IaC is an emerging practice of defining, in a development environment, how cloud or data center resources, such as networking and storage, are to be deployed for an application, eliminating the need for an operations team to spin up, and then manage, those resources just before the application goes live.
As organizations adopt IaC technologies, however, more is being learned about how improper configurations can introduce security weaknesses.
Last month, developer-focused security vendor Bridgecrew released a report showing that as many as half of all community-built Terraform modules available for download are misconfigured, opening a path to potential security breaches. Managed by HashiCorp, Terraform is open source software for managing cloud and infrastructure components and services.
“By 2025, 70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated,” Gartner has reported.
Accurics has updated its Terrascan open source static code analyzer so it can codify policy checks across Infrastructure-as-Code deployments. The new release highlights common security flaws in Terraform templates from popular cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
The architecture, which relies on the CNCF's Open Policy Agent (OPA), can be easily extended to other popular technologies such as AWS CloudFormation and Kubernetes, as well as service mesh and serverless deployments. According to the company, the OPA engine dramatically simplifies policy definition for developers who want to write custom policies, and Terrascan ships with over 500 out-of-the-box policies for the CIS Benchmark.
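To make the OPA-based approach concrete, here is an added example of a custom policy written in Rego. It is not one of Terrascan's bundled policies and does not use Terrascan's own input format; it is plain OPA evaluated against the JSON that `terraform show -json plan.out` produces, where `resource_changes[].change.after` holds each resource's planned configuration. The policy flags any `aws_security_group` ingress rule that admits the whole internet (`0.0.0.0/0` or `::/0`) on an administrative port. The set of administrative ports, the package name, and the two constructed plan fragments at the bottom (one with the weak setting, one with the corrected, network-scoped setting) are assumptions made for the example; the test rules run with `opa test policy.rego`.

```rego
package terraform.security_groups

import rego.v1

# Ports that should never be reachable from anywhere (assumption for the example).
admin_ports := {22, 3389}

# IPv4 and IPv6 "anywhere" CIDRs.
anywhere := {"0.0.0.0/0", "::/0"}

# A rule reaches a port when it uses protocol "-1" (all traffic, from/to_port are 0)
# or when the port falls inside the from_port..to_port range.
rule_reaches_port(rule, port) if rule.protocol == "-1"

rule_reaches_port(rule, port) if {
	rule.protocol != "-1"
	rule.from_port <= port
	port <= rule.to_port
}

# Every security-group ingress rule in the plan that allows an "anywhere" source.
# Two bodies cover cidr_blocks and ipv6_cidr_blocks; a missing or null list yields nothing.
open_ingress contains {"address": rc.address, "rule": rule, "cidr": cidr} if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	some cidr in rule.cidr_blocks
	cidr in anywhere
}

open_ingress contains {"address": rc.address, "rule": rule, "cidr": cidr} if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	some cidr in rule.ipv6_cidr_blocks
	cidr in anywhere
}

# Violation when an open rule reaches an administrative port.
deny contains msg if {
	some r in open_ingress
	some port in admin_ports
	rule_reaches_port(r.rule, port)
	msg := sprintf("%s: ingress from %s reaches port %d", [r.address, r.cidr, port])
}

# Constructed plan fragments (not captured from a real deployment).
# Weak setting: SSH open to the internet.
open_sg := {"resource_changes": [{
	"address": "aws_security_group.bastion",
	"type": "aws_security_group",
	"change": {"after": {"ingress": [{
		"protocol": "tcp", "from_port": 22, "to_port": 22,
		"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []
	}]}}
}]}

# Corrected setting: SSH limited to the corporate range.
scoped_sg := {"resource_changes": [{
	"address": "aws_security_group.bastion",
	"type": "aws_security_group",
	"change": {"after": {"ingress": [{
		"protocol": "tcp", "from_port": 22, "to_port": 22,
		"cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []
	}]}}
}]}

# Edge case: an "all traffic" rule must be caught even though from/to_port are 0.
all_traffic_sg := {"resource_changes": [{
	"address": "aws_security_group.wide_open",
	"type": "aws_security_group",
	"change": {"after": {"ingress": [{
		"protocol": "-1", "from_port": 0, "to_port": 0,
		"cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]
	}]}}
}]}

test_open_ssh_is_denied if {
	count(deny) == 1 with input as open_sg
}

test_scoped_ssh_is_allowed if {
	count(deny) == 0 with input as scoped_sg
}

test_all_traffic_rule_is_denied if {
	count(deny) == 2 with input as all_traffic_sg
}
```

In a pipeline the same policy is applied to a real plan with `opa eval -i plan.json -d policy.rego "data.terraform.security_groups.deny"`, failing the build when the result set is non-empty. The two-body form for `open_ingress` is deliberate: iterating `some cidr in rule.ipv6_cidr_blocks` is simply undefined when the attribute is absent or null, so the policy never errors on resources that only set one address family.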
“The rapid adoption of IaC is clearly meeting its intended goal: to help organizations achieve more reliability by programmatically embedding policy checks earlier in the development lifecycle,” said Cesar Rodriguez, head of developer advocacy at Accurics, in a statement. “Organizations are required to implement policy guardrails to ensure that cloud native infrastructure is securely defined and managed. Terrascan is already playing a key role in this process within many organizations, and the newest iteration takes these important capabilities much further.”
Terrascan is now available as a GitHub Action (it is also included in the popular Super-Linter GitHub Action package) and can be installed as a pre-commit hook or integrated into a CI/CD pipeline, where it can detect issues before misconfigured code is pushed into a repository.
Also targeting the infrastructure-as-code market is Snyk, with a new release, Snyk IaC. This offering is designed to find and fix misconfigurations in Kubernetes and Terraform code before it goes live, reducing the manual code review and research otherwise needed to spot potential security errors.
“It is critical to have an approach to security that acknowledges that the infrastructure has become part of the application itself,” said Guy Podjarny, Snyk co-founder and President, in a statement.
Snyk Infrastructure as Code will be available to both free users of Snyk and as a paid add-on to Snyk Open Source and Snyk Container with additional features for teams and larger organizations, according to the company.
Accurics, Amazon Web Services, Bridgecrew, the Cloud Native Computing Foundation, HashiCorp, and Snyk are sponsors of The New Stack.