with security hardening
FROM aquasec/trivy:0.45.1 as scanner
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar
# Scan the application for vulnerabilities
RUN trivy filesystem --exit-code 1 --severity HIGH,CRITICAL /
# Final runtime stage
FROM eclipse-temurin:11-jre-jammy
# Security: Install security updates
RUN apt-get update && \
apt-get upgrade -y && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
# Security: Create non-root user
RUN groupadd -r spring && useradd -r -g spring spring
# Security: Create application directory with proper permissions
RUN mkdir -p /app && chown spring:spring /app
WORKDIR /app
# Security: Copy application as non-root user
COPY --from=builder --chown=spring:spring /app/target/*.jar app.jar
# Security: Create directories for Aqua runtime
RUN mkdir -p /aqua/runtime /aqua/logs /aqua/config && \
chown -R spring:spring /aqua
# Security: Set filesystem permissions
RUN chmod 755 /app && \
chmod 644 /app/app.jar && \
chmod 750 /aqua
# Switch to non-root user
USER spring:spring
# Aqua Runtime Environment Variables
ENV AQUA_ENABLED=true
ENV AQUA_RUNTIME_MONITORING=true
ENV AQUA_THREAT_DETECTION=true
ENV AQUA_LOG_LEVEL=INFO
ENV AQUA_CONFIG_PATH=/aqua/config
ENV AQUA_LOG_PATH=/aqua/logs
# Expose application port
EXPOSE 8080
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
CMD curl -f http://localhost:8080/actuator/health || exit 1
# Security: Use exec form for proper signal handling
ENTRYPOINT ["java", "-jar", "app.jar"]

Docker Compose with Aqua Security

version: '3.8'
services:
aqua-runtime-app:
build: .
container_name: aqua-runtime-demo
ports:
- "8080:8080"
environment:
- SPRING_PROFILES_ACTIVE=docker
- AQUA_ENABLED=true
- AQUA_RUNTIME_MONITORING=true
- AQUA_CONFIG_PATH=/aqua/config
- AQUA_LOG_PATH=/aqua/logs
volumes:
- aqua-config:/aqua/config
- aqua-logs:/aqua/logs
- /var/run/docker.sock:/var/run/docker.sock:ro
security_opt:
- no-new-privileges:true
read_only: true
tmpfs:
- /tmp
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
networks:
- aqua-network
# Aqua Security Enforcer (Example)
aqua-enforcer:
image: aquasec/enforcer:6.5
container_name: aqua-enforcer
environment:
- AQUA_SERVER=aqua-server:8080
- AQUA_TOKEN=${AQUA_TOKEN}
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /dev:/host/dev:ro
privileged: true
networks:
- aqua-network
# Monitoring stack
prometheus:
image: prom/prometheus:latest
ports:
- "9090:9090"
volumes:
- ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
networks:
- aqua-network
grafana:
image: grafana/grafana:latest
ports:
- "3000:3000"
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
volumes:
- ./monitoring/grafana-dashboard.yml:/etc/grafana/provisioning/dashboards/dashboard.yml
networks:
- aqua-network
volumes:
aqua-config:
aqua-logs:
networks:
aqua-network:
driver: bridge

