Navigating Shark-Infested Waters: Why Businesses Need a Bigger Boat for Tackling IaC Security

By Robert Haynes, SCA & Open Source Evangelist, Checkmarx.

  • 2 years ago Posted in

Last year brought with it a digital escalation of epic proportions for organisations across the globe. As a result, many turned to the cloud to maintain business continuity, ensure the security of their information, and afford their teams the flexibility they suddenly required. But, with this transition came new challenges for software developers, one of the biggest of which revolved around the proliferation of infrastructure as code (IaC).

 

Just like Chief Martin Brody in the classic movie Jaws, it’s forced many developers into unchartered waters. They’re taking on a complex beast for the first time, often without proper training or tools in place to do so in a secure manner.

 

And similar to the mounting pressure put upon the rookie seaside cop to quickly restore normality to Amity Island, expectations to build code quickly in this new environment are ever increasing. With IaC prone to issues like misconfigurations or vulnerabilities which may jeopardise a business, what must organisations do to ensure malicious actors (or fierce ocean beasts) don’t take a nasty bite out of them?

 

Tackling the IaC AppSec beast

 

With the multitude of cloud services and configurations, IaC templates can become extremely complex. This means, just like the sea-dwelling predator of Jaws, there’s a lot developers and organisations may not fully understand about the infrastructure they create with IaC, especially when it comes to security. Unfortunately, the security tools used by many today are not designed to understand IaC templates, let alone spot valid but unwise configurations. This leaves any application developed within these flexible environments susceptible to attackers looking to prey on, and exploit any misstep made by developers. As Chief Brody found, fending off such menace isn’t simple, especially with the speed of development across today’s security landscape.

 

When it comes to application security more generally, it’s important to note that when adopting IaC, an organisation’s infrastructure is part of a set configuration of files which need to be scanned as part of the overall code. This is often a tough ask for any security testing solution, and presents one of the biggest obstacles to AppSec – making the connection between code, infrastructure, and configurations.

 

In an effort to combat these challenges and keep the aforementioned actors at bay, it’s vital for businesses to concentrate on cloud-native, and specifically IaC for the purposes of this article, security training for developers. To build a robust security culture however, it takes more than just ‘once in a while’ training, with workers needing ongoing coaching that’s interactive and engaging to truly make a difference.

 

As well as this, organisations should look at allocating additional spend towards software and application security to support the demand of a remote workforce – especially with the rise of the hybrid working model – as well as the more complex software ecosystems they’ve had to implement this past year.

 

And just when you thought it was safe…

 

When it comes to AppSec in the cloud, developing and releasing applications quickly, while maintaining security, is a mindset that, while often talked about, just isn’t being executed effectively. This is corroborated by our recent developer survey which found that one in six (15%) aren’t performing any security testing when building cloud-native applications.

 

Cloud deployment needs to happen fast with as many drops as possible. With this, the current philosophy at many organisations – to get software straight into production and roll back if a bug is found – doesn’t work for security. Yes, it might mean features can be pushed more quickly, but it’s not possible to push code and roll back to fix vulnerabilities without presenting an open goal to cybercriminals looking to infiltrate your system.

 

This mindset is starting to change, and the demand for cloud-based security is increasing the use of IaC. However, this on its own isn’t enough. Just because an organisation is starting to adopt such a mindset doesn’t mean it’s safe to get back in the water. In fact, the tools used for application security which integrate into the tool chain must work far more rapidly, scale to cloud environments and present actionable findings – in a format developers understand – for them to be able to make quick fixes.

 

Reeling in the benefits

 

IaC establishes a methodology with tools and technology for infrastructure configuration and provisioning through code. Offering advantages such as automation and cost-reduction, it’s a no brainer for many organisations. Despite this it is prone to issues including, security vulnerabilities which could jeopardise not just the applications being built, but an entire business. 

 

To see the true advantages of IaC and ensure security vulnerabilities are kept at bay, businesses need to implement the aforementioned developer security training, ensure increased budget spend on AppSec, and completely overhaul their mindsets when it comes to fixing vulnerabilities.

 

Only by doing this can they ensure their IaC security practices are strong enough to prevent even the fiercest of adversaries from pulling them under.

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.