Page 89 - Cyber Defense eMagazine December 2022 Edition
infrastructure, uncaught mistakes can result in hard-to-spot security vulnerabilities. A single misconfiguration in an IaC manifest can impact runtime or network security: for instance, traffic to a resource can be left unrestricted, or data can be mistakenly exposed to the outside world.
Not only that, but static vulnerabilities need to be specifically addressed as well, and hard-coded credentials are the most critical of them. No matter how aware teams are of the importance of not storing plaintext credentials in configuration files, mistakes still happen frequently.
In fact, misconfiguration is one of the top ten vulnerability categories identified by OWASP. It is therefore logical to anticipate potential vulnerabilities by setting up the right guardrails to ship clean code from the start. This responsibility, part quality and part security, should be shared in order to implement a genuine DevSecOps philosophy. Failing to do so could mean a potentially costly security failure is around the corner.
Infrastructure-as-Code responsibility sits at the crossroads of DevOps, AppSec, and CloudOps engineering. Enabling collaboration among these teams from source to deployment is the only way for an organization to shield itself from future threats. Tools are starting to emerge to cater to this new paradigm.
Since IaC has taken automation to new heights, it is evident that automation is part of the answer. Automated scanning for misconfigurations and hard-coded credentials will strengthen organizations' overall security posture. Beyond that, it will also help raise awareness of IaC security best practices and common mistakes.
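As an added illustration (not code from the article or from GitGuardian), here is a minimal line-oriented scanner run over a constructed Terraform manifest that contains each defect named above, beside a hardened version of the same manifest. The check names, regular expressions and sample values are assumptions made for this example; the key values are the placeholders AWS uses in its own documentation.

```python
import re
# Constructed Terraform manifest (example input, not from the article) with the
# defects the text names: world-open ingress, public bucket, hard-coded keys.
# Key values are the placeholders AWS uses in its own documentation.
WEAK_MANIFEST = """\
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_s3_bucket" "exports" {
  acl = "public-read"
}
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
"""
# Same resources hardened: ingress limited to a private range, bucket private,
# provider left to pick up credentials from the environment or an IAM role.
HARDENED_MANIFEST = """\
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
resource "aws_s3_bucket" "exports" {
  acl = "private"
}
provider "aws" {}
"""
# Line-oriented checks so the example needs no HCL parser (a real scanner parses
# the manifest); the AKIA prefix is the public format of AWS access key IDs.
CHECKS = [
    ("OPEN_INGRESS", re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"')),
    ("PUBLIC_BUCKET_ACL", re.compile(r'acl\s*=\s*"public-read(-write)?"')),
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("HARDCODED_SECRET", re.compile(r'secret_key\s*=\s*"[^"]+"')),
]

def scan_manifest(text):
    """Return (line number, finding id) pairs, one per matching line and check."""
    return [(n, fid) for n, line in enumerate(text.splitlines(), 1)
            for fid, pat in CHECKS if pat.search(line)]
```

Run in a pre-commit hook or CI job, a check like this blocks the weak manifest while letting the hardened one through, which is the "guardrail at the source" the article argues for.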
Conclusion
Infrastructure-as-Code is here to stay. The benefits it brings are entirely transforming the software development cycle and opening new doors for automation and innovation. While its advantages have been praised for some time, its associated threats are becoming more apparent. Security needs to fully embrace this new paradigm, centered around the dynamism and ephemerality of the underlying resources offered by the cloud. Bridging the gap between security, operations, and development activities, and leveraging automation to build efficient security solutions, will be essential for organizations to raise the bar for their security posture. The first step in that direction must be to protect their cloud infrastructure at the source code level, as early in the SDLC as possible.
About the Author
Thomas has worked both as an analyst and as a software engineering consultant for various large French companies. His passion for tech and open source led him to join GitGuardian as a technical content writer. He now focuses on clarifying the transformative changes that cybersecurity and software are going through.

Thomas can be reached online on LinkedIn and Twitter, and at our company website https://www.gitguardian.com/
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.