Over the last decade or so, developers have shifted from obtaining infrastructure through IT teams and ticketing systems to provisioning it themselves from cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Infrastructure as Code (IaC) lets developers codify the instructions for building and tearing down components, which provides the automation needed to scale applications elastically and efficiently. While IaC has brought large efficiency gains to development teams, it has also introduced new security risks. Its security therefore needs to be addressed deliberately, ideally inside developer workflows, since developers are the primary users of the technology.
Insecurity at scale
IaC templates define the specifications for cloud infrastructure. A mistake made at the template level is propagated to every piece of infrastructure provisioned from that template; while IaC boosts efficiency, it amplifies mistakes in the same proportion. In light of this, it is no surprise that misconfigurations in cloud infrastructure are widespread. According to a recent Gartner report, “Through 2025, more than 99% of cloud breaches will have a root cause of customer misconfigurations or mistakes.”
Rectifying Misconfiguration Should Involve Developers
When it comes time to fix IaC misconfigurations, there are several reasons you’ll want to involve your developers.
- Cost – It is a well-established fact that the earlier in the software development life cycle a bug is fixed, the less it costs to fix. This is particularly true of IaC, because a single issue in a template can turn into many production misconfigurations.
- Effectiveness – Misconfigurations fixed directly in production, rather than in the IaC template, tend to reemerge because the flawed template that produced them will produce them again on the next deployment. Best practice is to fix the issue in both places: in production to close the exposure now, and in the template so that it stays closed.
- Skills – Fixing IaC templates requires the ability to write the IaC language or service your organization uses, which is a developer skill.
Given these considerations, it is important for your security team to work hand in hand with your developers. Developers value efficiency, so enforcing IaC policies and reducing misconfiguration MTTR is easier when it happens in familiar workflows that never ask developers to leave their environment. Developer workflow integration for infrastructure as code security lets both teams meet their goals: developers stay in their tools, get their code scanned automatically for misconfigurations, and receive the information (or even the actual code) needed to remediate discovered issues, while security teams prevent insecure IaC code from reaching production branches. It is a win-win scenario.
Securing IaC code with Cycode
Cycode IaC scanning supports many popular IaC formats, including Terraform, CloudFormation, ARM, and YAML. Our developer workflow integration secures IaC code directly in developer workflows by:
- Scanning commits and pull requests for issues and blocking vulnerable code to protect the main branch
- Alerting and sharing results using alerting & ticketing tools (PagerDuty, Jira, ServiceNow, etc.)
- Providing remediation advice and code fixes for rapid resolution
With Cycode, developer workflow integration can be achieved in seconds. It is a matter of toggling a single switch in the Cycode UI: once “enable pull request status check” is set, Cycode automatically scans commits and pull requests for insecure IaC configurations.
Cycode’s out-of-the-box IaC security policies follow best practices such as those prescribed by NIST and CIS, and each policy carries a severity rating (which is user configurable) to aid prioritization. Users may also set a severity threshold at or above which a scan returns a failed status. That failed status can then trigger further action, such as blocking a merge request, opening a ticket in a ticketing system, or kicking off an alerting or notification workflow.
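The mechanism described above (policy, severity, threshold, pass/fail status) is easy to lose in the abstract, so here is a small, self-contained illustration. It is an added example written for this article, not Cycode's scanner or its policy library: it parses a CloudFormation JSON template with the Python standard library, runs three checks of the kind found in CIS and NIST guidance (S3 public access block, S3 default encryption, SSH open to the world on a security group), tags each finding with a severity, and reduces the findings to the status a pull-request check would consume. The policy ids, the severities, and both sample templates are constructed for the example; it also shows why the template-level fix matters, since the hardened template passes regardless of how many stacks it is deployed to.

```python
# Added example for this article, not Cycode's scanner or policy set: a
# policy-driven scan of a CloudFormation JSON template that tags findings
# with a severity and turns them into the pass/fail status a pull-request
# check consumes. Policy ids, severities and both templates are constructed.
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def opens_ssh_to_world(rule):
    """True if one SecurityGroupIngress entry reaches port 22 from any address."""
    if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
        return False
    if str(rule.get("IpProtocol")) == "-1":  # "-1" means every protocol and port
        return True
    try:
        return int(rule["FromPort"]) <= 22 <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False


def check_s3_public_access_block(res):
    cfg = res.get("Properties", {}).get("PublicAccessBlockConfiguration", {})
    wanted = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    missing = [k for k in wanted if cfg.get(k) is not True]
    return ("public access block incomplete: " + ", ".join(missing)) if missing else None


def check_s3_default_encryption(res):
    enc = res.get("Properties", {}).get("BucketEncryption", {})
    return None if enc.get("ServerSideEncryptionConfiguration") else "no default server-side encryption"


def check_sg_ssh_from_anywhere(res):
    rules = res.get("Properties", {}).get("SecurityGroupIngress", [])
    return "SSH (22) reachable from 0.0.0.0/0 or ::/0" if any(map(opens_ssh_to_world, rules)) else None


# (policy id, CloudFormation resource type, severity, check); ids are illustrative.
POLICIES = [
    ("IAC-S3-001", "AWS::S3::Bucket", "HIGH", check_s3_public_access_block),
    ("IAC-S3-002", "AWS::S3::Bucket", "MEDIUM", check_s3_default_encryption),
    ("IAC-SG-001", "AWS::EC2::SecurityGroup", "CRITICAL", check_sg_ssh_from_anywhere),
]


def scan_template(template_json):
    """Run every policy that applies to each resource; return a list of findings."""
    findings = []
    for logical_id, res in json.loads(template_json).get("Resources", {}).items():
        for policy_id, rtype, severity, check in POLICIES:
            detail = check(res) if res.get("Type") == rtype else None
            if detail:
                findings.append({"policy": policy_id, "severity": severity,
                                 "resource": logical_id, "detail": detail})
    return findings


def status_check(findings, fail_on="HIGH"):
    """'failure' if any finding is at or above the fail_on severity, else 'success'."""
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return ("failure" if blocking else "success"), blocking


SG_OPEN = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
SG_INTERNAL = dict(SG_OPEN, CidrIp="10.0.0.0/8")

# Constructed sample: a bucket with nothing locked down and SSH open to the world.
INSECURE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [SG_OPEN]}},
}})

# Constructed sample: the same two resources after the fix is made in the template.
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [SG_INTERNAL]}},
}})

if __name__ == "__main__":
    for name, tpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        status, blocking = status_check(scan_template(tpl), fail_on="HIGH")
        print(f"{name}: {status}")
        for f in blocking:
            print(f"  [{f['severity']}] {f['policy']} {f['resource']}: {f['detail']}")
```

The threshold is where the tuning happens: with `fail_on="HIGH"` the insecure template fails on two findings (the HIGH bucket exposure and the CRITICAL security group) while the MEDIUM encryption finding is reported but does not block; raising the threshold to CRITICAL leaves only the security group blocking. A status check that blocks on everything gets disabled by developers within a week, so start by blocking on the severities you would page on and let the rest flow to tickets.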
Seamlessly integrating into the pull-request flow
Once enabled, Cycode automatically scans every commit for IaC misconfigurations and, if any are found, fails the status check according to the threshold configured in the previous section. Cycode can optionally block the merge of the pull request when misconfigurations are identified; the developer is notified of the failure within the pull request itself (see the image below).
Cycode points out the IaC policy that failed and the exact code that caused the failure, all within the developer integration for infrastructure as code security.
When a scan fails, developers can interact with the Cycode platform through pull request comments using tags such as “mark as false positive” and “implement code fix.”
Code fixes are implemented in the form of a pull request, which includes the guidelines and context for the impacted resources and policies as well as the actual code that’s ready to merge and deploy.
Pull requests with the suggested fix can also be opened manually from Cycode UI.
Conclusion
As you can see, IaC security does not need to be painful. Done right, it can be handled as an automated process with responsibility shared between developers and security teams. Such integrations for infrastructure as code security can play a real part in improving an organization’s security posture.
Want to learn more?
A great place to start is with a free assessment of the security of your DevOps pipeline.
Originally published: October 27, 2021