Page 31 - Cyber Defense eMagazine April 2021 Edition
Modernize your Security Programs with Shift Left IaC Security
The software development process has been shifting left to deliver software faster and with
improved quality. The same should be done for infrastructure with IaC security testing. By
starting security testing early in the delivery pipeline, teams have more time to address issues before pushing
code into production.
Modern security programs should be fully automated and integrated into the DevOps pipeline. Full automation
means that developers don't need to wait in line for security reviews. Instead, IaC
templates are automatically evaluated for security impact every time an infrastructure change or a new
resource is about to be deployed, and developers are alerted to the infrastructure security issues that need
correction. Essentially, it puts guardrails in place to protect organizations from security risks in the cloud:
a misconfiguration can be remediated at the moment it is introduced, which lets developers keep moving fast.
You can think of the shift left security approach as testing IaC continuously and preventing insecure
infrastructure from being deployed.
Best Practices for IaC Security
While it makes sense to integrate security controls at the beginning of the production pipeline,
getting the developer community to adopt DevOps security requires more than just the right IaC security
tools. Remember that developers are under relentless pressure to meet tight deadlines, so any potential
speed bump is seen as a threat.
Top five best practices for IaC security:
1. Do not expect developers to step outside their normal workflows. Instead, integrate your IaC security
solution into the developers' workflows. Ideally, you want to bring IaC security into the tools that developers
want to use and are already familiar with: Jenkins, GitLab, CircleCI, GitHub, JIRA, Slack, etc. A
developer-centric security tool has a far better chance of being adopted by developers.
2. Far too often security programs focus only on the technology. Let's not forget that a successful DevOps
transformation needs to bring people, process and technology together. On the people front, you want to
empathize with the developer side in order to strike a balance between the
developer and the security side of the house. Have a partner on the developer side to make joint
decisions and review them together afterwards. It is also important to establish common goals between
developers and security teams, and these shared goals must come from senior management. For
example, when the production pipeline is halted, the security team must be part of the solution,
working alongside the developers to resolve the security issues.
3. When you are ready to integrate your IaC security tool into the CI/CD pipeline, be sure it starts in a learning
(audit-only) mode: the tool reports findings but cannot stop the pipeline just yet. The last thing you want is the
tool stopping the CI/CD pipeline the moment it is implemented, negatively impacting the developers.
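The following is an added example, not code from the article or from any vendor's product, showing what the automated IaC evaluation described above and the learning mode of practice 3 look like in a pipeline step. It is a minimal policy scanner over a Terraform plan: the input is constructed sample data whose shape is assumed to follow the `planned_values` section of `terraform show -json` output, the three rules (public S3 ACL, admin port open to the world, unencrypted RDS storage) are illustrative, and `pipeline_exit_code` is a hypothetical helper that decides whether the job fails.

```python
"""Minimal IaC policy scanner with a learning (non-blocking) mode.

Illustrative example only; not any vendor's tool. The input mirrors the
`planned_values` shape of `terraform show -json` (an assumption about the
format), and SAMPLE_PLAN below is constructed test data.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: what a CI job would read from `terraform show -json tfplan`.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-logs", "acl": "public-read"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"publicly_accessible": False, "storage_encrypted": False}},
    ]}}
})


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "HIGH" or "MEDIUM"
    address: str    # Terraform resource address, so the alert names the template owner
    message: str


def _resources(plan_json: str) -> list:
    plan = json.loads(plan_json)
    # Root module only; resources in child modules live under "child_modules" (ignored here).
    return plan.get("planned_values", {}).get("root_module", {}).get("resources", [])


def check_public_bucket(res: dict) -> Optional[Finding]:
    acl = res["values"].get("acl")
    if res["type"] == "aws_s3_bucket" and acl in ("public-read", "public-read-write"):
        return Finding("S3_PUBLIC_ACL", "HIGH", res["address"], f"bucket ACL is {acl}")
    return None


def check_open_admin_ports(res: dict) -> Optional[Finding]:
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        world = any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
        # protocol "-1" means all traffic in AWS, regardless of the port fields
        all_ports = rule.get("protocol") == "-1"
        admin = any(rule["from_port"] <= p <= rule["to_port"] for p in (22, 3389))
        if world and (all_ports or admin):
            return Finding("SG_ADMIN_PORT_OPEN_TO_WORLD", "HIGH", res["address"],
                           f"ports {rule['from_port']}-{rule['to_port']} open to the internet")
    return None


def check_unencrypted_db(res: dict) -> Optional[Finding]:
    if res["type"] == "aws_db_instance" and not res["values"].get("storage_encrypted", False):
        return Finding("RDS_UNENCRYPTED", "MEDIUM", res["address"], "storage_encrypted is false")
    return None


RULES = [check_public_bucket, check_open_admin_ports, check_unencrypted_db]


def scan(plan_json: str) -> List[Finding]:
    """Run every rule over every planned resource; return all findings."""
    findings = []
    for res in _resources(plan_json):
        for rule in RULES:
            f = rule(res)
            if f is not None:
                findings.append(f)
    return findings


def pipeline_exit_code(findings: List[Finding], enforce: bool, fail_on=("HIGH",)) -> int:
    """Learning mode (enforce=False): report everything, never fail the job.
    Enforce mode: fail the job when any finding has a blocking severity."""
    if not enforce:
        return 0
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    import sys
    results = scan(SAMPLE_PLAN)
    for f in results:
        print(f"{f.severity:6} {f.rule:28} {f.address}: {f.message}")
    # Roll-out phase 1: learning mode. Flip enforce=True once the backlog is cleared.
    sys.exit(pipeline_exit_code(results, enforce=False))
```

Run the script as a CI step on the plan JSON; in learning mode it posts the three findings to the job log (and from there to Slack or JIRA) without failing the build. Once developers have worked through the backlog, switch `enforce=True` so that HIGH findings block the merge while MEDIUM ones continue to be reported only.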
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.