Introducing IaC Security from Black Duck
The news is just in, and it’s big: Black Duck now offers IaC scanning functionality. With no additional licenses required, this capability is available immediately for all existing Black Duck customers. Let’s dig into exactly what this means for you, how it helps your existing security efforts, and what you can expect in the months to come.
IaC has moved away from infrastructure and security experts
What drove our development of IaC scanning capabilities? The shift to the developer…
At its core, IaC continues to simplify the provisioning and management of infrastructure for cloud environments. Infrastructure can be provisioned in scalable and reproducible ways across deployments, and while this improves overall usability and functionality, scalability demands have also pushed infrastructure deployment “left,” to the developer.
This in itself is not a problem, but shifting responsibility to development teams does introduce complications for security.
IaC security used to be the job of IT and ops teams, who were at least semi-versed in security and best practices. As the development and release velocity of cloud-native applications increases, though, provisioning and configuration activities have naturally fallen upon developers. The security problem here is twofold: first, this shift increases the likelihood that complex security weaknesses are introduced which developers are not equipped to handle, and second, developers are rarely security experts. Lack of experience and lack of bandwidth mean that security does not receive the attention and expertise it requires.
Using your SCA pipeline integration to inject IaC security scans
What value does leveraging the IaC capabilities within your existing SCA solution provide?
IaC spans the gap between traditional code and infrastructure/deployment configurations. But the shift to using IaC to configure, manage, and deploy applications has introduced a new genre of risk—misconfiguration or poor security controls in IaC.
These issues are not detectable by traditional SCA approaches since security threats within IaC are not typically known or previously disclosed vulnerabilities. But Black Duck’s new capability stems from the realization that the SCA tools already running inside many organizations’ build and deployment pipelines are ideal candidates to expand existing scanning capabilities to include IaC coverage. In simple terms, we added IaC scanning capabilities to existing SCA scans, meaning they can go anywhere SCA scans go.
IaC scans can be run within Black Duck effortlessly and catch issues earlier and in more places in the application development life cycle. Black Duck SCA scans can be enabled in virtually any part of the development pipeline, making them an ideal candidate to also run IaC scans. Since IaC issues are typically of high criticality, identifying them as early as possible in development pipelines is critical to avoiding issues later down the line (e.g., in production). Our new IaC scanning capability enables development and DevOps teams to rapidly identify these non-CVE security issues from within Black Duck, with no real expertise needed.
The Black Duck IaC scanning process
What do the nuts and bolts look like?
Black Duck IaC scans can be run anywhere a Black Duck scan is executed and are enabled with the addition of a simple parameter. This gives users control over when and where IaC scans take place. By initiating scans and consuming results from both the command line and the Black Duck UI, development teams and security teams alike can use them from their existing workflow.
Black Duck also supports all the popular IaC platforms and file formats:
- Terraform, AWS CloudFormation, Kubernetes, Helm, and others
- JSON, YAML, HCL, and others
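To make concrete what a "non-CVE" IaC finding looks like, here is a small rule-based check of the kind an IaC scanner applies to the formats listed above. This is an added illustration written for this post, not Black Duck's scanner or its rules; the CloudFormation template and Kubernetes manifest it inspects are constructed samples (expressed in JSON so the script needs only the standard library).

```python
"""Minimal rule-based IaC misconfiguration check (illustrative, stdlib only).

Unlike SCA, nothing here is looked up in a vulnerability database: each finding
is a policy rule evaluated against the declared configuration.
"""
import json

# Constructed CloudFormation template (JSON form) with two weak settings.
CFN_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"AccessControl": "PublicRead"}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "CidrIp": "0.0.0.0/0"}]}},
    }
})

# Constructed Kubernetes Pod manifest (JSON form) with a privileged container.
K8S_MANIFEST = json.dumps({
    "kind": "Pod", "metadata": {"name": "build-agent"},
    "spec": {"containers": [{"name": "agent", "image": "agent:1.0",
                             "securityContext": {"privileged": True}}]},
})


def scan_cloudformation(text):
    """Return (resource name, finding) pairs for weak settings in a template."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket" and \
                props.get("AccessControl", "Private").startswith("Public"):
            findings.append((name, "S3 bucket ACL grants public access"))
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0":
                    findings.append((name, "ingress from 0.0.0.0/0 on port %s"
                                     % rule.get("FromPort")))
    return findings


def scan_kubernetes(text):
    """Return (container name, finding) pairs for privileged containers."""
    doc = json.loads(text)
    return [(c["name"], "container runs privileged")
            for c in doc.get("spec", {}).get("containers", [])
            if c.get("securityContext", {}).get("privileged")]


if __name__ == "__main__":
    for f in scan_cloudformation(CFN_TEMPLATE) + scan_kubernetes(K8S_MANIFEST):
        print("%s: %s" % f)
```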
Figure 1: IaC issues discovered by Black Duck
Black Duck IaC scanning allows Black Duck to detect additional types of security issues. In the future, we will expand this to support improved detection of container security issues and API misuse of cloud providers such as AWS, GCP, etc.
This post was originally published in https://www.synopsys.com/blogs/software-security/black-duck-iac/