Aqua Runtime Security Integration

Aqua Runtime Security Service

package com.example.aqua.service;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;
import java.io.File;
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.LocalDateTime;
import java.util.*;
/**
* Aqua Runtime Security Service
* Monitors application runtime behavior and security events
*/
@Service
public class AquaRuntimeSecurityService {
private static final Logger logger = LoggerFactory.getLogger(AquaRuntimeSecurityService.class);
@Value("${aqua.runtime.enabled:true}")
private boolean aquaEnabled;
@Value("${aqua.threat.detection.enabled:true}")
private boolean threatDetectionEnabled;
@Value("${aqua.monitoring.interval:30000}")
private long monitoringInterval;
private final List<SecurityEvent> securityEvents = Collections.synchronizedList(new ArrayList<>());
private final RuntimeSecurityMetrics securityMetrics = new RuntimeSecurityMetrics();
/**
* Initialize Aqua runtime security
*/
public void initialize() {
if (!aquaEnabled) {
logger.info("Aqua runtime security is disabled");
return;
}
logger.info("Initializing Aqua runtime security...");
// Perform initial security assessment
performSecurityAssessment();
// Start background monitoring
startRuntimeMonitoring();
logger.info("Aqua runtime security initialized successfully");
}
/**
* Perform comprehensive security assessment
*/
public SecurityAssessment performSecurityAssessment() {
SecurityAssessment assessment = new SecurityAssessment();
assessment.setAssessmentTime(LocalDateTime.now());
try {
// Check container environment
assessment.setContainerized(isContainerized());
// Check security controls
assessment.setSecurityControls(checkSecurityControls());
// Check file system permissions
assessment.setFileSystemSecurity(checkFileSystemSecurity());
// Check network security
assessment.setNetworkSecurity(checkNetworkSecurity());
// Check runtime security
assessment.setRuntimeSecurity(checkRuntimeSecurity());
// Calculate overall security score
assessment.calculateSecurityScore();
logSecurityEvent(SecurityEvent.createAssessmentEvent(
"Security assessment completed", 
"ASSESSMENT", 
"INFO",
assessment.getSecurityScore()
));
} catch (Exception e) {
logger.error("Error during security assessment", e);
assessment.setError(e.getMessage());
}
return assessment;
}
/**
* Monitor runtime behavior
*/
@Scheduled(fixedRateString = "${aqua.monitoring.interval:30000}")
public void monitorRuntime() {
if (!aquaEnabled) return;
try {
// Monitor process behavior
monitorProcessBehavior();
// Monitor file system activity
monitorFileSystemActivity();
// Monitor network activity
monitorNetworkActivity();
// Monitor system resources
monitorSystemResources();
// Update security metrics
updateSecurityMetrics();
} catch (Exception e) {
logger.error("Error during runtime monitoring", e);
logSecurityEvent(SecurityEvent.createErrorEvent(
"Runtime monitoring error", 
"MONITORING", 
"ERROR",
e.getMessage()
));
}
}
/**
* Monitor process behavior for anomalies
*/
private void monitorProcessBehavior() {
RuntimeMXBean runtimeMXBean = ManagementFactory.getRuntimeMXBean();
// Check JVM arguments for security issues
List<String> inputArguments = runtimeMXBean.getInputArguments();
for (String arg : inputArguments) {
if (isSuspiciousJVMArgument(arg)) {
logSecurityEvent(SecurityEvent.createThreatEvent(
"Suspicious JVM argument detected: " + arg,
"PROCESS_MONITORING",
"HIGH",
"JVM_ARGUMENT_ANOMALY"
));
securityMetrics.incrementSuspiciousArguments();
}
}
// Monitor thread count
int threadCount = ManagementFactory.getThreadMXBean().getThreadCount();
if (threadCount > 1000) { // Threshold for demo
logSecurityEvent(SecurityEvent.createWarningEvent(
"High thread count detected: " + threadCount,
"RESOURCE_MONITORING",
"MEDIUM"
));
}
}
/**
* Monitor file system activity
*/
private void monitorFileSystemActivity() {
try {
// Check critical directories
String[] criticalDirs = {"/etc", "/bin", "/sbin", "/usr/bin"};
for (String dir : criticalDirs) {
Path path = Paths.get(dir);
if (Files.exists(path)) {
checkDirectoryPermissions(path);
}
}
// Monitor application directories
Path appDir = Paths.get(System.getProperty("user.dir"));
checkDirectoryPermissions(appDir);
} catch (Exception e) {
logger.warn("Error monitoring file system activity", e);
}
}
/**
* Monitor network activity
*/
private void monitorNetworkActivity() {
try {
Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
while (interfaces.hasMoreElements()) {
NetworkInterface networkInterface = interfaces.nextElement();
// Check for suspicious network interfaces
if (isSuspiciousNetworkInterface(networkInterface)) {
logSecurityEvent(SecurityEvent.createThreatEvent(
"Suspicious network interface detected: " + networkInterface.getName(),
"NETWORK_MONITORING",
"HIGH",
"NETWORK_INTERFACE_ANOMALY"
));
securityMetrics.incrementSuspiciousInterfaces();
}
}
} catch (Exception e) {
logger.warn("Error monitoring network activity", e);
}
}
/**
* Monitor system resources
*/
private void monitorSystemResources() {
Runtime runtime = Runtime.getRuntime();
long maxMemory = runtime.maxMemory();
long totalMemory = runtime.totalMemory();
long freeMemory = runtime.freeMemory();
long usedMemory = totalMemory - freeMemory;
double memoryUsage = (double) usedMemory / maxMemory;
if (memoryUsage > 0.8) { // 80% threshold
logSecurityEvent(SecurityEvent.createWarningEvent(
"High memory usage detected: " + (memoryUsage * 100) + "%",
"RESOURCE_MONITORING",
"MEDIUM"
));
}
}
/**
* Check if running in container
*/
private boolean isContainerized() {
try {
// Check for container indicators
File dockerEnv = new File("/.dockerenv");
if (dockerEnv.exists()) {
return true;
}
// Check cgroups
File cgroup = new File("/proc/1/cgroup");
if (cgroup.exists()) {
String content = Files.readString(cgroup.toPath());
return content.contains("docker") || content.contains("kubepods");
}
} catch (Exception e) {
logger.debug("Error checking container environment", e);
}
return false;
}
/**
* Check security controls
*/
