Page 32 - Cyber Defense eMagazine April 2021 Edition
4. Once security tools are organically embedded into the development pipeline, you start to gain visibility into the cloud environment. Essentially, you have put security guardrails around your CI/CD process. You are now in a position to enforce security controls in the CI/CD pipeline with the intent of stopping the pipeline when a security violation is detected. While the inclination might be to enforce the violated rules first in order to prevent the same risk from recurring, doing so would stop the pipeline. Instead, you should work with the developer to mitigate the problem and be part of the solution. Only after the violation has been resolved should you enforce the rule. You should always start with security controls that currently have no violations; this way you don't impact the pipeline. In other words, you want your guardrails to be invisible during the initial implementation. By taking a pragmatic approach to implementing security controls, the IaC security solution has a better chance of gaining acceptance from the developer community.
5. A common critique of security testing tools is that they produce many false positives. According to the ATARC (Advanced Technology Academic Research Center) Federal DevSecOps Landscape survey, too many false positives is the number one frustration with security testing. IaC security tools are no exception. A robust security tool needs to do more than basic key-value analysis. For example, if a tool flags an AWS security group as a potential issue, it should check whether the security group is in use, which subnet(s) it is used in, whether there are firewall rules blocking access, whether there are Internet routes, etc. Essentially, the tool should apply the same logic a human would to determine whether a finding is a real security risk before raising an issue. Without checking these conditions, you would almost certainly experience a lot of unnecessary noise. A noisy security tool can negate your security efforts, so be aware of this pitfall and pick an intelligent tool.
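The following is an added illustration (not code from the article or from Indeni) of points 4 and 5 together: a guardrail that stays in audit mode until it has zero violations, and a security-group check that only raises a finding when the surrounding context shows real exposure. The plan format, class names and sample data are constructed for the example and are not a real Terraform plan.

```python
"""Context-aware IaC guardrail evaluator (constructed example)."""
from dataclasses import dataclass


@dataclass
class SecurityGroup:
    name: str
    ingress_cidrs: list   # CIDRs allowed inbound (constructed field)
    attached_to: list     # instance ids using this group; empty = unused
    subnet: str = ""      # subnet of the attached instances


@dataclass
class Plan:
    security_groups: list
    internet_routed_subnets: set  # subnets whose route table has an IGW route
    nacl_deny_all: set            # subnets whose NACL blocks all inbound traffic


def exposed_groups(plan):
    """Names of groups that are genuinely reachable from the Internet.

    A naive key-value scan would flag every group containing 0.0.0.0/0;
    here each condition the text lists is checked before raising noise.
    """
    hits = []
    for sg in plan.security_groups:
        if "0.0.0.0/0" not in sg.ingress_cidrs:
            continue  # not world-open: nothing to report
        if not sg.attached_to:
            continue  # unused group: noise, not risk
        if sg.subnet not in plan.internet_routed_subnets:
            continue  # no Internet route: not reachable from outside
        if sg.subnet in plan.nacl_deny_all:
            continue  # a network ACL already blocks access
        hits.append(sg.name)
    return hits


def evaluate(plan, mode):
    """mode 'audit' only reports; 'enforce' fails the pipeline on findings."""
    findings = exposed_groups(plan)
    return {"findings": findings, "fail_pipeline": mode == "enforce" and bool(findings)}


def promote_mode(plan, current_mode):
    """Switch a rule from audit to enforce only once it has no violations."""
    if current_mode == "audit" and not exposed_groups(plan):
        return "enforce"
    return current_mode


SAMPLE = Plan(  # constructed sample: one real exposure, two would-be false positives
    security_groups=[
        SecurityGroup("web", ["0.0.0.0/0"], ["i-1"], "public-a"),
        SecurityGroup("unused", ["0.0.0.0/0"], []),
        SecurityGroup("db", ["0.0.0.0/0"], ["i-2"], "private-a"),
    ],
    internet_routed_subnets={"public-a"},
    nacl_deny_all=set(),
)
```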
IaC Security is Essential to Your DevOps Journey
DevOps teams have the opportunity to "shift left" their security processes without sacrificing speed. More importantly, the shift-left security approach is a new paradigm that moves toward a preventive cloud security strategy. By integrating IaC security into the CI/CD pipeline, you can take the appropriate preventive steps to remediate misconfigurations and security risks before they make it into your cloud environment. With IaC security, you can deploy fast while reducing the opportunity for exploitation.
About the Author
Ulrica de Fort-Menares is the Vice President of Product and Strategy at Indeni. Ulrica is responsible for the strategy, partnerships and execution of the Indeni product portfolio. With over 30 years of experience in the high-tech industry, she has held various leadership positions in product management, software development and network engineering. She is the holder of 7 patents in network technologies.
Ulrica can be reached online at https://www.linkedin.com/in/ulrica-de-fort-menares/ and at our company website https://indeni.com/about-indeni/
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.