Summary
To deliver maximum value, Infrastructure-as-Code (IaC) tools should provide capabilities including IaC code scanning, configuration management, template validation, open source security scanning, configuration drift management and risk prevention. They should also integrate effectively with other security tools.
Infrastructure-as-Code (IaC) tools are a great way to boost productivity and reduce risk. However, leveraging IaC can also expose teams to new types of security challenges. That’s why any organization that adopts IaC to help provision and manage infrastructure should also deploy IaC security tools that help reinforce IaC security best practices.
Keep reading for a guide to the key types of IaC security tools and features available today, along with tips on how to make the most of IaC security.
Defining Infrastructure-as-Code
Before diving into a discussion of IaC security tools and capabilities, let’s briefly define what IaC means.
Infrastructure-as-Code is an approach to infrastructure management that uses code to define and apply configurations. In other words, IaC allows you to write code that describes how servers, storage, or other resources should be configured, and then apply the desired configurations automatically. The code that defines IaC configurations is stored in files called templates.
Managing infrastructure through code offers several advantages over the alternative approach, which is configuring each resource manually and one by one. With IaC, you can define a desired configuration once, and then apply it across as many resources as you wish, which saves tremendous time and effort. In addition, an IaC approach reduces the risk of introducing errors or inconsistencies to infrastructure due to oversights during manual configuration. Last but not least, because IaC configurations are defined using code, you can track changes to configurations by monitoring code revisions, and you can revert to an earlier configuration easily in the event that a change introduces a problem to your environment.
Declarative vs. imperative IaC
There are two main approaches to implementing IaC:
- Declarative, which focuses on defining what the desired state of infrastructure should be, then having IaC tools automatically transform infrastructure to match that state.
- Imperative, which involves spelling out the steps necessary to achieve a certain configuration state.
Both approaches make it possible to define configurations using code, but they come with different benefits and drawbacks. Declarative IaC requires less effort to implement because you don’t need to define exactly how to reach a desired configuration state, but it also gives you less control because you rely on IaC tools to decide how to achieve the defined configuration automatically. In contrast, imperative IaC provides more control over how infrastructure is set up, but it also requires more effort on the part of engineers to write out the necessary configuration steps.
IaC security as a key part of the SDLC
While IaC saves time and reduces the risk of configuration mistakes, it also introduces unique security challenges.
The biggest is that mistakes in IaC code could introduce security risks or vulnerabilities into an environment. For instance, if you use IaC to configure storage resources that host private data, and you accidentally configure the resources to be publicly accessible via the Internet, data exfiltration could result. Or, you might use IaC to set up user accounts, but accidentally give some users privileges they don’t require, which breaks the principle of least privilege – one key component of IaC security best practices.
To make matters worse, the fact that IaC configurations can be applied at scale means that any security issues introduced by IaC code could be replicated across a large number of resources. This makes it particularly important to identify IaC security risks before applying a configuration.
For these reasons, integrating IaC security practices into the Software Delivery Lifecycle (SDLC) is critical for using IaC securely. By adding IaC security to the SDLC, you can scan and validate the IaC code that controls infrastructure configurations before applying it to application hosting environments.
IaC security best practices
As part of the SDLC, IaC security tools should help enable the following IaC security best practices:
- Scanning IaC code before it is applied to a production environment.
- Checking both for unusual configurations (like elevated privileges for non-admin users) and typos (which can trigger security risks by causing IaC tools to misinterpret a desired setting, leading to configurations that teams did not intend to enable).
- Version-control of IaC code, which helps teams identify updates that could introduce security risks and revert back to an earlier configuration in response to a newly identified risk.
- Enforcing the principle of least privilege, which means granting users only the privileges they specifically require.
7 essential IaC security tools and capabilities
To secure IaC effectively, look for solutions that deliver the following key features and capabilities.
#1. IaC scanning
The ability to scan IaC code for security risks is the core capability of IaC security tools. IaC scanning means automatically parsing IaC templates to determine whether they contain any settings that could expose resources to risk.
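An added example of the scanning step described here (not code from the page or from any product): a small Python scanner over a constructed template in a hypothetical generic format, which flags the publicly accessible storage and over-privileged user from the SDLC section above and the misspelled-key typo from the best-practices list. The resource types, property names and severity labels are assumptions made for the example.

```python
import json

# Property names the hypothetical IaC tool accepts per resource type. A key
# outside this set is reported: many IaC tools silently ignore a misspelled
# key, so the setting the author intended never takes effect.
SCHEMA = {
    "storage": {"name", "public_access", "encrypted"},
    "user": {"name", "privileges"},
}
# Privileges a non-admin user is expected to hold (least-privilege baseline).
ALLOWED_USER_PRIVILEGES = {"read", "write"}

# Constructed sample: one public bucket, one typo, one over-privileged user.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "storage", "properties": {"name": "customer-data",
                                     "public_access": true, "encrypted": true}},
  {"type": "storage", "properties": {"name": "logs",
                                     "public_acess": false, "encrypted": true}},
  {"type": "user", "properties": {"name": "reporting-svc",
                                  "privileges": ["read", "*"]}}
]}
""")


def scan_template(template):
    """Return findings as (severity, resource name, message) tuples."""
    findings = []
    for res in template.get("resources", []):
        rtype, props = res.get("type"), res.get("properties", {})
        name = props.get("name", "<unnamed>")
        known = SCHEMA.get(rtype)
        if known is None:  # fail closed on anything the schema does not describe
            findings.append(("HIGH", name, f"unknown resource type {rtype!r}"))
            continue
        for key in props:  # typo check against the schema
            if key not in known:
                findings.append(("MEDIUM", name, f"unknown property {key!r} (typo?)"))
        if rtype == "storage" and props.get("public_access") is True:
            findings.append(("HIGH", name, "storage is publicly accessible"))
        if rtype == "user":
            excess = sorted(set(props.get("privileges", [])) - ALLOWED_USER_PRIVILEGES)
            if excess:
                findings.append(("HIGH", name, f"privileges beyond least privilege: {excess}"))
    return findings


def should_block_apply(findings):
    """CI gate: refuse to apply the template while any HIGH finding is open."""
    return any(sev == "HIGH" for sev, _, _ in findings)
```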
#2. Configuration management
As part of configuration management, IaC security tools should be able to validate whether the configurations defined by IaC code are secure. They should also track configurations over time so that teams can easily determine when they introduced a change that triggered a security issue.
#3. Template validation
Since templates are the files that define how resources should be configured based on an IaC approach, it’s important to check whether a given template is valid and can be trusted. This entails determining the origin of the template and verifying that it has not been changed since it was last scanned for security purposes.
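An added illustration of the origin-and-integrity check just described (example code, not the page's or any vendor's): the scanning step records where a template came from and a SHA-256 digest of its content when it passes review, and the apply step refuses anything that does not match. The origin string, the record format and the sample template content are constructed for the example.

```python
import hashlib
import hmac

# Repositories a template may legitimately come from (hypothetical value).
TRUSTED_ORIGINS = {"git@example.internal:platform/iac-templates.git"}

# Template content as it looked when the security scan last passed
# (constructed sample; in practice only the digest below is stored).
SCANNED_CONTENT = (
    b'{"resources": [{"type": "storage", '
    b'"properties": {"name": "logs", "public_access": false}}]}'
)

# Record the scanning step writes when a template passes review:
# template name -> (origin it was fetched from, SHA-256 of its content).
SCAN_RECORD = {
    "storage.json": (
        "git@example.internal:platform/iac-templates.git",
        hashlib.sha256(SCANNED_CONTENT).hexdigest(),
    ),
}


def validate_template(name, origin, content, record=SCAN_RECORD):
    """Decide whether a template may be applied. Returns (ok, reason) and
    fails closed: anything not positively matched is rejected."""
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin!r}"
    entry = record.get(name)
    if entry is None:
        return False, "template has never been scanned"
    recorded_origin, recorded_digest = entry
    if recorded_origin != origin:
        return False, "origin differs from the one recorded at scan time"
    digest = hashlib.sha256(content).hexdigest()
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(digest, recorded_digest):
        return False, "content changed since last scan; rescan before applying"
    return True, "template matches the last scanned version"
```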
#4. Open source vulnerability scanning
IaC security tools should also be able to determine whether any open source components that are introduced to an environment using IaC are subject to security vulnerabilities. For example, if IaC code installs an open source library as part of a provisioning process, IaC tools should validate that the library is secure.
#5. Configuration drift management
Configuration drift occurs when engineers make manual changes to a resource that was configured with IaC, causing the state of the resource to “drift” from the state defined by IaC. Configuration drift is risky because manual changes could introduce security problems. Worse, teams may not know about the issues because they are unaware of the manual change and assume that the state of the resource is consistent with the state defined in an IaC template.
To prevent this issue, IaC security tools should be capable of scanning resources and comparing their actual state to the state defined in IaC templates.
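An added example of the comparison described in this section (not code from the page or any product): a declared state taken from a template is diffed against a constructed snapshot of the live state, security-relevant drift is separated out, and a defender's remediation plan is produced. The resource identifiers, attribute names and snapshot values are all constructed for the example.

```python
# Desired state as declared in the IaC template (constructed sample).
DESIRED = {
    "storage/customer-data": {"public_access": False, "encrypted": True},
    "storage/logs": {"public_access": False, "encrypted": True},
}
# Actual state as read back from the provider's API (constructed snapshot):
# customer-data was flipped to public by hand and an unmanaged bucket appeared.
ACTUAL = {
    "storage/customer-data": {"public_access": True, "encrypted": True},
    "storage/logs": {"public_access": False, "encrypted": True},
    "storage/scratch": {"public_access": True, "encrypted": False},
}
# Attributes whose drift weakens the security posture and must be alerted on.
SECURITY_ATTRS = {"public_access", "encrypted"}
MARKER = "<resource>"  # attribute placeholder for whole-resource drift


def detect_drift(desired, actual):
    """Compare declared and live state; return (resource, attr, expected, found)."""
    events = []
    for rid, want in desired.items():
        have = actual.get(rid)
        if have is None:  # declared but gone: deleted out of band
            events.append((rid, MARKER, "present", "missing"))
            continue
        for attr, val in want.items():
            if have.get(attr) != val:
                events.append((rid, attr, val, have.get(attr)))
    for rid in actual.keys() - desired.keys():  # live but never declared
        events.append((rid, MARKER, "absent", "unmanaged"))
    return sorted(events, key=lambda e: (e[0], e[1]))


def security_drift(events):
    """Keep only the drift that needs security review."""
    return [e for e in events if e[1] == MARKER or e[1] in SECURITY_ATTRS]


def remediation_plan(events):
    """Re-applying the template fixes attribute drift and recreates deleted
    resources; unmanaged resources need a human to adopt or remove them."""
    plan = []
    for rid, attr, expected, found in events:
        if attr != MARKER:
            plan.append(f"{rid}: re-apply template to set {attr}={expected!r} (found {found!r})")
        elif found == "missing":
            plan.append(f"{rid}: declared but missing; re-apply template to recreate")
        else:
            plan.append(f"{rid}: unmanaged resource; review, then import into IaC or remove")
    return plan
```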
#6. Risk prevention
The best IaC security tools are able not just to detect risks within IaC code that has already been applied, but to prevent the majority of risks from ever entering a production environment.
Tools can do this by scanning IaC code before it is used to configure resources. Ideally, scanning should occur whenever new IaC code is written, or an existing template is updated. By detecting risks early, teams can address them proactively.
#7. Integrations
The ability to integrate IaC security tools with other software that composes the SDLC – such as Continuous Integration (CI) servers and test automation suites – helps teams take an efficient approach to IaC security. When you can integrate IaC security directly into the SDLC, it becomes easy to scan IaC code early and often, minimizing the risk of introducing security problems to live environments.
Enabling IaC security best practices with Checkmarx IaC Security
Checkmarx IaC Security delivers all of the capabilities that teams need not just to detect IaC security risks, but also to respond to them effectively. Checkmarx scans both for security vulnerabilities and misconfigurations, maximizing your chances of identifying all relevant risks. In addition, alerting and risk prioritization features make it easy to determine which IaC security risks are the most serious, providing the critical guidance necessary to remediate issues efficiently.