private Map<String, Boolean> checkSecurityControls() {
Map<String, Boolean> controls = new HashMap<>();
// Check various security controls
controls.put("non_root_user", !"root".equals(System.getProperty("user.name")));
controls.put("file_permissions", checkFilePermissions());
controls.put("network_restrictions", checkNetworkRestrictions());
controls.put("resource_limits", checkResourceLimits());
controls.put("security_manager", System.getSecurityManager() != null);
return controls;
}
/**
* Check file system security
*/
private FileSystemSecurity checkFileSystemSecurity() {
FileSystemSecurity fsSecurity = new FileSystemSecurity();
try {
// Check critical file permissions
String[] criticalFiles = {"/etc/passwd", "/etc/shadow", "/etc/hosts"};
for (String filePath : criticalFiles) {
File file = new File(filePath);
if (file.exists()) {
FileSecurityInfo info = checkFileSecurity(file);
fsSecurity.addFileSecurity(filePath, info);
}
}
// Check application directory
File appDir = new File(System.getProperty("user.dir"));
FileSecurityInfo appDirInfo = checkFileSecurity(appDir);
fsSecurity.setApplicationDirectorySecurity(appDirInfo);
} catch (Exception e) {
logger.error("Error checking file system security", e);
}
return fsSecurity;
}
/**
* Check network security
*/
private NetworkSecurity checkNetworkSecurity() {
NetworkSecurity networkSecurity = new NetworkSecurity();
try {
// Check listening ports
networkSecurity.setOpenPorts(checkOpenPorts());
// Check network interfaces
networkSecurity.setNetworkInterfaces(checkNetworkInterfaces());
// Check DNS configuration
networkSecurity.setDnsSecurity(checkDnsSecurity());
} catch (Exception e) {
logger.error("Error checking network security", e);
}
return networkSecurity;
}
/**
* Check runtime security
*/
private RuntimeSecurity checkRuntimeSecurity() {
RuntimeSecurity runtimeSecurity = new RuntimeSecurity();
try {
// Check JVM security properties
runtimeSecurity.setJvmSecurity(checkJvmSecurity());
// Check system properties
runtimeSecurity.setSystemProperties(checkSystemProperties());
// Check environment variables
runtimeSecurity.setEnvironmentVariables(checkEnvironmentVariables());
} catch (Exception e) {
logger.error("Error checking runtime security", e);
}
return runtimeSecurity;
}
/**
* Log security event
*/
public void logSecurityEvent(SecurityEvent event) {
securityEvents.add(event);
securityMetrics.recordEvent(event);
// Log based on severity
switch (event.getSeverity()) {
case "HIGH":
logger.warn("HIGH severity security event: {}", event.getMessage());
break;
case "MEDIUM":
logger.info("MEDIUM severity security event: {}", event.getMessage());
break;
case "LOW":
logger.debug("LOW severity security event: {}", event.getMessage());
break;
default:
logger.info("Security event: {}", event.getMessage());
}
// In production, this would send to Aqua security platform
if (threatDetectionEnabled && "HIGH".equals(event.getSeverity())) {
handleHighSeverityEvent(event);
}
}
/**
* Handle high severity security events
*/
private void handleHighSeverityEvent(SecurityEvent event) {
// Implement threat response logic
logger.error("HIGH severity threat detected: {}", event.getMessage());
// Could trigger automated responses like:
// - Block suspicious IPs
// - Restrict file system access
// - Alert security team
// - Scale down affected containers
}
/**
* Start runtime monitoring
*/
private void startRuntimeMonitoring() {
logger.info("Starting Aqua runtime monitoring...");
// Implementation would start various monitoring threads
}
/**
* Update security metrics
*/
private void updateSecurityMetrics() {
// Update various security metrics
securityMetrics.setActiveEvents(securityEvents.size());
securityMetrics.setLastUpdate(LocalDateTime.now());
}
// Helper methods for security checks
private boolean isSuspiciousJVMArgument(String arg) {
return arg.contains("-Xdebug") || 
arg.contains("-Xrunjdwp") ||
arg.contains("-javaagent") && !arg.contains("aqua");
}
private boolean isSuspiciousNetworkInterface(NetworkInterface networkInterface) {
return networkInterface.isVirtual() && 
!networkInterface.isLoopback() &&
networkInterface.isUp();
}
private boolean checkFilePermissions() {
// Implementation for file permission checks
return true;
}
private boolean checkNetworkRestrictions() {
// Implementation for network restriction checks
return true;
}
private boolean checkResourceLimits() {
// Implementation for resource limit checks
return true;
}
private FileSecurityInfo checkFileSecurity(File file) {
FileSecurityInfo info = new FileSecurityInfo();
info.setPath(file.getAbsolutePath());
info.setExists(file.exists());
info.setReadable(file.canRead());
info.setWritable(file.canWrite());
info.setExecutable(file.canExecute());
info.setOwner(System.getProperty("user.name"));
return info;
}
private List<Integer> checkOpenPorts() {
// Implementation for checking open ports
return new ArrayList<>();
}
private List<String> checkNetworkInterfaces() {
// Implementation for checking network interfaces
return new ArrayList<>();
}
private DnsSecurity checkDnsSecurity() {
// Implementation for DNS security checks
return new DnsSecurity();
}
private JvmSecurity checkJvmSecurity() {
// Implementation for JVM security checks
return new JvmSecurity();
}
private Map<String, String> checkSystemProperties() {
// Implementation for system property checks
return new HashMap<>();
}
private Map<String, String> checkEnvironmentVariables() {
// Implementation for environment variable checks
return new HashMap<>();
}
private void checkDirectoryPermissions(Path path) {
try {
if (!Files.isReadable(path)) {
logSecurityEvent(SecurityEvent.createWarningEvent(
"Directory not readable: " + path,
"FILE_SYSTEM_MONITORING",
"LOW"
));
}
} catch (Exception e) {
logger.debug("Error checking directory permissions: {}", path, e);
}
}
// Getters
public List<SecurityEvent> getSecurityEvents() {
return new ArrayList<>(securityEvents);
}
public RuntimeSecurityMetrics getSecurityMetrics() {
return securityMetrics;
}
public boolean isAquaEnabled() {
return aquaEnabled;
}
}

