With the move to cloud-native application development, developers are increasingly using infrastructure as code to provision their own infrastructure and applications. While IaC brings unprecedented ease and speed to provisioning, it has security implications that must be addressed to reduce risk.
IaC background and development
Before the advent of the cloud, infrastructure provisioning required sysadmins to manually set up computing infrastructure: provision servers and configure network and security settings, subnets and gateways. As cloud use kicked off, IaC tools such as Ansible (now a part of Red Hat), Puppet, Chef and Salt focused on making it easier to manage and deploy infrastructure for cloud environments. These tools managed resources for applications, including servers, databases, networks, logs, application deployment details and configurations. These IaC tools were built for infrastructure engineers, however, not app dev teams.
Newer tools available today -- such as Terraform from HashiCorp, CloudFormation from AWS, Kubernetes manifests and Helm charts -- empower app dev teams to create and use IaC declarative configuration files to manage cloud services via APIs. Developers can write the code themselves or use preexisting templates, scripts and policies from communities and libraries.
Developers can use IaC in their development processes as they write, test and execute their software code, making these new tools better for continuous integration and continuous deployment processes and DevOps principles. IaC provides a command-line interface workflow to manage developers' cloud resources. If developers want to make changes or tear down infrastructure, they can code, test and deploy the changes themselves.
The security issue, however, wasn't addressed -- yet.
IaC security challenges
Developers have strong expertise in building applications, but their experience with provisioning, testing and securing IaC varies. While it's easy to pull code from pre-made templates, the result can be a patchwork of copied-and-pasted code. Unless developers are experts in a given IaC codebase, it can be difficult to find problems, and even small mistakes can leave valuable data exposed. And, as IaC use grows across teams, the chance of mistakes gets higher.
Open source IaC testing tools are available, but most developers don't want to have to identify and learn how to use them, nor do they want to have to become IaC or security experts.
Security teams should work with developers to ensure the safe scaling of IaC use. Setting security standards and automating testing can help developers find and fix misconfigurations before they are deployed. This also helps reduce workloads by decreasing the number of misconfigurations making their way into production environments.
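As an added illustration of the automated pre-deployment testing described above (this is example code written for this article, not a product or tool mentioned here), the following script evaluates two simple policy checks against a Terraform plan in its JSON form. The plan embedded in the script is a constructed, heavily simplified stand-in for the output of `terraform show -json`; the resource attribute names (`acl`, `ingress`, `cidr_blocks`, `from_port`, `to_port`, `protocol`) follow the AWS provider, and the policy thresholds (public bucket ACLs, administrative ports open to the world) are assumptions chosen for the example. The idea is that a check like this runs in the pipeline before `terraform apply`, so a misconfiguration never reaches production.

```python
"""Pre-deploy misconfiguration checks over a Terraform plan (JSON form).

Example code for this article. SAMPLE_PLAN is constructed by hand and mimics
only the parts of `terraform show -json tfplan` output that the checks read;
a real plan carries many more fields.
"""
import json

# Constructed plan: one public bucket, one private bucket, one security group
# exposing SSH to the world, one security group limited to an internal range.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.public_logs", "type": "aws_s3_bucket",
         "values": {"bucket": "public-logs", "acl": "public-read"}},
        {"address": "aws_s3_bucket.private_logs", "type": "aws_s3_bucket",
         "values": {"bucket": "private-logs", "acl": "private"}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"name": "ssh", "ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"name": "web", "ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
    ]}},
})

# Policy thresholds (assumptions for this example, not a published standard).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ADMIN_PORTS = {22, 3389}          # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def check_s3_bucket(res):
    """Flag buckets whose canned ACL grants access to anyone."""
    acl = res.get("values", {}).get("acl") or "private"
    if acl in PUBLIC_ACLS:
        return [f"{res['address']}: bucket ACL '{acl}' allows public access"]
    return []


def check_security_group(res):
    """Flag ingress rules that open an administrative port to the whole internet."""
    findings = []
    for rule in res.get("values", {}).get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not WORLD_CIDRS.intersection(cidrs):
            continue
        # protocol "-1" means all protocols and all ports in the AWS provider
        if rule.get("protocol") == "-1":
            exposed = set(ADMIN_PORTS)
        else:
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
        if exposed:
            ports = ", ".join(str(p) for p in sorted(exposed))
            findings.append(f"{res['address']}: port(s) {ports} open to the world")
    return findings


# Resource type -> check function; extend the table to add policies.
CHECKS = {
    "aws_s3_bucket": check_s3_bucket,
    "aws_security_group": check_security_group,
}


def scan_plan(plan_json):
    """Return a list of human-readable findings for the given plan JSON text."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    findings = []
    for res in resources:
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for line in results:
        print("FAIL", line)
    # Non-zero exit makes a CI stage block the deployment.
    raise SystemExit(1 if results else 0)
```

Run on the embedded plan, the script reports the public bucket and the world-open SSH rule and exits non-zero, while the private bucket and the internally scoped HTTPS rule pass. In a real pipeline the plan would come from `terraform show -json` on the plan file, and the checks would be maintained by the security team as the standards that developers are measured against, which is the division of labor the paragraph above describes.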
IaC security products
It's important for developers to consistently apply secure practices across the software development lifecycle. IaC security products can provide security teams visibility and control for setting policies and standards to prevent misconfigurations, while simultaneously automating testing within developer workflows. This not only ensures developers safely use IaC, but also prevents misconfigurations, reduces vulnerabilities that could expose data and reduces costly remediation work cycles.
While some vendors and open source tools focus on IaC security testing and policy creation, it is more common to see IaC security as a feature in application security, cloud security posture management or vulnerability management products. Vendors are rolling IaC security into their product offerings by acquiring startup companies, building their own products or sometimes using available open source tools. Rolled-in IaC security features could range from basic static application security testing (SAST) to managing policies, issuing remediation and sharing data collected from other security products.
Some examples of IaC security moves in the market include the following:
- Snyk added IaC capabilities to its offerings.
- Checkmarx created Keeping IaC Secure, or KICS, an open source IaC testing tool.
- Synopsys Inc. rolled out Rapid Scan SAST for IaC.
- Rapid7's acquisition of DivvyCloud in 2020 included IaC security.
- Palo Alto Networks acquired Bridgecrew in 2021 to add IaC capabilities to Prisma Cloud.
- Tenable Inc. acquired Accurics.
- Lacework acquired Soluble.
- Qualys Inc. announced its own IaC security capabilities in its CloudView cloud monitoring product.
As IaC use continues to grow, we're seeing IaC security topping checklists as an effective way to reduce risk for modern software development. By implementing the right IaC security tools and products, organizations can prevent misconfigurations from being deployed, which reduces the risk of exposing valuable company or customer data.