Today everything is software, and software is everything.

Infrastructure as code (IaC) has changed how resources are managed in public clouds: declarative templates are versioned, reviewed, and applied automatically. That efficiency has a flip side. A template is applied at scale, so a single misconfiguration is replicated across every environment it touches, and the attack surface grows with it.

The recent State of Secrets Sprawl 2023 Report revealed that 21.5% of Terraform repositories carry security policy vulnerabilities, which underlines how important it is to write secure IaC. This trend is amplified by the rapid growth in usage of the HashiCorp Configuration Language (HCL), driven by the popularity of Terraform and the wider adoption of IaC practices to automate deployments. A simple misconfiguration like a publicly exposed AWS S3 bucket or an instance whose management ports are open to the internet can compromise critical resources, and a hardcoded credential, once leaked, gives an attacker a foothold from which the compromise can spread across cloud environments.

In 2022, GitGuardian announced its Infra as Code Security capabilities, setting the stage for a more proactive and integrated approach to software-defined infrastructure security. Embracing the "Shift Left" approach, we enabled IaC scanning through ggshield, our CLI for developers. This allowed IaC authors to detect misconfigurations locally, before the templates are committed, and to prevent them from propagating to cloud environments.

Today, we're excited to take your IaC security game to the next level. In this blog post, we'll delve into the power and possibilities of this new addition within your dashboard, exploring how it empowers SREs, Platform, Cloud, and Application Security Engineers to safeguard their cloud resources efficiently and precisely.

Why integrate Infra as Code Security in the GitGuardian dashboard?

While IaC authors could stop misconfigurations in their tracks with ggshield IaC scanning, cloud engineers and security professionals had no central place to manage IaC incidents once they were detected in repositories. This gap called for a solution that bridges detection and incident management. So we brought the Infra as Code Security capabilities into the GitGuardian dashboard, giving you a centralized view of all misconfigurations and exposed secrets across your scanned repositories.

Native integrations and pre-built policies

We're kicking things off by offering support for GitHub and GitLab native integrations.

We focus on scanning IaC templates like Terraform and CloudFormation for misconfigurations affecting your AWS, Azure, GCP services, Kubernetes clusters, and Docker containers, safeguarding your deployments.

You'll find 100+ pre-built policies at your disposal, each designed to address specific types of misconfigurations and vulnerabilities across your infrastructure. Some of these critical and high-severity policies are:

Networking (Misconfiguration):

Remote administration ports such as SSH (22) or RDP (3389) opened to the whole internet (for example, a security group ingress rule with a 0.0.0.0/0 source) pose a significant threat. Such openings invite brute-force attacks and exploitation of vulnerabilities in the exposed service, leading to unauthorized access to machines and potential data breaches.

Secrets (Vulnerability in Code):

Teams often hardcode sensitive information such as AWS secret keys, access tokens, and internal IP addresses directly into IaC templates. Once committed, these values are exposed to anyone with read access to the repository (and to its history, even after they are removed), and attackers can use them to gain unauthorized access and compromise key resources.

Data (Misconfiguration):

S3 buckets deployed without server-side encryption at rest can result in data leakage, since any copy of the stored objects, whether obtained through a misconfigured ACL, a leaked credential, or a backup, is immediately readable.

Permission (Misconfiguration):

Incorrectly assigning permissions to cloud resources can greatly expand the attack surface. For instance, a CloudTrail log bucket with overly broad permissions lets an attacker read your audit trail to learn about your environment or, if the bucket is writable, tamper with the evidence of their own activity.

Detecting and addressing these misconfigurations is vital to maintaining a robust and secure cloud infrastructure.
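To make the four policy categories above concrete, here is an added Terraform example (written for this post; it is not GitGuardian's code and does not reproduce its policy definitions) showing each misconfiguration next to a hardened version. Resource names, bucket names, the 10.0.0.0/8 "corporate" range and the KMS key are constructed for illustration; the credentials are the placeholder values from AWS's own documentation, not real keys.

```hcl
# Added example, not from the original post or from GitGuardian.
# Each "bad_*" block shows a configuration an IaC scanner would flag;
# the "good_*" block beside it shows the hardened equivalent.

# --- Networking: SSH reachable from any IP address ---
resource "aws_security_group" "bad_ssh" {
  name = "bad-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # flagged: management port open to the internet
  }
}

resource "aws_security_group" "good_ssh" {
  name = "good-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"] # assumed VPN/corporate range; better still, use SSM Session Manager and open no port at all
  }
}

# --- Secrets: credentials hardcoded in the provider block ---
provider "aws" {
  alias      = "bad"
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"                     # flagged: AWS documentation placeholder, shown only to illustrate the pattern
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" # flagged: a real key here lives forever in git history
}

provider "aws" {
  alias  = "good"
  region = "us-east-1"
  # No credentials in code: Terraform resolves them at plan/apply time from the
  # environment (AWS_PROFILE, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY), an assumed
  # IAM role, or an SSO session, so nothing secret is committed.
}

# --- Data: S3 bucket without server-side encryption ---
resource "aws_s3_bucket" "bad_data" {
  bucket = "example-data-unencrypted" # flagged: no encryption configuration attached
}

resource "aws_kms_key" "data" {
  description         = "Customer-managed key for the data bucket (constructed for this example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_data" {
  bucket = "example-data-encrypted"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "good_data" {
  bucket = aws_s3_bucket.good_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

# --- Permission: CloudTrail log bucket readable by anyone ---
resource "aws_s3_bucket" "bad_trail" {
  bucket = "example-cloudtrail-logs-open"
}

resource "aws_s3_bucket_acl" "bad_trail" {
  bucket = aws_s3_bucket.bad_trail.id
  acl    = "public-read" # flagged: audit logs world-readable
}

resource "aws_s3_bucket" "good_trail" {
  bucket = "example-cloudtrail-logs"
}

resource "aws_s3_bucket_public_access_block" "good_trail" {
  bucket                  = aws_s3_bucket.good_trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Two caveats for anyone adapting this: the hardened CloudTrail bucket still needs a narrowly scoped bucket policy that lets the CloudTrail service principal write objects to it (omitted here for brevity), and the "bad" provider block is deliberately the only place where the placeholder key appears; never copy a real key into any of these files, because a removal commit does not scrub it from history.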

What will your IaC security incident management look like?

With the Infra as Code Security capabilities in the GitGuardian platform, cloud engineers and security professionals get a single place to triage and track the IaC incidents raised in their repositories. This release complements the automated secrets detection and remediation capabilities, so secrets and misconfigurations are handled with the same workflow.

When you open the Infra as Code Security section, you land on an overview of your incidents. Each incident carries a unique ID, its detection date, the rule it matched, and its status. The severity of the misconfiguration is set by default from the matched rule, so you do not have to assess it by hand. The location details give the repository, filename, and resource name, which is what you need to find the offending block quickly. Filtering and ordering options let you tailor the view to your needs.

Incidents Overview: Easily manage and analyze IaC vulnerabilities

Incident prioritization and resolution

Each IaC security incident carries the information needed to prioritize it: a description of the vulnerability, its potential impact, the complexity of exploiting it, its category, and the data it exposes. You also see whether exploitation would be visible in logs, whether it requires user interaction, and which privileges an attacker would need, so you can rank incidents on more than severity alone. Remediation guidelines and our public documentation give the steps for resolution so that you can address incidents quickly.

Incident Details: Get in-depth insights for effective prioritization

Resolving an IaC security incident means fixing the underlying issue in the IaC file itself, not patching the deployed resource by hand, since the next apply would reintroduce it. This is a collaborative effort: you need to work with the team that owns the IaC files. Clear communication, including the incident location and a link to the matching rule, streamlines resolution. Once the fixed file is committed, the incident's status is updated to "resolved" automatically, so tracking stays in step with the repository.

For incidents that do not require immediate resolution, GitGuardian offers flexibility. You can ignore an incident temporarily or permanently, in line with your risk assessment and available resources. Ignoring temporarily means setting a grace period after which the incident comes back into view, so a deferred fix is not forgotten.

Incident Management: Temporarily or permanently ignore incidents

Dwayne McDaniel, Security Advocate at GitGuardian, put together this short demo for you to get the gist of this new release.

GitGuardian Infra as Code Security

More updates are coming

The Infra as Code Security capabilities in the GitGuardian dashboard open another chapter in secure software development by adding a security layer at the infrastructure level. With IaC scanning in place, misconfigurations are caught when they are written, and the incidents they raise are managed in one place. This addition reflects GitGuardian's commitment to giving teams the tools they need to safeguard their cloud-native application landscapes.

More updates are planned on our Infra as Code Security roadmap throughout 2023. Soon, you will also be able to monitor IaC vulnerabilities in Google Cloud Deployment Manager templates and in Bitbucket repositories, so your cloud infrastructure is watched at its source regardless of where the code lives. We will also introduce analytics to help Security Engineers and Managers track their progress, identify bottlenecks, and make informed decisions to strengthen their cloud security posture. To streamline remediation, we are working on collaborative features that simplify and speed up IaC incident resolution.

Explore our Infra as Code Security capabilities

All you need is a GitGuardian account. If you’re already a customer of the GitGuardian platform, you’ll get these new enhancements for free during our beta phase by joining our waitlist. If you’re not already a GitGuardian user or customer, you can get started for free or explore your plan options.

Join us in creating a more secure software future, one line of code at a time.

PS: also check out our IaC security cheat sheet!