Security Data Models

package com.example.aqua.model;
import java.time.LocalDateTime;
import java.util.*;
/**
* Security assessment result
*/
public class SecurityAssessment {
private LocalDateTime assessmentTime;
private boolean containerized;
private Map<String, Boolean> securityControls;
private FileSystemSecurity fileSystemSecurity;
private NetworkSecurity networkSecurity;
private RuntimeSecurity runtimeSecurity;
private double securityScore;
private String error;
public SecurityAssessment() {
this.securityControls = new HashMap<>();
this.assessmentTime = LocalDateTime.now();
}
public void calculateSecurityScore() {
int totalChecks = 0;
int passedChecks = 0;
// Calculate score based on security controls
for (Boolean control : securityControls.values()) {
totalChecks++;
if (Boolean.TRUE.equals(control)) {
passedChecks++;
}
}
this.securityScore = totalChecks > 0 ? (double) passedChecks / totalChecks * 100 : 100;
}
// Getters and setters
public LocalDateTime getAssessmentTime() { return assessmentTime; }
public void setAssessmentTime(LocalDateTime assessmentTime) { this.assessmentTime = assessmentTime; }
public boolean isContainerized() { return containerized; }
public void setContainerized(boolean containerized) { this.containerized = containerized; }
public Map<String, Boolean> getSecurityControls() { return securityControls; }
public void setSecurityControls(Map<String, Boolean> securityControls) { this.securityControls = securityControls; }
public FileSystemSecurity getFileSystemSecurity() { return fileSystemSecurity; }
public void setFileSystemSecurity(FileSystemSecurity fileSystemSecurity) { this.fileSystemSecurity = fileSystemSecurity; }
public NetworkSecurity getNetworkSecurity() { return networkSecurity; }
public void setNetworkSecurity(NetworkSecurity networkSecurity) { this.networkSecurity = networkSecurity; }
public RuntimeSecurity getRuntimeSecurity() { return runtimeSecurity; }
public void setRuntimeSecurity(RuntimeSecurity runtimeSecurity) { this.runtimeSecurity = runtimeSecurity; }
public double getSecurityScore() { return securityScore; }
public void setSecurityScore(double securityScore) { this.securityScore = securityScore; }
public String getError() { return error; }
public void setError(String error) { this.error = error; }
}
/**
* File system security information
*/
class FileSystemSecurity {
private Map<String, FileSecurityInfo> fileSecurity = new HashMap<>();
private FileSecurityInfo applicationDirectorySecurity;
// Getters and setters
public Map<String, FileSecurityInfo> getFileSecurity() { return fileSecurity; }
public void setFileSecurity(Map<String, FileSecurityInfo> fileSecurity) { this.fileSecurity = fileSecurity; }
public FileSecurityInfo getApplicationDirectorySecurity() { return applicationDirectorySecurity; }
public void setApplicationDirectorySecurity(FileSecurityInfo applicationDirectorySecurity) { 
this.applicationDirectorySecurity = applicationDirectorySecurity; 
}
public void addFileSecurity(String path, FileSecurityInfo info) {
fileSecurity.put(path, info);
}
}
/**
* File security information
*/
class FileSecurityInfo {
private String path;
private boolean exists;
private boolean readable;
private boolean writable;
private boolean executable;
private String owner;
// Getters and setters
public String getPath() { return path; }
public void setPath(String path) { this.path = path; }
public boolean isExists() { return exists; }
public void setExists(boolean exists) { this.exists = exists; }
public boolean isReadable() { return readable; }
public void setReadable(boolean readable) { this.readable = readable; }
public boolean isWritable() { return writable; }
public void setWritable(boolean writable) { this.writable = writable; }
public boolean isExecutable() { return executable; }
public void setExecutable(boolean executable) { this.executable = executable; }
public String getOwner() { return owner; }
public void setOwner(String owner) { this.owner = owner; }
}
/**
* Network security information
*/
class NetworkSecurity {
private List<Integer> openPorts = new ArrayList<>();
private List<String> networkInterfaces = new ArrayList<>();
private DnsSecurity dnsSecurity;
// Getters and setters
public List<Integer> getOpenPorts() { return openPorts; }
public void setOpenPorts(List<Integer> openPorts) { this.openPorts = openPorts; }
public List<String> getNetworkInterfaces() { return networkInterfaces; }
public void setNetworkInterfaces(List<String> networkInterfaces) { this.networkInterfaces = networkInterfaces; }
public DnsSecurity getDnsSecurity() { return dnsSecurity; }
public void setDnsSecurity(DnsSecurity dnsSecurity) { this.dnsSecurity = dnsSecurity; }
}
/**
* DNS security information
*/
class DnsSecurity {
private boolean secureDnsEnabled;
private List<String> dnsServers = new ArrayList<>();
// Getters and setters
public boolean isSecureDnsEnabled() { return secureDnsEnabled; }
public void setSecureDnsEnabled(boolean secureDnsEnabled) { this.secureDnsEnabled = secureDnsEnabled; }
public List<String> getDnsServers() { return dnsServers; }
public void setDnsServers(List<String> dnsServers) { this.dnsServers = dnsServers; }
}
/**
* Runtime security information
*/
class RuntimeSecurity {
private JvmSecurity jvmSecurity;
private Map<String, String> systemProperties = new HashMap<>();
private Map<String, String> environmentVariables = new HashMap<>();
// Getters and setters
public JvmSecurity getJvmSecurity() { return jvmSecurity; }
public void setJvmSecurity(JvmSecurity jvmSecurity) { this.jvmSecurity = jvmSecurity; }
public Map<String, String> getSystemProperties() { return systemProperties; }
