IaC security - how to get your developers and security teams together

By Paul Baird, Chief Technical Security Officer EMEA, Qualys.


Infrastructure as Code (IaC) describes how organisations manage their cloud resources in repeatable and predictable ways. As companies use more cloud computing services, managing deployments requires more automation and repeatability. To deal with this, developers and DevOps teams deploy the same methods for cloud that they use in the software development lifecycle.

IaC turns the process of commissioning, scripting and deploying cloud resources into code, so the process can be repeated the same way each and every time. This makes it easier to check for potential issues with your installation images, and to share the process with others. However, if you rely on IaC to manage your infrastructure, then you have to be sure that the set-up is secure.

IaC security should enable you to proactively detect and address potential threats in your cloud infrastructure by providing early detection and visibility into misconfigurations and non-standard deployments. It should also flag any changes in your environment over time where installations have ‘drifted’ out of compliance with your initial images, and point to any problems around accounts and privileges as well.

The strong point for IaC is that it allows you to carry out full version control on your cloud infrastructure deployments. However, it is also responsible for how you deploy all your infrastructure over time. Consequently, any issue in your template will be replicated multiple times, from development into deployment and production. For security teams, assessing how you use IaC throughout your software development pipeline makes it easier to fix problems before they scale up.

For developers, using IaC helps them be more efficient in their roles, but being given responsibility for security fixes can make the process harder. To improve collaboration, security teams can supply any list of security issues together with details on which faults should be prioritised. This integrates developer and security operations in practice and reduces risk.

Making security practical for developers

Alongside priority information, you will have to integrate your security processes with the tools that your developers interact with every day and where those IaC images are used. This can include multiple different tools across the software development lifecycle (SDLC), from the repositories used to host code such as GitHub, GitLab, and BitBucket, through to the Continuous Integration / Continuous Delivery (CI/CD) tools like Bamboo, Jenkins, and Azure DevOps that are used to push workloads from one stage of the SDLC to the next.

Developers will also want to integrate any security tooling into the code editors that they use on a daily basis like Visual Studio Code. This approach allows developers and DevOps to check their IaC images for potential misconfigurations during the development process without leaving the environment that they work in, and it means that security is not another process that developers have to remember to apply. This integration should take place using APIs, providing your DevOps team with real-time assessments of potential cloud misconfigurations so that you can prioritize remediations before deploying into production.

Alongside this integration, you will also have to help developers implement security fixes into IaC as part of their overall work. Providing guidance on software flaws or misconfigurations can help developers fix problems, but you can also offer more details on which ones are the most time-sensitive or need to be addressed soonest. This will help your developers balance requests for new functionality against the security fixes or other changes that are needed.

Implementing security across all your software environments

IaC security should allow you to set up and enforce security policies across your whole software development lifecycle and into production. To provide comprehensive coverage, this should include your runtime environments too.

IaC lets you evaluate what you need within your implementations and then automate those deployments. However, when you deploy those images, you may find that you need something more within those deployed instances to meet your needs. For example, you may want to install the latest version of the software you run as you set up the container from a software repository - this avoids the problem of adding and managing updates to your IaC templates all the time. However, that can open up potential security issues.

Runtime security helps to minimise the risk of security gaps and vulnerabilities being introduced into the infrastructure due to misconfigurations or changes made after deployment. Rather than relying on static scans, you can see any drift between your approved images and the current state of your deployed infrastructure. While making single changes to IaC images might seem like it would be an additional responsibility for developers, it can actually save a lot of time and potential problems in the long run.
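The drift check described above can be sketched in a few lines. This is an added example, not code from the original article or from any vendor product; the resource names, attributes and the high-priority keyword list are constructed assumptions. It compares an approved baseline with observed runtime state and returns findings with the fix-first items at the top.

```python
# Constructed example: compare an approved IaC baseline with observed runtime state.
MISSING = "<unset>"
# Assumed rule set: attribute names a security team has marked as fix-first.
HIGH_PRIORITY = ("ingress", "public", "encrypt", "iam", "policy")

def flatten(obj, prefix=""):
    """Turn nested dicts/lists into {dotted.path: value} so attributes compare one by one."""
    if isinstance(obj, dict) and obj:
        items = obj.items()
    elif isinstance(obj, list) and obj:
        items = enumerate(obj)
    else:
        return {prefix: obj}  # scalar, or an empty container kept as a leaf
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def priority(path):
    return "high" if any(word in path.lower() for word in HIGH_PRIORITY) else "low"

def detect_drift(approved, deployed):
    """Return (priority, resource, path, expected, actual) tuples, high priority first."""
    findings = []
    for name in sorted(set(approved) | set(deployed)):
        if name not in deployed:
            findings.append(("low", name, "<resource>", "present", "missing"))
        elif name not in approved:
            # Created outside the template, so it was never reviewed: fix first.
            findings.append(("high", name, "<resource>", "absent", "unmanaged"))
        else:
            want, have = flatten(approved[name]), flatten(deployed[name])
            for path in sorted(set(want) | set(have)):
                exp, act = want.get(path, MISSING), have.get(path, MISSING)
                if exp != act:
                    findings.append((priority(path), name, path, exp, act))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1], f[2]))

# Constructed sample data (hypothetical resource names and attributes).
APPROVED = {
    "bucket.logs": {"encryption": {"enabled": True}, "public_access": False, "tags": {"env": "prod"}},
    "sg.web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
}
DEPLOYED = {
    "bucket.logs": {"encryption": {"enabled": True}, "public_access": True, "tags": {"env": "production"}},
    "sg.web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    "vm.debug": {"image": "constructed-image"},
}

if __name__ == "__main__":
    for finding in detect_drift(APPROVED, DEPLOYED):
        print(*finding, sep=" | ")
```

List items are compared by position, so a reordered list shows up as drift; normalise list order first if your templates do not guarantee it.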

IaC makes it easier to build IT infrastructure in repeatable, automated ways. However, using IaC also requires a security point of view. Without an effective security process, issues in your IaC deployments can scale up and spread potential vulnerabilities more widely. Help your developers and security teams to collaborate on these problems, and you can remove potential threats much faster and more efficiently.
