
Introducing Infrastructure as Code Security


Last month, we announced our Infrastructure as Code (IaC) scanning capabilities in a press release. We are adding IaC scanning for security misconfigurations to our Internal Monitoring platform. This new release complements the current automated secrets detection and remediation capabilities. And in keeping with Shift Left security, we are enabling proactive IaC scanning through the popular open-source command-line interface (CLI) for developers, ggshield.

Why should you care about IaC scanning?

While software-defined infrastructure has enabled engineering teams to deploy cloud resources more quickly and consistently, it comes with risks. Gartner predicts that through 2023, at least 99% of cloud security failures will be the user's fault, primarily due to misconfigurations.

Today, developers are under pressure to deliver new features while also managing all of the configurations required for the services on which their applications run. In this hustle, it is easy to overlook the manual checks required to secure their Infrastructure as Code. It might be as simple as forgetting to restrict network access, setting the right permissions to their resources, or failing to encrypt storage systems such as databases, AWS S3 buckets, etc. It might also be as dangerous as leaving credentials hardcoded in Terraform configuration files. These errors spread from code to different cloud-native environments, exposing crucial workloads and resources. So, IaC security scanning that does not cause developer friction is critical for your security posture.
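To make the three mistakes named above concrete, here is an added illustration that is not part of the original post and not GitGuardian's code: a constructed Terraform fragment with a hardcoded provider credential, a security group open to the whole internet, and an S3 bucket with no server-side encryption, beside the same resources with the fixes applied, plus a deliberately small regex-based checker that flags the weak version and passes the hardened one. A real IaC scanner parses HCL and evaluates policies rather than grepping; the checker is only here to show what each misconfiguration looks like in code. All resource names and key values are constructed placeholders.

```python
"""Toy checks for three common Terraform misconfigurations (added example).

Illustration only: real IaC scanners parse HCL and evaluate policies.
Here regular expressions run over constructed snippets to show concretely
what each misconfiguration looks like and what the fixed version looks like.
"""
from __future__ import annotations

import re

# Constructed example: a Terraform fragment with all three problems.
WEAK_TF = """
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIA_PLACEHOLDER_NOT_REAL"      # placeholder literal, not a real key
  secret_key = "secret-placeholder-not-real"    # placeholder literal, not a real key
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
"""

# Constructed example: the same resources with each problem fixed.
HARDENED_TF = """
provider "aws" {
  region = "eu-west-1"
  # credentials come from the environment or an IAM role, never from code
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
"""


def find_hardcoded_credentials(tf: str) -> list[str]:
    """Attribute names whose value is a string literal in the file (should never be)."""
    pattern = re.compile(r'^\s*(access_key|secret_key|password)\s*=\s*"[^"]+"', re.M)
    return [m.group(1) for m in pattern.finditer(tf)]


def find_open_ingress(tf: str) -> list[str]:
    """from_port values of ingress blocks whose cidr_blocks include 0.0.0.0/0 or ::/0."""
    findings = []
    for block in re.finditer(r"ingress\s*{(.*?)}", tf, re.S):
        body = block.group(1)
        if re.search(r'cidr_blocks\s*=\s*\[[^\]]*"(0\.0\.0\.0/0|::/0)"', body):
            port = re.search(r"from_port\s*=\s*(\d+)", body)
            findings.append(port.group(1) if port else "?")
    return findings


def find_unencrypted_buckets(tf: str) -> list[str]:
    """aws_s3_bucket resources with no matching server-side encryption resource."""
    buckets = re.findall(r'resource\s+"aws_s3_bucket"\s+"([^"]+)"', tf)
    encrypted = set(re.findall(
        r'resource\s+"aws_s3_bucket_server_side_encryption_configuration"\s+"[^"]+"'
        r"\s*{[^}]*?bucket\s*=\s*aws_s3_bucket\.([A-Za-z0-9_-]+)\.id",
        tf, re.S))
    return [b for b in buckets if b not in encrypted]


def scan(tf: str) -> dict[str, list[str]]:
    """Run all three checks; an empty list for every key means nothing was flagged."""
    return {
        "hardcoded_credentials": find_hardcoded_credentials(tf),
        "open_ingress_ports": find_open_ingress(tf),
        "unencrypted_buckets": find_unencrypted_buckets(tf),
    }


if __name__ == "__main__":
    print("weak:", scan(WEAK_TF))
    print("hardened:", scan(HARDENED_TF))
```

Running the block prints three findings for the weak fragment and none for the hardened one. The hardcoded-credential check is the one a secrets detector would also catch; the other two are pure configuration policy, which is why the post treats them as a separate scanning capability.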


Infrastructure code is not so different from application code that it cannot be tested. Developers should not waste time manually going through templates that were meant to save time. Even if you are ready to put in the time to comb through the code for misconfigurations, there is still the likelihood of human error. IaC scanning tools can automate the process and guarantee that every line of your infrastructure code is safe and secure.

How should you use ggshield to scan IaC misconfigurations?

ggshield, the GitGuardian CLI, is meant to run on local workstations (as a pre-commit check) to scan your IaC before each commit. It can also be integrated into your CI pipelines to prevent serious misconfigurations from being deployed. We always encourage you to prevent security issues as early as possible in the software development life cycle, which minimizes the potential cost and impact of a security misconfiguration.

A layered detection strategy

IaC scanning was added to ggshield with one goal: to make it simple for Developers, Site Reliability Engineers, DevOps Engineers (or any Terraform author) to manage large-scale IaC misconfigurations from the comfort of the command line.

Let's take a closer look at how it works:

1. Create a token to authenticate your GitGuardian workspace

After installing ggshield, you can use the ggshield auth login command (see documentation) or manually create a personal access token in your dashboard with the scan permission.

2. Scan your local repositories

Once you have installed and set up the command-line interface, you can initiate scans with a simple ggshield command: ggshield iac scan. Scanning takes a few seconds.

3. View scan results in the command line interface

You can quickly identify misconfigurations, read detailed information about them, and see which exact policies were violated all in one place. You may also export the results to a JSON file and save it somewhere else in your CI/CD for further analysis.

4. Set a minimum severity to prioritize issues

Unlike most IaC security scanning tools, ggshield IaC Scanning does not overwhelm the user with numerous alerts. The command line interface allows you to prioritize remediation. You can set a severity threshold to filter critical misconfigurations (thanks to rich context!) and address them before running a Terraform plan and generating the corresponding infrastructure.

5. Achieve a broad scope of coverage

Before deployment, DevOps, Platform Engineering, and Site Reliability Engineering teams can find and fix over 70 security misconfigurations in their Terraform and AWS CloudFormation (CFT) files.
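Steps 3 and 4 above mention exporting results to JSON and setting a severity threshold. The following added example (not GitGuardian's code and not from the original post) shows how a later CI stage can apply the same threshold to an exported report: keep the full report as a build artifact, but fail the job only when an incident at or above the chosen severity is present. It assumes the report was produced by a command along the lines of `ggshield iac scan --json` redirected to a file (check `ggshield iac scan --help` for the exact flags in your version), and the report layout, policy ids and file names in the constructed sample are assumptions, not the documented schema, so adapt the field names to what your ggshield version actually emits.

```python
"""CI gate over an exported IaC scan report (added example, not GitGuardian code).

Assumes a JSON report with per-file incident lists, each incident carrying a
"severity" field. The SAMPLE_REPORT layout below is a constructed
approximation of such a report, not the documented ggshield schema.
"""
from __future__ import annotations

import json
import sys

SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample report: two files, three incidents, mixed severities.
# Policy ids and names are placeholders, not real ggshield policy identifiers.
SAMPLE_REPORT = json.dumps({
    "entities_with_incidents": [
        {"filename": "network.tf", "incidents": [
            {"policy_id": "EXAMPLE_POLICY_001",
             "policy": "Security group ingress open to the world",
             "severity": "HIGH", "line_start": 12},
        ]},
        {"filename": "storage.tf", "incidents": [
            {"policy_id": "EXAMPLE_POLICY_002",
             "policy": "S3 bucket without server-side encryption",
             "severity": "MEDIUM", "line_start": 3},
            {"policy_id": "EXAMPLE_POLICY_003",
             "policy": "S3 bucket without versioning",
             "severity": "LOW", "line_start": 3},
        ]},
    ],
})


def incidents_at_or_above(report_json: str, minimum: str) -> list[dict]:
    """Incidents whose severity is >= `minimum`, most severe first."""
    threshold = SEVERITY_ORDER[minimum.upper()]
    report = json.loads(report_json)
    selected = []
    for entity in report.get("entities_with_incidents", []):
        for incident in entity.get("incidents", []):
            sev = incident.get("severity", "LOW").upper()
            # Unknown severity strings are treated as LOW rather than dropped.
            if SEVERITY_ORDER.get(sev, 0) >= threshold:
                selected.append({"file": entity["filename"], **incident})
    selected.sort(key=lambda i: SEVERITY_ORDER.get(i["severity"].upper(), 0),
                  reverse=True)
    return selected


def gate(report_json: str, minimum: str = "HIGH") -> int:
    """Exit code for a CI step: 1 if any incident meets the threshold, else 0."""
    blocking = incidents_at_or_above(report_json, minimum)
    for inc in blocking:
        print(f"{inc['file']}:{inc['line_start']} [{inc['severity']}] "
              f"{inc['policy']} ({inc['policy_id']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [MINIMUM_SEVERITY]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

With the built-in sample and the default HIGH threshold the script prints the single security-group incident and exits 1; at CRITICAL it exits 0. Keeping the threshold in the pipeline rather than only on the developer's workstation lets the security team raise or lower it centrally without touching every repository's hook.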

Within a few weeks, Application and Cloud Security teams will be able to enforce and monitor ggshield IaC Scanning from the GitGuardian Internal Monitoring dashboard, thanks to our upcoming analytics and reporting features.

We're not going to stop at secrets detection and remediation

ggshield IaC Scanning is part of our vision to create a code security platform for the next generation of DevOps professionals. ggshield has already assisted thousands of enterprises in hardening the Source Control Management systems on which they rely to create and sell software. This time, we tried to explore a different use case that would benefit cloud security posture defenders.

See ggshield IaC Scanning in action

To get started with IaC Scanning, all you need is a GitGuardian account! This feature is free for all GitGuardian customers at the moment.

Check out our public documentation for more information on our IaC security scanning capabilities.

This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Soujanya Ain. Read the original post at: https://blog.gitguardian.com/introducing-infrastructure-as-code-security/