public void setSystemProperties(Map<String, String> systemProperties) { this.systemProperties = systemProperties; }
public Map<String, String> getEnvironmentVariables() { return environmentVariables; }
public void setEnvironmentVariables(Map<String, String> environmentVariables) { this.environmentVariables = environmentVariables; }
}
/**
* JVM security information
*/
class JvmSecurity {
private boolean securityManagerEnabled;
private List<String> securityPolicies = new ArrayList<>();
private Map<String, String> securityProperties = new HashMap<>();
// Getters and setters
public boolean isSecurityManagerEnabled() { return securityManagerEnabled; }
public void setSecurityManagerEnabled(boolean securityManagerEnabled) { this.securityManagerEnabled = securityManagerEnabled; }
public List<String> getSecurityPolicies() { return securityPolicies; }
public void setSecurityPolicies(List<String> securityPolicies) { this.securityPolicies = securityPolicies; }
public Map<String, String> getSecurityProperties() { return securityProperties; }
public void setSecurityProperties(Map<String, String> securityProperties) { this.securityProperties = securityProperties; }
}
/**
* Security event model
*/
class SecurityEvent {
private String id;
private LocalDateTime timestamp;
private String message;
private String category;
private String severity; // HIGH, MEDIUM, LOW, INFO
private String source;
private Map<String, Object> details = new HashMap<>();
public SecurityEvent() {
this.id = UUID.randomUUID().toString();
this.timestamp = LocalDateTime.now();
}
// Factory methods for different event types
public static SecurityEvent createThreatEvent(String message, String category, String severity, String threatType) {
SecurityEvent event = new SecurityEvent();
event.setMessage(message);
event.setCategory(category);
event.setSeverity(severity);
event.getDetails().put("threatType", threatType);
return event;
}
public static SecurityEvent createWarningEvent(String message, String category, String severity) {
SecurityEvent event = new SecurityEvent();
event.setMessage(message);
event.setCategory(category);
event.setSeverity(severity);
return event;
}
public static SecurityEvent createAssessmentEvent(String message, String category, String severity, double score) {
SecurityEvent event = new SecurityEvent();
event.setMessage(message);
event.setCategory(category);
event.setSeverity(severity);
event.getDetails().put("securityScore", score);
return event;
}
public static SecurityEvent createErrorEvent(String message, String category, String severity, String error) {
SecurityEvent event = new SecurityEvent();
event.setMessage(message);
event.setCategory(category);
event.setSeverity(severity);
event.getDetails().put("error", error);
return event;
}
// Getters and setters
public String getId() { return id; }
public void setId(String id) { this.id = id; }
public LocalDateTime getTimestamp() { return timestamp; }
public void setTimestamp(LocalDateTime timestamp) { this.timestamp = timestamp; }
public String getMessage() { return message; }
public void setMessage(String message) { this.message = message; }
public String getCategory() { return category; }
public void setCategory(String category) { this.category = category; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public String getSource() { return source; }
public void setSource(String source) { this.source = source; }
public Map<String, Object> getDetails() { return details; }
public void setDetails(Map<String, Object> details) { this.details = details; }
}
/**
* Runtime security metrics
*/
class RuntimeSecurityMetrics {
private int totalEvents;
private int highSeverityEvents;
private int mediumSeverityEvents;
private int lowSeverityEvents;
private int suspiciousArguments;
private int suspiciousInterfaces;
private int activeEvents;
private LocalDateTime lastUpdate;
public RuntimeSecurityMetrics() {
this.lastUpdate = LocalDateTime.now();
}
public void recordEvent(SecurityEvent event) {
totalEvents++;
switch (event.getSeverity()) {
case "HIGH":
highSeverityEvents++;
break;
case "MEDIUM":
mediumSeverityEvents++;
break;
case "LOW":
lowSeverityEvents++;
break;
}
lastUpdate = LocalDateTime.now();
}
public void incrementSuspiciousArguments() {
suspiciousArguments++;
}
public void incrementSuspiciousInterfaces() {
suspiciousInterfaces++;
}
// Getters and setters
public int getTotalEvents() { return totalEvents; }
public void setTotalEvents(int totalEvents) { this.totalEvents = totalEvents; }
public int getHighSeverityEvents() { return highSeverityEvents; }
public void setHighSeverityEvents(int highSeverityEvents) { this.highSeverityEvents = highSeverityEvents; }
public int getMediumSeverityEvents() { return mediumSeverityEvents; }
public void setMediumSeverityEvents(int mediumSeverityEvents) { this.mediumSeverityEvents = mediumSeverityEvents; }
public int getLowSeverityEvents() { return lowSeverityEvents; }
public void setLowSeverityEvents(int lowSeverityEvents) { this.lowSeverityEvents = lowSeverityEvents; }
public int getSuspiciousArguments() { return suspiciousArguments; }
public void setSuspiciousArguments(int suspiciousArguments) { this.suspiciousArguments = suspiciousArguments; }
public int getSuspiciousInterfaces() { return suspiciousInterfaces; }
public void setSuspiciousInterfaces(int suspiciousInterfaces) { this.suspiciousInterfaces = suspiciousInterfaces; }
public int getActiveEvents() { return activeEvents; }
public void setActiveEvents(int activeEvents) { this.activeEvents = activeEvents; }
public LocalDateTime getLastUpdate() { return lastUpdate; }
public void setLastUpdate(LocalDateTime lastUpdate) { this.lastUpdate = lastUpdate; }
}

