Last week we held the first episode of the #CodifiedSecurity Office Hours, our series of live community chats covering the latest news in cloud security and open source. Joining us on Episode 01, we had Mike Urbanski, Bridgecrew’s Director of Solutions Architecture, and Barak Schoster, CTO of Bridgecrew and creator of Checkov.
Check out the full recording below or keep reading for a quick recap of the discussion—interesting reads, new tech, Bridgecrew R&D, and some cool community suggestions.
To kick off our first Office Hours, we wanted to give a shout-out to the contributors of the latest PRs on our open-source projects! You’re all awesomesauce. 😊
Seeing the #CodifiedSecurity community grow from all of the contributed PRs, issues, conversations, doc updates, and feature suggestions has been amazing.
Interesting #CodifiedSecurity reads
For many of us at Bridgecrew, COVID-19 lockdowns have had a negative effect on our queues of interesting blogs and articles that we’d normally get from office watercooler conversations. To keep up this essential person-to-person “analog Reddit” for the community, we thought we’d discuss our latest geeky InfoSec reads.
- Security September: Still Early Days for ABAC by One Cloud Please – This is a great writeup on disclosures made to cloud providers and how one pen tester was able to get around tag-based security controls.
- Twilio Labs’ SOCless project – SOCless is a “serverless framework built to help security teams easily automate their incident response and operations processes using AWS Step Functions and AWS Lambda services.” Mike gave his take on the value of building a custom solution like this, especially if you’re only interested in a very specific subset of issues or alerts (in his case, DLP).
- A SOCless Detection Team at Netflix – Although not as recent, Barak shared this great resource on the architecture and methodologies that go along with detection engineering.
New in #CodifiedSecurity
In this section of the show, we dove into the new stuff–Bridgecrew features, R&D, ideas, and of course, a beer or two. 🍻
Custom Policies in Bridgecrew
Faced with writing Python checks for Checkov or learning an entirely new domain-specific language (DSL) for OPA, how do we bridge the gap between engineering-written checks and organizational checks? This is a question we’ve been getting a lot from the community lately, so we switched gears to address the challenge.
As an example of the issue in action, we discussed resource tagging, which has no one-size-fits-all policy that can be codified into Python since every organization, team, and use case will be different. To solve this problem, we’ve created Custom Policies at Bridgecrew! Our platform includes a UI policy builder that makes it easy to create checks and gives instant feedback as you build the policy, showing which of your current resources match it. This fully customizable policy engine makes it super easy for anyone to add a new check and validate that it’s going to catch the right things!
Mike took us through a demo, adding checks to validate that each security group had an “owner” tag set and showing results from both build-time Terraform as well as live run-time AWS accounts.
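The "owner" tag check from the demo, as an added example that is not Bridgecrew's or Checkov's own code: the same rule applied to build-time Terraform resources (attributes list-wrapped, which is an assumption about the parsed shape) and to run-time AWS API output, whose tags arrive as Key/Value pairs. Both inputs are constructed.

```python
# Constructed sample inputs (not from the page or any real account).
# Build-time: Terraform resources as a parser hands them to a check, with
# each attribute wrapped in a list (an assumption about the parsed shape).
TERRAFORM_RESOURCES = {
    "aws_security_group.web": {"name": ["web"], "tags": [{"owner": "platform-team", "env": "prod"}]},
    "aws_security_group.db": {"name": ["db"], "tags": [{"env": "prod"}]},
    "aws_security_group.legacy": {"name": ["legacy"]},              # no tags block at all
    "aws_security_group.tmp": {"name": ["tmp"], "tags": [{"owner": ""}]},  # tag set but blank
}
# Run-time: security groups as the AWS describe_security_groups API shapes them.
AWS_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "Tags": [{"Key": "owner", "Value": "platform-team"}]},
    {"GroupId": "sg-0b2", "Tags": [{"Key": "Owner", "Value": "data-team"}]},  # wrong case
    {"GroupId": "sg-0c3"},                                                   # no Tags key
]

REQUIRED_TAG = "owner"

def _terraform_tags(conf):
    """Unwrap the list-wrapped tags map; missing or malformed -> empty map."""
    tags = conf.get("tags")
    return tags[0] if tags and isinstance(tags[0], dict) else {}

def _aws_tags(group):
    """Flatten AWS Key/Value pairs into a plain map."""
    return {t["Key"]: t["Value"] for t in group.get("Tags", [])}

def missing_owner(tags, required=REQUIRED_TAG):
    """True when the tag is absent or blank. AWS tag keys are case-sensitive,
    so 'Owner' does not satisfy a policy that requires 'owner'."""
    return not (tags.get(required) or "").strip()

def check_terraform(resources):
    """Resource addresses that would fail the build-time check."""
    return sorted(r for r, conf in resources.items() if missing_owner(_terraform_tags(conf)))

def check_aws(groups):
    """Group ids that fail the same check against the live account."""
    return sorted(g["GroupId"] for g in groups if missing_owner(_aws_tags(g)))
```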
Graph all the things!
Barak kicked us off with an overview of how graph databases can go beyond single-layer IaC security checks into analyzing paths of interrelated objects. With more complex hosted services like Kubernetes, those dependencies become even more important.
For example, we can easily determine “does this VM ever have public ingress on port 80?” regardless of whether that exposure comes through a public IP and security group attached directly to the instance, or through an inbound NAT mapping that traverses a chain of interconnected VPCs and network policy objects. In the same vein as Cartography by Lyft and CloudMapper by Duo Labs, the team is working on some cool tech to start mapping dependencies for IaC.
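The port-80 question above as a graph search, added here as an example rather than Bridgecrew's own tooling: a constructed topology of cloud objects, walked backwards from the VM so that an inbound NAT hop that rewrites the destination port is still followed correctly. Node names and the rule format are assumptions for the example.

```python
from collections import deque

# Constructed sample topology, not taken from the page or any real account.
# Each edge is (src, dst, rule): {"allow": "*"} / {"allow": {80, 443}} passes the
# listed destination ports unchanged; {"nat": {external: internal}} rewrites the port.
TOPOLOGY = [
    ("internet", "eip-web", {"allow": "*"}),
    ("eip-web", "sg-web", {"allow": {443}}),          # direct path: SG permits 443 only
    ("sg-web", "vm-web", {"allow": "*"}),
    ("internet", "nlb-edge", {"allow": "*"}),
    ("nlb-edge", "nat-rule-1", {"nat": {8080: 80}}),  # inbound NAT mapping 8080 -> 80
    ("nat-rule-1", "vpc-peering", {"allow": "*"}),
    ("vpc-peering", "sg-internal", {"allow": {80}}),
    ("sg-internal", "vm-web", {"allow": "*"}),
    ("vpc-peering", "sg-db", {"allow": {5432}}),
    ("sg-db", "vm-db", {"allow": "*"}),
]

def _inbound_ports(rule, port):
    """Ports entering this hop that leave it as `port` (empty set = blocked)."""
    if "nat" in rule:
        return {ext for ext, internal in rule["nat"].items() if internal == port}
    allowed = rule["allow"]
    return {port} if allowed == "*" or port in allowed else set()

def public_ingress_path(topology, target, port, source="internet"):
    """Breadth-first search backwards from (target, port) over the predecessor
    graph. Returns the hops from source to target as (node, destination port
    at that hop) pairs, or None when no public path delivers that port."""
    preds = {}
    for src, dst, rule in topology:
        preds.setdefault(dst, []).append((src, rule))
    start = (target, port)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node, p = queue.popleft()
        if node == source:            # reached the public edge: rebuild the path
            path, state = [], (node, p)
            while state is not None:
                path.append(state)
                state = parent[state]
            return path               # parent links run toward target, so this is source -> target
        for src, rule in preds.get(node, []):
            for q in _inbound_ports(rule, p):
                if (src, q) not in parent:
                    parent[(src, q)] = (node, p)
                    queue.append((src, q))
    return None
```

Running `public_ingress_path(TOPOLOGY, "vm-web", 80)` finds the NAT route (external port 8080) even though the directly attached security group only admits 443.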
Automated cloud threat modeling
We also discussed a Terraform provider for building threat models as code by Marqeta. Barak shared his insights on taking this further, with the possibility of dynamically creating these models from the infrastructure-as-code manifests themselves, potentially displaying the output in something like the blast-radius open source tool! If this interests you, shout in the #general channel of our Slack community; it would be fun to build more of a conversation around these ideas.
Checkov Time Machine
Last but hopefully not least, we discussed a community suggestion by Kevin Hock to reduce inertia for embedding security tools in developer pipelines. Kevin built a “Checkov Time Machine” to go back through a project’s commits day-by-day to identify which checks would cause the most noise across a history of Terraform changes. This project aims to reduce noise and friction when initially embedding Checkov into your pipeline because the last thing we want is to introduce a new tool that suddenly fails every build.
This descended into a live architecture session, where we discussed the possibility of keeping track of the latest violations of specific checks. That way, historical issues can be spaced out over multiple PRs to spread the load and, again, not cause alert overload in the pipeline. We mused over ideas for achieving this without needing Checkov to become a service by keeping pre-committed output for historical commits inline in git itself.
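The two ideas above in code, as an added example that is neither Kevin's Time Machine nor anything Bridgecrew ships: a noise ranking over a constructed per-commit scan history, the skip list it suggests for day one, and a ratchet that compares a PR's findings against a committed baseline so only new findings fail the build. Check ids and resource names are made-up placeholders.

```python
from collections import Counter

# Constructed scan history, oldest commit first (check ids and resources are
# made-up placeholders, not real Checkov output): each entry holds the set of
# (check_id, resource) pairs that failed when that commit was scanned.
HISTORY = [
    {"commit": "a1", "failures": {("CKV_EXAMPLE_1", "aws_security_group.web"),
                                  ("CKV_EXAMPLE_2", "aws_security_group.web")}},
    {"commit": "b2", "failures": {("CKV_EXAMPLE_1", "aws_security_group.web"),
                                  ("CKV_EXAMPLE_1", "aws_security_group.db"),
                                  ("CKV_EXAMPLE_2", "aws_security_group.web")}},
    {"commit": "c3", "failures": {("CKV_EXAMPLE_1", "aws_security_group.web"),
                                  ("CKV_EXAMPLE_1", "aws_security_group.db"),
                                  ("CKV_EXAMPLE_3", "aws_s3_bucket.logs")}},
]

def rank_noisy_checks(history):
    """Time-machine view: for each check, how many commits it failed in and
    how many distinct resources it flagged, noisiest first."""
    commits, resources = Counter(), {}
    for entry in history:
        for check_id in {c for c, _ in entry["failures"]}:
            commits[check_id] += 1
        for check_id, resource in entry["failures"]:
            resources.setdefault(check_id, set()).add(resource)
    return sorted(((c, n, len(resources[c])) for c, n in commits.items()),
                  key=lambda row: (-row[1], -row[2], row[0]))

def initial_skip_list(history, min_share=0.5):
    """Checks that failed in at least `min_share` of scanned commits: the
    candidates to skip on day one and phase in later."""
    n = len(history)
    return [c for c, commits, _ in rank_noisy_checks(history) if commits / n >= min_share]

def ratchet(baseline, current):
    """Fail only on findings absent from the committed baseline; findings the
    PR fixes drop out of the new baseline, so the backlog can only shrink."""
    new = current - baseline
    fixed = baseline - current
    return {"new": new, "fixed": fixed, "passed": not new,
            "baseline": baseline & current}
```

The returned `baseline` is what you would commit alongside the code so the next PR is compared against it, keeping the state in git rather than in a service.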
That’s all we had time for on Episode 01, but make sure to join us for the next one. You’re invited to join us live every month, along with the experts at Bridgecrew and special guests!
In Episode 02, we’ll have some Terraform-module-scanning fun with Checkov and take a closer look at AirIAM.
Any questions or suggestions for the next show? We’d love to hear them in our #office-hours Slack channel. Also, feel free to reach out if you have your own project, idea, or demo to share with the #CodifiedSecurity community.
Catch you next time!