With the shift to cloud-native application development, developers are increasingly using infrastructure as code to provision their own infrastructure and applications. Although IaC brings unprecedented ease and speed to provisioning, it has security implications that must be considered to reduce risk.
Background and development of IaC
Before the advent of the cloud, infrastructure provisioning required system administrators to manually provision servers and configure network and security settings, subnets, and gateways. In the early days of cloud usage, IaC tools such as Ansible (now part of Red Hat), Puppet, Chef, and Salt focused on simplifying infrastructure management and deployment for cloud environments. These tools managed application resources, including servers, databases, networks, logs, application deployment details, and configurations. These IaC tools were designed for infrastructure engineers, not for application development teams.
New tools available today, such as Terraform from HashiCorp, CloudFormation from AWS, Kubernetes manifests, and Helm Charts, allow application developers to create and use declarative IaC configuration files to manage cloud services through APIs. Developers can write code themselves or use pre-existing templates, scripts, and policies from communities and libraries.
Developers can use IaC in their development processes as they write, test, and run their software code, extending these new tools into continuous integration and deployment pipelines and DevOps practices. IaC gives developers a command-line workflow for managing their cloud resources. If developers want to make changes or tear down the infrastructure, they can code, test, and deploy the changes themselves.
The issue of security, however, has not been addressed – yet.
IaC security challenges
Developers have strong expertise in building apps, but their experience with provisioning, testing, and securing IaC varies. While it’s easy to extract code from pre-made templates, the result can be a patchwork of copied-and-pasted code. Unless developers are experts in a given IaC codebase, it can be difficult to find issues, and even small errors can leave valuable data exposed. And as the use of IaC increases across all teams, the risk of errors increases with it.
Open-source IaC testing tools are available, but most developers don’t want to have to identify them and learn how to use them, or become IaC or security experts.
Security teams should work with developers to ensure that IaC usage scales safely. Setting security standards and automating testing can help developers detect and fix misconfigurations before they are deployed. It also lightens workloads by reducing the number of configuration errors that reach production environments.
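As an added example that is not part of the original article, the following Python script shows the kind of automated pre-deployment check the paragraph describes: a small policy-as-code scanner that flags a public bucket ACL, a missing bucket encryption setting, and a world-open security group rule in a constructed CloudFormation JSON template, and returns a non-zero status so a CI step can block the deployment. The rule IDs, resource names and the template itself are assumptions made for this example.

```python
import json
import sys

# Constructed sample CloudFormation template (not from the article): a
# public-read, unencrypted bucket and a world-open SSH rule next to a compliant bucket.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def check_template(template_text):
    """Return (logical_id, rule_id, message) findings for a CloudFormation JSON template."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.append((name, "S3_PUBLIC_ACL",
                                 f"ACL {props['AccessControl']} grants public access"))
            if "BucketEncryption" not in props:
                findings.append((name, "S3_NO_ENCRYPTION", "no server-side encryption configured"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS:
                    findings.append((name, "SG_WORLD_OPEN",
                                     f"ports {rule.get('FromPort')}-{rule.get('ToPort')} open to any address"))
    return findings


def ci_gate(template_text):
    """Pipeline gate: print findings and return 1 when any exist, else 0."""
    findings = check_template(template_text)
    for logical_id, rule_id, msg in findings:
        print(f"{rule_id} {logical_id}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(ci_gate(SAMPLE_TEMPLATE))
```

Wired into a pipeline step, the non-zero exit status stops the template from being applied until the flagged resources are corrected.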
IaC security products
It is important that developers consistently apply secure practices throughout the software development lifecycle. IaC security products can provide security teams with visibility and control for setting policies and standards to prevent misconfigurations, while simultaneously automating testing in developer workflows. This not only ensures that developers are using IaC securely, but also prevents misconfigurations, reduces vulnerabilities that could expose data, and reduces costly remediation work cycles.
While some vendors and open source tools focus on IaC security testing and policy creation, it is more common to view IaC security as a feature of application security products, cloud security posture management or vulnerability management. Vendors are integrating IaC security into their product offerings by acquiring startups, creating their own products, or sometimes using available open source tools. Built-in IaC security features can range from basic static application security testing (SAST) and policy management to issuing corrective actions and sharing data collected from other security products.
Here are some examples of IaC security moves in the market:
- Snyk has added IaC capabilities to its offerings.
- Checkmarx has created Keeping IaC Secure, or KICS, an open source IaC testing tool.
- Synopsys Inc. has deployed Rapid Scan SAST for IaC.
- Rapid7’s acquisition of DivvyCloud in 2020 included IaC security.
- Palo Alto Networks acquired Bridgecrew in 2021 to add IaC capabilities to Prisma Cloud.
- Tenable Inc. acquired Accurics.
- Lacework acquired Soluble.
- Qualys Inc. announced its own IaC security features in its CloudView cloud monitoring product.
As the use of IaC continues to grow, we see IaC security checklists as an effective way to reduce risk for modern software development. By implementing the right IaC security tools and products, organizations can prevent misconfigurations from being deployed, reducing the risk of exposing valuable company or customer data.