Security Configuration

package com.example.aqua.config;
import com.example.aqua.service.AquaRuntimeSecurityService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
/**
* Aqua Security Configuration
*/
@Configuration
@EnableScheduling
public class AquaSecurityConfig {
private static final Logger logger = LoggerFactory.getLogger(AquaSecurityConfig.class);
@Autowired
private AquaRuntimeSecurityService aquaSecurityService;
/**
* Initialize Aqua security on application startup
*/
@Bean
public CommandLineRunner initializeAquaSecurity() {
return args -> {
logger.info("Initializing Aqua runtime security configuration...");
aquaSecurityService.initialize();
};
}
/**
* Security-related beans configuration
*/
@Bean
public SecurityProperties securityProperties() {
return new SecurityProperties();
}
/**
* Security properties configuration
*/
public static class SecurityProperties {
private boolean aquaEnabled = true;
private boolean threatDetection = true;
private long monitoringInterval = 30000;
private String aquaConfigPath = "/aqua/config";
private String aquaLogPath = "/aqua/logs";
// Getters and setters
public boolean isAquaEnabled() { return aquaEnabled; }
public void setAquaEnabled(boolean aquaEnabled) { this.aquaEnabled = aquaEnabled; }
public boolean isThreatDetection() { return threatDetection; }
public void setThreatDetection(boolean threatDetection) { this.threatDetection = threatDetection; }
public long getMonitoringInterval() { return monitoringInterval; }
public void setMonitoringInterval(long monitoringInterval) { this.monitoringInterval = monitoringInterval; }
public String getAquaConfigPath() { return aquaConfigPath; }
public void setAquaConfigPath(String aquaConfigPath) { this.aquaConfigPath = aquaConfigPath; }
public String getAquaLogPath() { return aquaLogPath; }
public void setAquaLogPath(String aquaLogPath) { this.aquaLogPath = aquaLogPath; }
}
}

