Page 31 - Cyber Defense eMagazine April 2021 Edition

Modernize your Security Programs with Shift Left IaC Security
          The software development process has been shifting left to deliver software faster and with
          improved quality. The same should be done for infrastructure through IaC security testing. By
          starting security testing early in the delivery pipeline, teams have more time to address the findings
          before pushing code into production.


          Modern security programs should be fully automated and integrated into the DevOps pipeline. Full
          automation means that developers don't need to get in line for security reviews. Instead, IaC
          templates are evaluated automatically for security impact every time an infrastructure change or a new
          resource is about to be deployed, and developers are alerted to the infrastructure security issues that
          need correction. Essentially, it's like putting guardrails in place to protect organizations from security
          risks in the cloud. Because a risk is flagged at the moment it is introduced, it can be remediated
          immediately, allowing developers to keep moving fast. You can think of the shift left security approach
          as testing IaC continuously and preventing insecure infrastructure from being deployed.
          Best Practices for IaC Security
          While it makes sense to integrate security controls at the beginning of the production pipeline,
          getting the developer community to adopt DevOps security requires more than just the right IaC security
          tools. Remember that developers are under relentless pressure to meet aggressive deadlines, so any
          potential speed bump is seen as a threat.


          Top five best practices for IaC security:

          1. Do not expect developers to step outside their normal workflows. Instead, integrate your IaC security
          solution with the developers' workflows. Ideally, you want to bring IaC security into the tools that developers
          want to use and are already familiar with: Jenkins, GitLab, CircleCI, GitHub, JIRA, Slack, etc. A
          developer-centric security tool has a much better chance of being adopted by developers.

          2.     Far too often security programs focus on the technology. Let's not forget that a successful DevOps
          transformation needs to bring people, process and technology together. On the people front, you want to
          empathize with the developer side in order to strike a balance between the
          developer and the security side of the house. Have a partner on the developer side to make joint
          decisions and reflect back on them. It is also important to establish common goals between
          developers and security teams, and these shared goals must come from senior management. For
          example, when the production pipeline is halted, the security team must be part of the solution,
          working alongside the developers to resolve the security issues.

          3.     When you are ready to integrate your IaC security tool into the CI/CD pipeline, be sure the tool starts
          in a learning (audit-only) mode. That means the tool reports findings but cannot stop the pipeline just yet.
          The last thing you want is the tool blocking the CI/CD pipeline the moment it is implemented, negatively
          impacting the developers.
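          To make the guardrail idea concrete, here is an added example (not code from the article or from any
          particular vendor's product) of a minimal IaC policy check that a CI job could run on every change: it
          evaluates a Terraform JSON-syntax template against three assumed policies (public S3 bucket ACL,
          administrative ports open to the world, unencrypted RDS storage) and decides the pipeline's exit code
          according to a mode switch, so that the same job can start in the non-blocking learning mode described in
          practice 3 and later be flipped to enforcing. The resource shapes, rule names and the sample template are
          constructed for illustration; real scanners ship far richer rule sets.

```python
"""Minimal IaC guardrail: evaluate Terraform JSON-syntax resources against a
few policies and choose whether to block the pipeline.

Added illustration, not the article's or any product's code. The policies,
resource attribute names and the audit/enforce switch are assumptions.
"""
import json
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str  # "HIGH" or "MEDIUM"
    message: str


def _resources(template: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (type, name, attrs) from {"resource": {type: {name: attrs}}}."""
    for rtype, named in template.get("resource", {}).items():
        for name, attrs in named.items():
            yield rtype, name, attrs


def _ingress_rules(attrs: dict) -> list:
    ingress = attrs.get("ingress", [])
    return ingress if isinstance(ingress, list) else [ingress]


def check_s3_public_acl(rtype, name, attrs):
    # Assumed policy: any ACL starting with "public" exposes bucket contents.
    if rtype == "aws_s3_bucket" and str(attrs.get("acl", "private")).startswith("public"):
        yield Finding("S3_PUBLIC_ACL", f"{rtype}.{name}", "HIGH",
                      f"bucket ACL is {attrs['acl']!r}; use 'private'")


def check_sg_admin_ports_world_open(rtype, name, attrs):
    # Assumed policy: SSH (22) or RDP (3389), or all ports, reachable from 0.0.0.0/0.
    if rtype != "aws_security_group":
        return
    for rule in _ingress_rules(attrs):
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        world_open = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        all_ports = lo == 0 and hi == 0
        if world_open and (all_ports or lo <= 22 <= hi or lo <= 3389 <= hi):
            yield Finding("SG_ADMIN_PORT_WORLD_OPEN", f"{rtype}.{name}", "HIGH",
                          f"ports {lo}-{hi} open to 0.0.0.0/0")


def check_rds_unencrypted(rtype, name, attrs):
    # Assumed policy: database storage must be encrypted at rest.
    if rtype == "aws_db_instance" and not attrs.get("storage_encrypted", False):
        yield Finding("RDS_UNENCRYPTED", f"{rtype}.{name}", "MEDIUM",
                      "storage_encrypted is not true")


POLICIES = (check_s3_public_acl, check_sg_admin_ports_world_open, check_rds_unencrypted)


def scan(template: dict) -> List[Finding]:
    """Run every policy over every resource and collect the findings."""
    findings: List[Finding] = []
    for rtype, name, attrs in _resources(template):
        for policy in POLICIES:
            findings.extend(policy(rtype, name, attrs))
    return findings


def exit_code(findings: List[Finding], mode: str) -> int:
    """'audit' (learning mode) never blocks; 'enforce' blocks on any HIGH finding.
    Findings are reported to the developer in both modes."""
    if mode == "audit":
        return 0
    if mode == "enforce":
        return 1 if any(f.severity == "HIGH" for f in findings) else 0
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample template (Terraform JSON syntax); not a real deployment.
SAMPLE_TEMPLATE = {
    "resource": {
        "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
        "aws_security_group": {"bastion": {"ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        ]}},
        "aws_db_instance": {"app": {"engine": "postgres", "storage_encrypted": False}},
    }
}


def main(argv: List[str]) -> int:
    """Usage: iac_guardrail.py [audit|enforce] [template.tf.json]"""
    mode = argv[1] if len(argv) > 1 else "audit"
    if len(argv) > 2:
        with open(argv[2]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = scan(template)
    for f in findings:
        print(f"[{f.severity}] {f.rule} {f.resource}: {f.message}")
    code = exit_code(findings, mode)
    print(f"mode={mode} findings={len(findings)} exit={code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

          Run with `audit` while the team learns which rules fire on their real templates, then switch the CI step to
          `enforce` once the noisy or disputed rules have been tuned; the findings themselves are printed either way,
          which is what keeps developers informed without halting the pipeline on day one.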

                   Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.