Tackling IaC security can help businesses avoid the jaws of defeat, says Robert Haynes, SCA & Open Source Evangelist, at app security testing company Checkmarx.
The last 18 months plunged businesses across the globe into a digital escalation on a scale never before seen. To keep up with the pace of change, many looked to the cloud in a bid to maintain business continuity, ensure information security, and give employees and teams the flexibility they suddenly required. With this transition, however, came new challenges for software developers, namely the proliferation of infrastructure as code (IaC).
As a result, developers have found themselves in uncharted waters, much like Chief Martin Brody in the 1975 Spielberg classic, Jaws. IaC is a complex beast, and many are taking it on without the training or tools to do so securely.
There’s now mounting pressure on developers to build code quickly in this new environment, similar to the expectations faced by the seaside cop to quickly restore normality to Amity Island. The question is, with IaC templates as prone to misconfiguration (an overly permissive firewall rule, a publicly readable storage bucket) as application code is to vulnerabilities, what do organisations need to do to ensure malicious threat actors (the deadly ocean beasts in this story) don’t take a bite out of them?
The AppSec beast
With the multitude of cloud services and configuration options, IaC templates can become extremely complex. Much as the residents of Amity never quite grasped what was lurking beneath them, many developers and organisations do not fully understand the infrastructure they create with IaC, especially its security properties. Unfortunately, the security tools many use today are not designed to parse IaC templates at all, let alone spot configurations that are valid but unwise: a template can pass every syntax check and still expose an admin port or a storage bucket to the internet. This leaves any application deployed onto that infrastructure open to attackers looking to exploit a developer’s misstep. As Chief Brody found, fending off such a menace isn’t simple, especially at the speed of development in today’s landscape.
When it comes to application security more generally, it’s important to note that when an organisation adopts IaC, its infrastructure is defined in a set of configuration files, and those files need to be scanned as part of the overall code base. This is often a tough ask for a security testing solution, and it presents one of the biggest obstacles in AppSec: making the connection between code, infrastructure and configuration.
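To make the two points above concrete, the "valid but unwise" configuration and the need to scan infrastructure files alongside application code, here is a minimal IaC scanner written as an added example for this article. It is not Checkmarx’s tooling or any code from the original piece. It reads a CloudFormation JSON template and flags two classic misconfigurations: a security group that admits the whole internet to an admin port, and an S3 bucket with a public canned ACL. The two templates, the resource names (AdminSg, LogsBucket), the rule identifiers and the 10.0.0.0/8 "VPN range" are all constructed for the illustration; the CloudFormation resource types, property names and canned ACL values are the real ones.

```python
# Added example (not Checkmarx's scanner): a minimal misconfiguration checker for
# CloudFormation JSON. Templates, resource names and rule IDs are constructed here.
import json
from typing import Any, Dict, List

# Valid template that deploys fine and passes a generic linter, yet it opens SSH to
# the whole internet and makes a bucket world-readable.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
}})

# Same resources with the unwise settings corrected. 10.0.0.0/8 stands in for a
# VPN/bastion range (an assumption for the example, not a recommendation).
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "10.0.0.0/8"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
}})

ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "every source" in IPv4 and IPv6


def _exposes_admin_port(rule: Dict[str, Any]) -> bool:
    """True if an ingress rule admits the whole internet to SSH/RDP (or to everything)."""
    if rule.get("CidrIp") not in ANYWHERE and rule.get("CidrIpv6") not in ANYWHERE:
        return False
    if str(rule.get("IpProtocol")) == "-1":   # -1 means all protocols and all ports
        return True
    try:
        lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False                          # no usable port range; CloudFormation rejects such rules
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_security_group(name: str, props: Dict[str, Any]) -> List[Dict[str, str]]:
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if _exposes_admin_port(rule):
            src = rule.get("CidrIp") or rule.get("CidrIpv6")
            findings.append({
                "resource": name, "rule": "SG_ADMIN_PORT_OPEN_TO_WORLD",
                "message": f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')} "
                           f"allowed from {src}",
                "fix": "restrict CidrIp to a bastion/VPN range, or drop the rule in favour of SSM Session Manager"})
    return findings


def check_s3_bucket(name: str, props: Dict[str, Any]) -> List[Dict[str, str]]:
    acl = str(props.get("AccessControl", "Private"))
    if acl.startswith("Public"):              # PublicRead / PublicReadWrite canned ACLs
        return [{"resource": name, "rule": "S3_PUBLIC_ACL", "message": f"bucket ACL is {acl}",
                 "fix": "set AccessControl to Private and add a PublicAccessBlockConfiguration"}]
    return []


# One check per resource type the scanner understands; extend by adding entries.
CHECKS = {"AWS::EC2::SecurityGroup": check_security_group, "AWS::S3::Bucket": check_s3_bucket}


def scan_template(template_json: str) -> List[Dict[str, str]]:
    """Walk every resource in the template and run the check registered for its type."""
    findings: List[Dict[str, str]] = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def format_findings(findings: List[Dict[str, str]]) -> str:
    """One line per finding: resource, rule, what is wrong and the fix. This is the shape
    a developer can act on without reading a separate security report."""
    return "\n".join(f"{f['resource']} [{f['rule']}]: {f['message']}; fix: {f['fix']}"
                     for f in findings)


if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        found = scan_template(template)
        print(f"{label}: {len(found)} finding(s)")
        if found:
            print(format_findings(found))
```

Run against the weak template it reports two findings, one per resource, each naming the resource, the rule and the concrete fix; the hardened template comes back clean. Wired into a pipeline as a pre-deployment gate that fails on any finding, this is the "scan the configuration files as part of the overall code" step the paragraph describes. The two rules are deliberately narrow; a production IaC scanner carries hundreds of them across Terraform, CloudFormation, Kubernetes manifests and similar formats.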
To combat these challenges and keep the aforementioned actors at bay, it’s vital for businesses to invest in cloud-native security training for developers, and specifically, for the purposes of this article, training in IaC security. Building a robust security culture takes more than ‘once in a while’ training, however; developers need ongoing coaching that’s interactive and engaging to truly make a difference.
As well as this, organisations should look at allocating additional spend to software and application security, to support the demands of a remote workforce (especially with the rise of the hybrid working model) and the more complex software ecosystems they’ve had to implement this past year.
Don’t fall hook, line and sinker
When it comes to AppSec in the cloud, developing and releasing applications quickly while maintaining security is a mindset that, while often talked about, just isn’t being executed effectively. This is corroborated by our recent developer survey, which found that one in six (15pc) aren’t performing any security testing when building cloud-native applications.
Cloud deployment is expected to happen fast, with as many releases as possible. With this, the current philosophy at many organisations, getting software straight into production and rolling back if a bug is found, doesn’t work for security. Yes, it might mean features can be pushed more quickly, but a vulnerability that reaches production is exploitable from the moment it lands until the roll-back completes, which presents an open goal to cybercriminals looking to infiltrate your system. The check has to happen before deployment, not after.
This mindset is starting to change, and demand for cloud-native security is growing alongside the use of IaC. However, this on its own isn’t enough. Just because an organisation is starting to adopt such a mindset doesn’t mean it’s safe to get back in the water. The application security tools that integrate into the tool chain must work far more rapidly, scale to cloud environments and present actionable findings, in a format developers understand, so that they can make quick fixes.
Getting back in the water
IaC establishes a methodology, with tools and technology, for configuring and provisioning infrastructure through code. It is a no-brainer for most organisations given the advantages it offers, including automation and cost reduction. That said, a single insecure template is deployed again and again, so IaC’s tendency towards security weaknesses can put entire businesses in jeopardy should they fail to protect themselves.
For those looking to get back in the water and keep IaC security vulnerabilities at bay, it’s vital to implement security training, increase spend on AppSec and overhaul outdated security mindsets within the business. Those who don’t could easily fall prey to some of the fiercest adversaries, and lose more than just an arm or a leg.