Security Dashboard Controller

package com.example.aqua.controller;
import com.example.aqua.model.SecurityAssessment;
import com.example.aqua.model.SecurityEvent;
import com.example.aqua.service.AquaRuntimeSecurityService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* Security Dashboard REST Controller
*/
@RestController
@RequestMapping("/api/security")
@PreAuthorize("hasRole('ADMIN')")
public class SecurityDashboardController {
@Autowired
private AquaRuntimeSecurityService aquaSecurityService;
/**
* Get current security assessment
*/
@GetMapping("/assessment")
public ResponseEntity<SecurityAssessment> getSecurityAssessment() {
SecurityAssessment assessment = aquaSecurityService.performSecurityAssessment();
return ResponseEntity.ok(assessment);
}
/**
* Get security events
*/
@GetMapping("/events")
public ResponseEntity<List<SecurityEvent>> getSecurityEvents() {
List<SecurityEvent> events = aquaSecurityService.getSecurityEvents();
return ResponseEntity.ok(events);
}
/**
* Get security metrics
*/
@GetMapping("/metrics")
public ResponseEntity<Map<String, Object>> getSecurityMetrics() {
Map<String, Object> metrics = new HashMap<>();
metrics.put("totalEvents", aquaSecurityService.getSecurityMetrics().getTotalEvents());
metrics.put("highSeverityEvents", aquaSecurityService.getSecurityMetrics().getHighSeverityEvents());
metrics.put("mediumSeverityEvents", aquaSecurityService.getSecurityMetrics().getMediumSeverityEvents());
metrics.put("activeEvents", aquaSecurityService.getSecurityMetrics().getActiveEvents());
metrics.put("lastUpdate", aquaSecurityService.getSecurityMetrics().getLastUpdate());
return ResponseEntity.ok(metrics);
}
/**
* Trigger manual security scan
*/
@PostMapping("/scan")
public ResponseEntity<Map<String, String>> triggerSecurityScan() {
SecurityAssessment assessment = aquaSecurityService.performSecurityAssessment();
Map<String, String> response = new HashMap<>();
response.put("status", "COMPLETED");
response.put("securityScore", String.valueOf(assessment.getSecurityScore()));
response.put("message", "Security assessment completed successfully");
return ResponseEntity.ok(response);
}
/**
* Get security status
*/
@GetMapping("/status")
public ResponseEntity<Map<String, Object>> getSecurityStatus() {
Map<String, Object> status = new HashMap<>();
status.put("aquaEnabled", aquaSecurityService.isAquaEnabled());
status.put("runtimeMonitoring", true);
status.put("threatDetection", true);
status.put("containerized", false); // This would be dynamic
return ResponseEntity.ok(status);
}
}

Monitoring and Observability

Security Metrics with Micrometer

package com.example.aqua.monitoring;
import com.example.aqua.service.AquaRuntimeSecurityService;
import io.micrometer.core.instrument.Gauge;
import io.micrometer.core.instrument.MeterRegistry;
import io.micrometer.core.instrument.Counter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import java.util.concurrent.atomic.AtomicInteger;
/**
* Security metrics exporter for Prometheus monitoring
*/
@Component
public class SecurityMetricsExporter {
private final MeterRegistry meterRegistry;
private final AquaRuntimeSecurityService securityService;
private final AtomicInteger securityScore = new AtomicInteger(100);
private final Counter securityEventsCounter;
private final Counter highSeverityEventsCounter;
@Autowired
public SecurityMetricsExporter(MeterRegistry meterRegistry, 
AquaRuntimeSecurityService securityService) {
this.meterRegistry = meterRegistry;
this.securityService = securityService;
// Initialize counters
this.securityEventsCounter = Counter.builder("aqua.security.events.total")
.description("Total number of security events")
.register(meterRegistry);
this.highSeverityEventsCounter = Counter.builder("aqua.security.events.high_severity")
.description("Number of high severity security events")
.register(meterRegistry);
// Initialize gauges
Gauge.builder("aqua.security.score")
.description("Current security assessment score")
.register(meterRegistry, securityScore);
Gauge.builder("aqua.security.active_events")
.description("Number of active security events")
.register(meterRegistry, securityService.getSecurityMetrics(), 
metrics -> metrics.getActiveEvents());
}
/**
* Update security metrics periodically
*/
@Scheduled(fixedRate = 30000) // Every 30 seconds
public void updateSecurityMetrics() {
// Update security score
securityScore.set((int) securityService.performSecurityAssessment().getSecurityScore());
// Update event counters based on current state
// This would be more sophisticated in production
}
/**
* Record security event in metrics
*/
public void recordSecurityEvent(String severity) {
securityEventsCounter.increment();
if ("HIGH".equals(severity)) {
highSeverityEventsCounter.increment();
}
}
}

Application Configuration

# application.yml
spring:
application:
name: aqua-runtime-demo
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://auth.aquasec.com
# Aqua Security Configuration
aqua:
runtime:
enabled: true
threat-detection:
enabled: true
monitoring:
interval: 30000
config:
path: /aqua/config
logs:
path: /aqua/logs
# Actuator Endpoints
management:
endpoints:
web:
exposure:
include: health,info,metrics,prometheus,aqua
endpoint:
health:
show-details: always
aqua:
enabled: true
# Logging Configuration
logging:
level:
com.example.aqua: DEBUG
file:
name: /aqua/logs/application.log
pattern:
file: "%d{yyyy-MM-dd HH:mm:ss} - %logger{36} - %msg%n"
# Server Configuration
server:
port: 8080
servlet:
context-path: /
compression:
enabled: true

