Getting Better at Security, Code Quality and Leveraging Infrastructure as Code with Rosemary Wang
Bridging technical and cultural barriers between infrastructure, security and application development is far from simple. It’s no secret that companies must ensure their infrastructure is deployed securely and that the code used to deploy the infrastructure is free from vulnerabilities.
Preceding her talk at GOTO Chicago in May, Rosemary Wang, developer advocate at HashiCorp and author of 'Infrastructure as Code, Patterns and Practices' talked with us for a short chat about her view on shifting left vs shifting right, pros and cons of a policy-as-code approach, how infrastructure as code can help developers speed up the delivery of software applications and potential security challenges that must be addressed. More often than not, developers are unaware of what they’re deploying and whether the configuration is correct. Reminiscing her own mistakes, Rosemary said that the first time she deployed a database, she didn't know she was supposed to turn on a little attribute that said encrypt. It all starts by automating infrastructure by applying changes in a codified manner.
Why security matters
Infrastructure security is critical to the success of any software application or service. With Infrastructure as Code (IaC), you can automate and audit the deployment of your infrastructure, which ensures that your infrastructure configuration is consistent. However, it is essential to ensure the code defining the infrastructure adheres to security and compliance practices. Any misconfigurations in the code can lead to vulnerabilities in your infrastructure, which opens the possibility for security breaches and data loss.
Compliance: Many organizations have compliance requirements that must be met when deploying infrastructure. These requirements can include regulations such as HIPAA or PCI-DSS. With IaC, you can automate the deployment of compliant infrastructure. However, you must ensure that the code deploying the infrastructure captures and enforces compliance requirements. Failure to comply with regulations can result in hefty fines and legal consequences.
Scalability: One of the benefits of IaC is that it enables you to scale your infrastructure up or down easily. However, as you scale your infrastructure, you must ensure that it remains secure. The code used to deploy the infrastructure must be scalable and secure to ensure that your infrastructure can handle the increased workload.
Collaboration: With IaC, multiple teams can work together to deploy and manage infrastructure. Collaboration is critical to the success of any software application or service. However, it is essential that infrastructure as code captures security and compliance requirements for everyone's knowledge. Anyone who makes changes to infrastructure can do so safely and securely.
To ensure that your IaC is secure, you must follow security best practices.
Secure coding: Ensure that your code is free from vulnerabilities. Follow secure coding practices and use tools to scan your code for vulnerabilities.
Least privilege: Grant access to your infrastructure on a need-to-know basis. Ensure that your infrastructure is only accessible to those who need it.
Encryption: Ensure that your data is encrypted both in transit and at rest.
Version control: Use version control to track changes to your code. This can help you identify any unauthorized changes to your code.
Testing: Test your infrastructure thoroughly before deploying it. This can help you identify any vulnerabilities or misconfigurations in your infrastructure.
Shifting left or right?
The industry has been divided about testing before production or after. There are things that you have to capture on the left side right before things go to production that you know are probably not great for your environment. However, you also need a shift right approach or a dynamic analysis of your infrastructure system. You can't have one without the other.
The best way to ensure that your system is secure is that you monitor the known vulnerabilities as well as unknown unknowns. Which means, test not just for things that you know are not secure but also for things that might come up in your environment later. The idea is that with dynamic analysis, or at least runtime analysis, you're able to get a full view of things that you don’t necessarily expect. And that’s why you need tools that help you observe or understand why it's not secure and how you can remediate it.
Ideally, an enterprise will perform both static and dynamic analysis. This approach will benefit from the synergistic relationship that exists between static and dynamic testing.
Infrastructure as code is an excellent way to automate the deployment and management of infrastructure resources. However, it is essential to ensure that your code is secure to avoid security breaches and data loss. By following security best practices, you can ensure that your IaC is secure and compliant with regulations.
Maximize the benefit of the cloud
In the context of cloud-native architecture, scalability is only one aspect of achieving true elasticity. Elasticity requires a more nuanced understanding of workload patterns and usage to optimize cost and efficiency. This involves identifying peak demand and workload fluctuations, as well as distinguishing between idle and active workloads. To optimize resource usage, metadata and tagging can be used to identify resources that are not optimized or underutilized, which can be adjusted to improve overall performance.
However, more complex optimizations may require replatforming efforts, such as rebuilding systems to handle increased traffic and optimize cost. These efforts may involve selecting new infrastructure components that can better handle the workload or reconfiguring existing components to better align with usage patterns. Although this can be a significant undertaking, it is often necessary to achieve true cloud-native capabilities.
While some optimizations may involve simple tweaks, others may require more complex replatforming efforts to optimize cost and efficiency. By implementing these strategies, organizations can achieve a cloud-native architecture that can handle the required traffic and provide optimal performance at a lower cost.
(No) One tool to scan them all
Securing infrastructure and applications is a complex and multifaceted task that requires multiple tools to accomplish effectively. While many companies search for a single tool that can do it all, the reality is that multiple tools are necessary to manage different aspects of security. Vulnerability management, application dependency scanning, infrastructure and network scanning, and application code scanning all require different tools to be properly addressed.
However, the tools themselves are not the most critical component of securing infrastructure and applications. Rather, it is essential to focus on developing and implementing policies that can be codified and decoupled from specific tools. Policies represent the core principles and values of an organization's security posture, and they remain relatively constant over time, even as security tools and technologies evolve.
By creating abstracted policies that are separate from specific security tools, organizations can maintain a consistent and secure security posture, even as they adopt new tools and technologies. This allows organizations to be proactive in their security measures and address potential vulnerabilities before they become larger issues.
In addition, by decoupling policies from specific tools, organizations can more easily integrate new tools into their security strategies without having to rework their entire approach. This approach also makes it easier to understand which tools are most effective for a specific task, as policies provide a clear framework for evaluating tool effectiveness.
Discuss infrastructure as code with Rosemary in Chicago
Rosemary will elaborate more on how to use policy as code to provision and configure infrastructure with security in mind at GOTO Chicago this May.
Meet her in person along with a bunch of other incredible speakers and learn about static analysis of infrastructure as code vs dynamic analysis of running infrastructure as well as the patterns and limitations of testing your infrastructure before you deploy.