Cloud-native security software provider Snyk has launched a new tool to help developers find and fix infrastructure-as-code configuration problems.
The new product, known as Snyk Infrastructure as Code (Snyk IaC), joins Snyk Open Source and Snyk Container to provide developers with a comprehensive security tool set for cloud-native environments as they take more responsibility to secure their code, open source dependencies, containers and infrastructure.
With Snyk IaC, developers can find and fix problems in their Kubernetes configuration and Terraform code before they result in production security problems, said Gareth Rushgrove, director of product management at Snyk.
Many developers who write infrastructure as code have a hard time creating secure configurations without manual code reviews and extensive research, Rushgrove said. This often leads to security lapses, he said.
Automating the processes
Snyk IaC helps developers write secure Terraform and Kubernetes configurations by automating code fixes and guidance as they shift left to address security issues early in the development lifecycle.
"As applications are created in this new model using Kubernetes and Terraform, misconfigurations can often leave applications with overprivileged access, enabling attackers to escalate privileges which then provide access to restricted data," said Dave Gruber, an analyst at Enterprise Strategy Group in Milford, Mass.
Developers haven't had to think much about configurations in the past, so it's a common oversight.
"Adding dev-time support that can inspect and identify issues pre-deployment ... has the potential to head off these issues, preventing access to restricted data," Gruber said.
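As an added example (not Snyk's, Accurics' or any other product's code), here is a small pre-deployment checker of the kind the quote above describes. It reads a Kubernetes workload manifest in the JSON form that kubectl also accepts, locates the pod spec for the common workload kinds, and reports the settings that give a container more privilege than it needs, each paired with the change that fixes it. The two manifests, the rule names and the severities are constructed for this example; the checker goes a little beyond the quote by covering Deployments, Jobs and CronJobs as well as bare Pods, and by offering a CI gate on the worst finding.

```python
"""Pre-deployment check for overprivileged Kubernetes workload manifests.

Added example, not Snyk's or Accurics' code. The rule ids, severities and
sample manifests below are constructed for this illustration.
"""
import json

# Key path below "spec" at which each workload kind keeps its pod spec.
POD_SPEC_PATH = {
    "Pod": [],
    "Deployment": ["template", "spec"],
    "StatefulSet": ["template", "spec"],
    "DaemonSet": ["template", "spec"],
    "Job": ["template", "spec"],
    "CronJob": ["jobTemplate", "spec", "template", "spec"],
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: a Pod with the overprivileged settings the article warns about.
OVERPRIVILEGED_POD = """
{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
  "spec": {
    "hostNetwork": true,
    "hostPID": true,
    "containers": [{
      "name": "app", "image": "registry.example/app:latest",
      "securityContext": {"privileged": true, "runAsUser": 0}
    }]
  }
}
"""

# Constructed sample: the same workload as a Deployment with a hardened pod spec.
HARDENED_DEPLOYMENT = """
{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
  "spec": {
    "replicas": 2,
    "selector": {"matchLabels": {"app": "web"}},
    "template": {
      "metadata": {"labels": {"app": "web"}},
      "spec": {
        "automountServiceAccountToken": false,
        "containers": [{
          "name": "app", "image": "registry.example/app:1.4.2",
          "securityContext": {
            "privileged": false, "runAsNonRoot": true, "runAsUser": 10001,
            "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
            "capabilities": {"drop": ["ALL"]}
          }
        }]
      }
    }
  }
}
"""


def pod_spec(manifest):
    """Return the pod spec dict for a supported workload kind, or None."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest.get("spec", {})
    for key in path:
        node = node.get(key, {})
    return node


def scan(manifest_text):
    """Return (rule, severity, location, fix) findings for one JSON manifest."""
    spec = pod_spec(json.loads(manifest_text))
    if spec is None:
        return [("unsupported-kind", "info", "kind", "only workload kinds are checked")]
    findings = []
    # Pod-level flags that expose the node's namespaces to every container.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            findings.append((flag, "high", f"spec.{flag}", f"set {flag}: false"))
    # The service-account token is mounted by default; most pods never need it.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("sa-token-mounted", "low", "spec.automountServiceAccountToken",
                         "set automountServiceAccountToken: false unless the pod calls the API"))
    for field in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(field, [])):
            loc, sc, image = f"{field}[{i}]", c.get("securityContext", {}), c.get("image", "")
            if sc.get("privileged") is True:
                findings.append(("privileged", "critical", f"{loc}.securityContext.privileged",
                                 "remove privileged: true; add only the capabilities needed"))
            # An unset runAsUser falls back to the image default, which is often root.
            if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
                findings.append(("runs-as-root", "medium", f"{loc}.securityContext",
                                 "set runAsNonRoot: true and a non-zero runAsUser"))
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(("privilege-escalation", "medium", f"{loc}.securityContext",
                                 "set allowPrivilegeEscalation: false"))
            if "ALL" not in sc.get("capabilities", {}).get("drop", []):
                findings.append(("capabilities-not-dropped", "low", f"{loc}.securityContext",
                                 "add capabilities.drop: [ALL]"))
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(("writable-root-fs", "low", f"{loc}.securityContext",
                                 "set readOnlyRootFilesystem: true"))
            if ":" not in image or image.endswith(":latest"):
                findings.append(("mutable-image-tag", "low", f"{loc}.image",
                                 "pin the image to a specific tag or digest"))
    return findings


def blocks_deploy(findings, threshold="high"):
    """CI gate: True when any finding is at or above the threshold severity."""
    return any(SEVERITY_RANK[f[1]] >= SEVERITY_RANK[threshold] for f in findings)


if __name__ == "__main__":
    for name, text in (("overprivileged pod", OVERPRIVILEGED_POD),
                       ("hardened deployment", HARDENED_DEPLOYMENT)):
        found = scan(text)
        print(f"{name}: {len(found)} finding(s), blocks deploy: {blocks_deploy(found)}")
        for rule, sev, loc, fix in found:
            print(f"  [{sev}] {rule} at {loc}: {fix}")
```

Run as a script it prints the findings for both manifests; wired into a pipeline, `blocks_deploy` is the point at which an overprivileged manifest is stopped before it reaches a cluster. Each finding carries its fix so the developer sees the correction in the same place as the problem, which is the "dev-time support" Gruber describes.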
Gruber noted that his research showed that 85% of organizations have unwittingly pushed code to production with known vulnerabilities because they caught security problems too late in the software lifecycle.
Moreover, a recent Gartner report notes that by 2025, 70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated.
"Verifying the configuration of policies in Terraform before deployment is a best practice and a great add to Snyk," said Brendan Hannigan, CEO of New York City-based software vendor Sonrai Security, which uses Snyk. "Of course, enterprises also have to verify configuration as part of end-to-end testing and in production to prevent runtime-related interactions."
In addition, to be as safe as possible, organizations should also conduct unit tests and static code analysis to help reduce and eliminate the chances of simple mistakes and misconfigurations making their way into the pipeline and thus into production.
"However, users must also take steps to ensure that systems spin up securely and maintain their secure state throughout their lifecycle and alert users to any change in the production security status," said Galen Emery, lead compliance & security architect at Chef.
Good fit for developers
Snyk IaC fits directly in the developer's workflow and not only suggests code fixes, but also highlights issues in configuration code that need to be addressed so insecure Terraform and Kubernetes configurations never reach production code.
Snyk Infrastructure as Code is available to both free users of Snyk and as a paid add-on to Snyk Open Source and Snyk Container with additional features for teams and larger organizations, the company said. Pricing for Snyk ranges from free to the Standard plan, which starts at $417 a month for up to 10 users, to the Pro plan, which starts at $1,999 a month for up to 50 users.
IaC analysis is to some degree a maturation and evolution of the realm of static code analysis, and fits in the same operational space as DevOps workflows get more common, said Dave Shackleford, founder of the Voodoo Security consultancy in Roswell, Ga.
"This is an area that's been a bit of a gap for cloud architecture and controls deployments, where a single mistake or misconfiguration in IaC templates could easily open the door to vulnerable attack surface," he said. "I would expect more vendors in this and related spaces to follow suit."
Accurics upgrades Terrascan
Meanwhile, cloud-native security software vendor Accurics delivered an upgrade to its Terrascan open source static code analyzer that enables developers to build secure infrastructure as code. The new release helps to secure Terraform templates and also supports Kubernetes, service mesh and serverless.
Accurics made the announcement during KubeCon + CloudNativeCon Europe 2020 Virtual.
"I kept thinking about the problem we had where developers relied on security experts to help them secure their infrastructure as code (IaC)," said Cesar Rodriguez, head of developer advocacy at Accurics, in a blog post describing how he developed Terrascan. "I thought that there should be a way to automatically scan IaC similar to what we were doing for application code (e.g. Java, Python, C#, etc.), where we had static code analysis tools to give developers immediate feedback on security risks."