CI/CD Integration

GitHub Actions Workflow

name: Aqua Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *'  # Daily at 2 AM
jobs:
security-scan:
name: Aqua Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Java
uses: actions/setup-java@v3
with:
java-version: '11'
distribution: 'temurin'
cache: 'maven'
- name: Build application
run: mvn clean package -DskipTests
- name: Build Docker image
run: docker build -t aqua-runtime-demo:latest .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'aqua-runtime-demo:latest'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Run Aqua security scan
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/scanner:latest \
scan --local aqua-runtime-demo:latest
- name: Security Scan Summary
run: |
echo "## Aqua Security Scan Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Security Assessment" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Container image built successfully" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Trivy vulnerability scan completed" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Aqua security scan completed" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Next Steps" >> $GITHUB_STEP_SUMMARY
echo "- Review security reports" >> $GITHUB_STEP_SUMMARY
echo "- Address any critical vulnerabilities" >> $GITHUB_STEP_SUMMARY
echo "- Deploy with Aqua runtime protection" >> $GITHUB_STEP_SUMMARY
deploy:
name: Deploy with Aqua Protection
runs-on: ubuntu-latest
needs: security-scan
if: github.ref == 'refs/heads/main'
steps:
- name: Deploy to Kubernetes
run: |
kubectl apply -f kubernetes/deployment.yaml
kubectl apply -f kubernetes/aqua-security.yaml
- name: Verify deployment
run: |
kubectl rollout status deployment/aqua-runtime-demo

Kubernetes Deployment with Aqua

# kubernetes/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: aqua-runtime-demo
labels:
app: aqua-runtime-demo
spec:
replicas: 3
selector:
matchLabels:
app: aqua-runtime-demo
template:
metadata:
labels:
app: aqua-runtime-demo
annotations:
aquasecurity.com/scanner: "true"
aquasecurity.com/enforcer: "true"
spec:
containers:
- name: aqua-runtime-demo
image: aqua-runtime-demo:latest
ports:
- containerPort: 8080
env:
- name: AQUA_ENABLED
value: "true"
- name: SPRING_PROFILES_ACTIVE
value: "kubernetes"
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
livenessProbe:
httpGet:
path: /actuator/health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /actuator/health
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: aqua-runtime-demo
spec:
selector:
app: aqua-runtime-demo
ports:
- port: 80
targetPort: 8080
type: ClusterIP

Security Testing

package com.example.aqua.security;
import com.example.aqua.service.AquaRuntimeSecurityService;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.TestPropertySource;
import static org.junit.jupiter.api.Assertions.*;
/**
* Aqua Runtime Security Tests
*/
@SpringBootTest
@TestPropertySource(properties = {
"aqua.runtime.enabled=true",
"aqua.threat.detection.enabled=true"
})
public class AquaSecurityTests {
@Autowired
private AquaRuntimeSecurityService aquaSecurityService;
@Test
public void testSecurityAssessment() {
var assessment = aquaSecurityService.performSecurityAssessment();
assertNotNull(assessment);
assertTrue(assessment.getSecurityScore() >= 0);
assertTrue(assessment.getSecurityScore() <= 100);
assertNotNull(assessment.getSecurityControls());
}
@Test
public void testSecurityEvents() {
var events = aquaSecurityService.getSecurityEvents();
assertNotNull(events);
}
@Test
public void testSecurityMetrics() {
var metrics = aquaSecurityService.getSecurityMetrics();
assertNotNull(metrics);
assertTrue(metrics.getTotalEvents() >= 0);
}
@Test
public void testAquaEnabled() {
assertTrue(aquaSecurityService.isAquaEnabled());
}
}

Best Practices

1. Runtime Security Monitoring

/**
* Advanced runtime security monitoring
*/
@Component
public class AdvancedRuntimeMonitor {
/**
* Monitor for suspicious system calls
*/
@Scheduled(fixedRate = 60000)
public void monitorSystemCalls() {
// Monitor for suspicious process behavior
// Check for unauthorized file access
// Monitor network connections
// Check for privilege escalation attempts
}
/**
* Behavioral analysis for anomaly detection
*/
public void analyzeBehavior() {
// Implement machine learning for anomaly detection
// Baseline normal behavior
// Detect deviations from baseline
// Trigger alerts for suspicious activities
}
}

2. Incident Response

/**
* Security incident response handler
*/
@Component
public class SecurityIncidentResponse {
/**
* Handle security incidents
*/
public void handleIncident(SecurityEvent event) {
switch (event.getSeverity()) {
case "HIGH":
handleHighSeverityIncident(event);
break;
case "MEDIUM":
handleMediumSeverityIncident(event);
break;
case "LOW":
handleLowSeverityIncident(event);
break;
}
}
private void handleHighSeverityIncident(SecurityEvent event) {
// Immediate response actions
// Isolate affected container
// Alert security team
// Collect forensic data
// Trigger automated remediation
}
}

Conclusion

This comprehensive Aqua Runtime Security implementation provides:

  • Runtime threat detection and monitoring
  • Container security hardening
  • Behavioral analysis for anomaly detection
  • Comprehensive security assessment
  • CI/CD integration with security scanning
  • Kubernetes deployment with security best practices
  • Real-time monitoring and metrics

Key benefits include proactive threat detection, automated security enforcement, comprehensive visibility into runtime behavior, and seamless integration with cloud-native ecosystems.

Remember to:

  • Enable Aqua runtime protection in production
  • Regularly update security policies
  • Monitor security metrics and alerts
  • Conduct regular security assessments
  • Integrate with your existing security infrastructure
  • Follow cloud-native security best practices
Category : JAVA

Leave a Reply

Your email address will not be published. Required fields are marked *


Macro Nepal Helper