
Aqua adds free infrastructure-as-code security for Terraform

Infrastructure-as-code security scans appeal to enterprises as they shift cloud-native security left; Aqua's tfsec buy adds to its free offerings amid broad competition.

Aqua Security expanded its portfolio of open source tools with an acquisition that integrates a free infrastructure-as-code security scanner for HashiCorp's Terraform into its Trivy product.

The company and open source project of the same name, tfsec, was acquired by Aqua last month for an undisclosed sum, and its two co-founders have joined Aqua to help it develop further infrastructure-as-code security tools. Aqua announced the acquisition this week, and that it has integrated tfsec's Terraform scanning utility into its Trivy open source vulnerability scanning tool.

The expansion of Aqua's Trivy comes as enterprises transfer application security responsibilities to developers, a practice called "shift left" or "DevSecOps."

"The ratio of developers to security professionals is 50 to 1," said Amir Jerbi, CTO and co-founder at Aqua. "Developers are being asked to do much more than before to prepare applications to be deployed in the cloud."

Aqua, which began as a container security specialist, has expanded significantly over the last three years to cover cloud-native deployment patterns such as serverless computing, as well as multi-cloud infrastructure security with the acquisition of cloud security posture management (CSPM) vendor CloudSploit in 2019.

Aqua users could previously build Trivy vulnerability scans into CI/CD pipelines to scan Dockerfiles and Kubernetes YAML infrastructure-as-code files. The addition of tfsec will expand those checks to include HashiCorp Terraform infrastructure-as-code files as part of the CI/CD process. Aqua and tfsec's founders also plan to add Trivy scans for AWS CloudFormation infrastructure-as-code files later this quarter.
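To make concrete what a Terraform infrastructure-as-code scan of this kind looks for and how it gates a CI/CD step, the following is an added example and not tfsec's or Trivy's code: a deliberately simplified scanner with two checks of the sort tfsec performs (a security group open to the internet, an S3 bucket with a public ACL), run over a constructed weak Terraform file and its corrected form, returning the exit code a pipeline would act on. The rule identifiers, the brace-counting HCL extraction and both sample files are constructed for this example; in a real pipeline this step would invoke tfsec or Trivy rather than this code.

```python
# Simplified Terraform (HCL) misconfiguration checks in the style of tfsec/Trivy.
# Added example code; rule ids and sample files are constructed, not real tool output.
import re
from dataclasses import dataclass

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

@dataclass
class Finding:
    rule: str       # hypothetical rule id, not a tfsec/Trivy check name
    resource: str   # "type.name" of the offending resource
    severity: str
    message: str

def _block_body(text, brace):
    """Return (inner text, index after '}') for the block whose '{' is at text[brace].
    Brace counting suffices for the well-formed sample; it is not a full HCL parser."""
    depth = 0
    for i in range(brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace + 1:i], i + 1
    raise ValueError("unbalanced braces in HCL input")

def resources(hcl):
    """Yield (type, name, body) for every top-level resource block, in file order."""
    for m in RESOURCE_HEADER.finditer(hcl):
        body, _ = _block_body(hcl, m.end() - 1)
        yield m.group(1), m.group(2), body

def nested_blocks(body, label):
    """Yield the bodies of nested blocks such as `ingress { ... }`."""
    for m in re.finditer(r"\b" + re.escape(label) + r"\s*\{", body):
        yield _block_body(body, m.end() - 1)[0]

def check_open_ingress(rtype, name, body):
    """Security group ingress rule that admits the whole internet (IPv4 or IPv6)."""
    if rtype != "aws_security_group":
        return []
    found = []
    for ingress in nested_blocks(body, "ingress"):
        for inner in re.findall(r"(?:ipv6_)?cidr_blocks\s*=\s*\[([^\]]*)\]", ingress):
            world = set(re.findall(r'"([^"]*)"', inner)) & WORLD_CIDRS
            if world:
                found.append(Finding("AWS-SG-OPEN-INGRESS", f"{rtype}.{name}", "CRITICAL",
                                     f"ingress open to {sorted(world)}"))
    return found

def check_public_bucket_acl(rtype, name, body):
    """S3 bucket whose canned ACL grants public access."""
    if rtype != "aws_s3_bucket":
        return []
    m = re.search(r'\bacl\s*=\s*"([^"]+)"', body)
    if m and m.group(1).startswith("public-"):
        return [Finding("AWS-S3-PUBLIC-ACL", f"{rtype}.{name}", "HIGH",
                        f"bucket ACL {m.group(1)!r} grants public access")]
    return []

CHECKS = [check_open_ingress, check_public_bucket_acl]

def scan(hcl):
    """Run every check over every resource; findings come back in file order."""
    return [f for rtype, name, body in resources(hcl)
            for check in CHECKS for f in check(rtype, name, body)]

def ci_exit_code(findings, fail_on=frozenset({"HIGH", "CRITICAL"})):
    """Shift-left gating: non-zero fails the pipeline step before `terraform apply`."""
    return 1 if any(f.severity in fail_on for f in findings) else 0

# Constructed sample: the weak configuration, and its corrected form derived from it.
WEAK_TF = '''
resource "aws_security_group" "web" {
  name = "web"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
'''
FIXED_TF = WEAK_TF.replace('["0.0.0.0/0"]', '["10.0.0.0/8"]').replace('"public-read"', '"private"')

if __name__ == "__main__":
    for label, tf in (("weak", WEAK_TF), ("fixed", FIXED_TF)):
        findings = scan(tf)
        print(f"{label}: exit code {ci_exit_code(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule} {f.resource}: {f.message}")
```

The weak file yields two findings and exit code 1, so a pipeline step wrapping it would fail; the corrected file yields none and exit code 0. The severity threshold in `ci_exit_code` is the knob teams typically tune when adopting scans gradually, starting by failing only on CRITICAL and tightening over time.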

Cloud security convergence stokes competition

Aqua's acquisition comes amid massive convergence between previously specialized areas of IT security, accompanied by a spate of vendor M&A activity. Most notably, Palo Alto Networks, which acquired Aqua competitor Twistlock in 2019, rolled out open source Terraform infrastructure-as-code security scans based on its acquisition of Bridgecrew earlier this year. Elsewhere, emerging infrastructure-as-code vendor Pulumi also offers a free open source version of its CrossGuard security tool; code security scanning specialists such as Snyk and Accurics also offer open source tools for infrastructure as code.

HashiCorp itself opens an opportunity for such open source players, because it reserves its Terraform security and governance-as-code tool, Sentinel, for paying Terraform Enterprise customers.

It's crucial for independent cloud-native security vendors such as Aqua to participate in as many free and open source projects as possible to keep pace with bigger vendors, according to Fernando Montenegro, an analyst at 451 Research, a division of S&P Global.


"Differentiation for vendors like Aqua, NeuVector, Sysdig and Tigera will come from focusing as much on user experience -- fitting into the way customers want to consume tools -- and community participation, as [on] features and functionality," Montenegro said.

In addition to Trivy, Aqua's open source security projects include a Linux runtime security scanner, Tracee; a Kubernetes security toolkit called Starboard; a Kubernetes security conformance scanner named kube-bench; and kube-hunter, which finds vulnerabilities in active Kubernetes environments.

Aqua officials believe the company's visibility in open source communities will translate into sales for its commercial products. For example, users of open source Trivy can gain additional features, such as support for infrastructure-as-code security remediation projects, when they buy into the Aqua commercial platform, Jerbi said.

"A CISO that wants to respond to an issue [identified by Trivy] can automatically spin up a project [in the commercial CSPM tool], and after 60 days, tfsec will stop the execution of problem configurations in production that haven't been fixed," Jerbi said.


Aqua still faces strong competition -- Montenegro said he tracks more than 80 CSPM vendors and more than 85 cloud workload protection vendors in the cloud-native security space, and more startups are still emerging.

But tying features such as infrastructure-as-code security scans into broader tools is a crucial requirement for any vendor that seeks to compete in the enterprise amid rising cybersecurity threats, Montenegro said.

"Infrastructure-as-code support is great, and it's important to reduce the operations workload by preventing security vulnerabilities from making it to production," he said. "But scanning can't replace runtime security -- there will always be the risk of drift."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
