Page 32 - Cyber Defense eMagazine April 2021 Edition

4. Once security tools are organically embedded into the development pipeline, you start to gain visibility into the cloud environment. Essentially, you have put security guardrails around your CI/CD process. You are now in a position to enforce security controls in the CI/CD pipeline, with the intent of stopping the pipeline when a security violation is detected. While the inclination might be to enforce the violated rules first in order to prevent the same risk from recurring, doing so would stop the pipeline. Instead, you should work with the developer to mitigate the problem and be part of the solution. Only after the violation has been resolved should you enforce the rule. You should always start with security controls that have no existing violations; this way you don’t impact the pipeline. In other words, you want your guardrails to be invisible during the initial implementation. By taking a pragmatic approach to implementing security controls, the IaC security solution has a better chance of gaining acceptance from the developer community.

5. A common critique of security testing tools is that they produce many false positives. According to the ATARC (Advanced Technology Academic Research Center) Federal DevSecOps Landscape survey, too many false positives is the number one frustration with security testing. IaC security tools are no exception. A robust security tool needs to do more than basic key-value analysis. For example, if a tool is flagging an AWS security group as a potential issue, it should check whether the security group is in use, which subnet(s) it is used in, whether there are firewall rules blocking access, whether there are Internet routes, and so on. Essentially, the tool should employ the same logic a human would to determine whether it is a real security risk before raising an issue. Without checking these conditions, you would almost certainly experience a lot of unnecessary noise. A noisy security tool can negate your security efforts, so be aware of this pitfall and pick an intelligent tool.
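To make points 4 and 5 concrete, here is an added Python example (not code from the article or from Indeni's product) that scans a simplified plan model for security groups open to the world, suppresses the findings a human reviewer would dismiss (unused group, no Internet route, port already denied by a network ACL), and fails the pipeline only for check ids that have been explicitly enforced, reporting everything else as advisory. The Plan structure, the SG_OPEN_<port> check ids and the sample plan data are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Plan:  # constructed, simplified view of what an IaC plan declares
    security_groups: dict  # sg name -> list of ingress rules {"port", "cidr"}
    attachments: dict      # sg name -> resources that reference the group
    sg_subnet: dict        # sg name -> subnet the attached resources live in
    subnet_routes: dict    # subnet name -> route targets (e.g. "igw-...")
    nacl_deny_ports: dict  # subnet name -> ports a network ACL denies inbound

def world_open(rule):
    return ip_network(rule["cidr"]).prefixlen == 0   # 0.0.0.0/0 or ::/0

def naive_findings(plan):  # key-value scan: every world-open rule, no context
    return [(sg, f"SG_OPEN_{r['port']}") for sg, rules in plan.security_groups.items()
            for r in rules if world_open(r)]

def exposed_rules(plan, sg):
    """The checks a human reviewer makes before raising a finding: the group
    is in use, its subnet routes to an Internet gateway, no NACL blocks the port."""
    if not plan.attachments.get(sg):
        return []
    subnet = plan.sg_subnet.get(sg)
    if not any(t.startswith("igw-") for t in plan.subnet_routes.get(subnet, [])):
        return []
    denied = plan.nacl_deny_ports.get(subnet, set())
    return [r for r in plan.security_groups[sg] if world_open(r) and r["port"] not in denied]

def evaluate(plan, enforced):
    """Return (blocking, advisory); only check ids in `enforced` stop the pipeline."""
    blocking, advisory = [], []
    for sg in plan.security_groups:
        for r in exposed_rules(plan, sg):
            check_id = f"SG_OPEN_{r['port']}"
            (blocking if check_id in enforced else advisory).append((sg, check_id))
    return blocking, advisory

SAMPLE_PLAN = Plan(  # constructed sample data
    security_groups={
        "web-sg": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}],
        "mgmt-sg": [{"port": 3389, "cidr": "0.0.0.0/0"}],   # NACL already denies 3389
        "stale-sg": [{"port": 22, "cidr": "0.0.0.0/0"}],    # defined but never attached
        "db-sg": [{"port": 3306, "cidr": "0.0.0.0/0"}],     # private subnet, no IGW route
    },
    attachments={"web-sg": ["i-web1"], "mgmt-sg": ["i-bastion"], "db-sg": ["i-db1"]},
    sg_subnet={"web-sg": "public", "mgmt-sg": "public", "stale-sg": "public", "db-sg": "private"},
    subnet_routes={"public": ["local", "igw-0abc"], "private": ["local", "nat-0def"]},
    nacl_deny_ports={"public": {3389}},
)
```

On the sample plan the naive scan raises five findings, the contextual evaluation two, and with only SG_OPEN_22 enforced just one of those stops the pipeline.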
IaC Security is Essential to Your DevOps Journey

DevOps teams have the opportunity to “shift left” their security processes without sacrificing speed. More importantly, the shift-left security approach is a new paradigm that moves toward a preventive cloud security strategy. By integrating IaC security into the CI/CD pipeline, you can take the appropriate preventive steps to remediate misconfigurations and security risks before they make it into your cloud environment. With IaC security, you can deploy fast while reducing the opportunity for exploitation.

About the Author

Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni. Ulrica is responsible for the strategy, partnerships and execution of the Indeni product portfolio. With over 30 years of experience in the high-tech industry, she has held various leadership positions in product management, software development and network engineering. She is the holder of 7 patents in network technologies.

Ulrica can be reached online at https://www.linkedin.com/in/ulrica-de-fort-menares/ and at our company website https://indeni.com/about-indeni/
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.