TAG Cyber: Securing Infrastructure as Code
Speed is everything in the world of DevOps. The ability to rapidly iterate and deliver software to market that addresses the needs of customers has been the main rallying cry of the DevOps movement. But there is no such thing as a free lunch, and the velocity of development often requires sacrificing other controls for the sake of speed. Security is often one of the controls pushed aside and is frequently only addressed at the very end of the development process. Any security findings identified at this late stage must then be either fixed, thereby delaying product release, or accepted as risk leaving companies to perform a careful balancing act between time to market and security.
This is a common story that we at TAG Cyber have heard time and again. The challenge always comes down to trying to convince development teams that are measured on their ability to bring software to market quickly to slow down and consider security controls. Maybe it’s my collegiate roots calling to me, but I can’t help to think of Coach John Wooden’s famous quote, “Be quick, but don’t hurry.” Companies should focus on getting to market quickly, but not be in such a hurry as to compromise security controls. No one wants to end up as a news headline due to a security incident.
Integrating security into the SDLC
Clearly the ideal scenario would be to integrate security directly into the development process, but to do this security would need to move at the same velocity of development. This is the exact lofty goal the team at Accurics is chasing. They recently connected with the TAG Cyber team to discuss the security challenges of protecting a DevOps process.
Now when you think of security in a DevOps process, you wouldn’t be wrong to think about application security. However, with the shift in DevOps towards infrastructure as code (IaC), it is now just as critical to secure the infrastructure supporting the application. A main challenge identified by Accurics is that infrastructure is being built programmatically using infrastructure as code, but security risks are being manually mitigated. Accurics addresses this challenge by automatically inspecting infrastructure as code at all stages of the software development life cycle (SDLC) and suggesting remediation for any identified issues. Suggestions are codified and automatically sent to the developers via the source control management platform so they can integrate the security feedback in real time and in a process they are already comfortable with.
A major complication when protecting the SDLC is the fact that often multiple technologies are involved which each have their own configuration language or protocol. Accurics creates a unified representation of the infrastructure as code at each step in the SDLC called Cloud as Code that translates all the disparate configurations into JSON. The unified JSON format then allows policies to be managed centrally and consistently enforced throughout the entire SDLC. Policies are defined using the Open Policy Agent (OPA) format which allows users to take advantage of the over 1800 out of the box polices while also defining their own.
Another complication when protecting the SDLC is in managing the consistency of the configurations. Most teams use some sort of code repository as a source of truth, but it is easy for the current state of the software to get out of sync with the repository as operations or development teams make adjustments during the build, deployment, or runtime phases. This configuration drift can lead to inconsistent policy enforcement and the rise of exposure that is not immediately apparent. Accurics detects configuration drift across all phases of the SDLC and automatically suggests remediation to ensure a consistent security posture.
As analysts, we can see that infrastructure as code is quickly becoming a popular deployment strategy for enterprise teams. While the strategy brings great benefits in the form of development speed, it also brings unique security challenges that security teams must reconcile with the help of development teams.
Development and security teams often have different metrics they are held accountable for that result in conflicting goals. Security is measured by how well they can mitigate risk in the environment while development teams are measured by how fast they can bring a product to market and how well they can stay in budget. This has traditionally led to security teams being forced to impose their will on development teams and slowing them down in order to address security risk.
Accurics is attempting to bridge that gap by bringing security more natively into the development process through the adoption of a DevSecOps process. However, the DevSecOps movement is one that many security companies have championed for years without widespread adoption. Perhaps the developer-focused approach will encourage the adoption of a DevSecOps mentality to allow for security to be done right the first time, but only time will tell if companies embrace the idea or continue to accept security risk for the sake of development speed. After all, as Coach Wooden said, “If you don’t have time to do it right, when will you have time to do it over?”