It’s time once again for the #CodifiedSecurity Office Hours! In Episode 03, we featured our first special guest, Corcoran Smith from Slalom Consulting. Corcoran is an early-adopter of our open source static analysis tool for infrastructure as code, Checkov. He joined Barak and myself to share his insights into common security challenges from the consulting world.
Along with Corcoran and even more community contributors in the Twitch chat, we were excited to jump into the cloud security topics that have been on our minds these last couple of weeks! You can watch the full recording below, or keep reading for a quick recap of the discussion, including good reads from industry innovators, the latest from Bridgecrew R&D, and some cool new developments from our community.
Community shout-outs
The crew and I kicked off the episode with hearty introductions, presenting #Githubification (you’ll have to watch for a little dose of that particular rabbit-hole!) and Corcoran’s Halloween hat.
As always, we wanted to give a shout-out to the community and their latest PRs on Checkov and AirIAM. It’s truly awesome to see new contributors and regulars appearing in PRs, issues, and Slack discussions week on week. Thanks again for being a part of our growing community!
We covered a quick roundup of updates for those interested, highlighting some unmerged issues and PRs which may have deeper dependencies on other ongoing projects, such as Terraform variable rendering. We dig more into these changes later in the episode!
A couple of notable Checkov updates:
- You’ll have seen a number of PRs popping up through Barak and Nimrod’s behind-the-scenes work to improve CloudFormation scanning capabilities.
- Along with an update to running Checkov with no parameters, we now offer a simple onboarding question for saving your Checkov scans to Bridgecrew. This enables you to easily visualize and share your Checkov results across your entire team.
We also discussed an idea submitted by Scott Piper via Twitter: that Checkov should detect scenarios which would require AWS “root” credentials to fix, such as a bucket policy that locks all non-root accounts and roles out of the bucket. We implemented this in PR #627. Thanks for the great suggestion, Scott!
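To make the “root-only fix” scenario concrete, here is an added example of the kind of heuristic such a check applies. It is not the code from PR #627 and does not use Checkov’s check API; it is a stand-alone Python function that inspects an S3 bucket policy document and flags Deny statements that apply to every principal, cover the actions needed to change the policy itself, and carry no Condition that would carve out an administrator. The two sample policies are constructed for the example.

```python
"""Heuristic for S3 bucket policies that only the account root user could repair.

Added example, not Checkov's own check. A Deny that hits every principal, covers
s3:PutBucketPolicy / s3:DeleteBucketPolicy (or a wildcard that includes them) and
has no Condition leaves no IAM user or role able to change the policy back.
"""
import json

# Actions that would let someone replace or remove the policy. Lower-cased for
# comparison because IAM action names are case-insensitive.
POLICY_MANAGEMENT_ACTIONS = {"*", "s3:*", "s3:putbucketpolicy", "s3:deletebucketpolicy"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _actions_cover_policy_management(actions):
    lowered = {a.lower() for a in _as_list(actions)}
    return bool(lowered & POLICY_MANAGEMENT_ACTIONS)


def find_lockout_statements(policy_doc):
    """Return the Sids (or positional labels) of statements that would need root to undo."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        # A Condition (e.g. on aws:PrincipalArn) normally exempts an admin path.
        if stmt.get("Condition"):
            continue
        if not _actions_cover_policy_management(stmt.get("Action")):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def check_policy_json(policy_text):
    """Convenience wrapper: parse a JSON policy string and run the heuristic."""
    return find_lockout_statements(json.loads(policy_text))


# Constructed sample: an unconditional deny-all that locks everyone out.
LOCKOUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEveryone",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same deny, but scoped by a Condition that exempts one admin role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButAdmin",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {
            "StringNotEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/BucketAdmin"}
        },
    }],
})

if __name__ == "__main__":
    print("lockout:", check_policy_json(LOCKOUT_POLICY))
    print("scoped:", check_policy_json(SCOPED_POLICY))
```

The heuristic deliberately ignores `NotPrincipal` statements, since a Deny with `NotPrincipal` naming an administrator is the usual way to lock a bucket down safely; it also treats any Condition as an exemption, so a reviewer should still read the condition keys to confirm they actually leave a non-root path open.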
In closing the community updates section, we also called for more use cases and conversations on how to skip modules, annotation of custom modules, and direct scanning of modules in Terraform. If you have thoughts on any of these topics, please jump into our dedicated #checkov Slack channel!
A chat with Corcoran Smith
We opened up the discussion for Corcoran to share some recurring themes that he and his team at Slalom Consulting witness while helping enterprises secure their development processes. To gain full insight, we recommend watching our full interview with Corcoran, but if you’re in need of a taster, we wind our way through some excellent topics such as:
- Enterprises still expressing concerns passing security responsibilities over to development teams. How Checkov helped Slalom provide that assurance, making it easier to build trust and shared visibility between teams.
- Some teams still feeling safer with automation only up to a point, along with a manual set of controls.
- Teams still wanting agents for security monitoring with a potential manual review of the resulting security dashboard, missing out on achieving the end-to-end “CI/CD goodness”.
- Agents > Dashboard > Ticket often still wastes half a sprint looping through manual processes.
- Licensing and its impact on visibility into a platform for all relevant parties.
- How to enable conversations and break down barriers between teams by opening up information.
- Addressing policies unique to the business or processes within a specific company, which are often hard to visualize and track outside of the security team.
- Appreciating the often overwhelmed security team, tasked with onboarding multiple teams and projects.
From the reading list
Barak highlighted two leaders in cybersecurity to watch; firstly, Scott Piper and his roadmap of ten steps to start with when establishing a new AWS cloud account in a secure manner. Barak also suggested following Netflix’s Head of Security, Jason Chan, for cutting-edge ideas and security information.
TFVars support, plan scanning, and “Offensive Terraform”
Barak has spent time thinking about how to use Checkov at the planning stage as well as in static scanning. He pointed out that, currently, Checkov can scan certain variables in the code. But plan files contain dynamic environment objects that are injected later in the process. The best opportunity to check these variables in the plan file would be within the CI/CD run. To make use of this extra context for validating security posture before deployment, listen to Barak’s example of dev vs. prod environments. Barak hopes to implement the ability to scan a plan file from Checkov within the next two weeks to give users more power in those steps.
We then discussed TFVars support vs. Plan support, and what each would mean for policy enforcement. Barak explained the benefits of checking the same policies at different stages of the build pipeline, in addition to the flexibility gained from having both TFVars and Plan support.
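As an added illustration of why plan scanning adds context that a static scan of the HCL cannot see, here is a small Python example (not Checkov code) that runs one bucket ACL policy over the `planned_values` tree of a `terraform show -json` plan. The plan documents are constructed inline and mimic only the parts of the real format the check needs: `planned_values.root_module` with its `resources` and nested `child_modules`. The dev and prod plans differ only in the value resolved for a variable, which is exactly the difference a static scan of `acl = var.bucket_acl` cannot evaluate.

```python
"""Evaluate a bucket ACL policy against Terraform plan JSON (terraform show -json).

Added example, not Checkov's own implementation. In the HCL the attribute would read
`acl = var.bucket_acl`, which a static scan cannot resolve; in the plan the value is
already rendered per environment (assumed here: dev = private, prod = public-read).
"""

# ACLs that expose objects beyond the owning account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def iter_resources(module):
    """Depth-first walk over a plan module and all of its child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_bucket_acl(resource):
    """Return 'PASSED', 'FAILED' or 'UNKNOWN' for one aws_s3_bucket resource."""
    acl = resource.get("values", {}).get("acl")
    if acl is None:
        # Attributes that are only known after apply are omitted from `values`
        # (the plan lists them under resource_changes[].change.after_unknown).
        return "UNKNOWN"
    return "FAILED" if acl in PUBLIC_ACLS else "PASSED"


def evaluate_plan(plan):
    """Map each aws_s3_bucket address in the plan to its check result."""
    results = {}
    for resource in iter_resources(plan["planned_values"]["root_module"]):
        if resource.get("type") == "aws_s3_bucket":
            results[resource["address"]] = check_bucket_acl(resource)
    return results


def make_plan(rendered_acl):
    """Build a minimal constructed plan document for the given resolved ACL."""
    return {
        "format_version": "0.1",
        "planned_values": {
            "root_module": {
                "resources": [{
                    "address": "aws_s3_bucket.logs",
                    "mode": "managed",
                    "type": "aws_s3_bucket",
                    "name": "logs",
                    "values": {"bucket": "example-logs", "acl": rendered_acl},
                }],
                "child_modules": [{
                    "address": "module.assets",
                    "resources": [{
                        "address": "module.assets.aws_s3_bucket.site",
                        "mode": "managed",
                        "type": "aws_s3_bucket",
                        "name": "site",
                        # `acl` intentionally absent: computed after apply.
                        "values": {"bucket": "example-site"},
                    }],
                }],
            }
        },
    }


DEV_PLAN = make_plan("private")      # constructed: dev renders var.bucket_acl = "private"
PROD_PLAN = make_plan("public-read")  # constructed: prod renders var.bucket_acl = "public-read"

if __name__ == "__main__":
    print("dev :", evaluate_plan(DEV_PLAN))
    print("prod:", evaluate_plan(PROD_PLAN))
```

The same policy function is reused unchanged across stages; what changes is the input. Running it on a plan in CI, after `terraform plan -out` and `terraform show -json`, evaluates the values the environment will actually get, while a static scan of the module catches the same misconfiguration earlier when the value is a literal.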
One community member, Rob Eden, is working on support for scanning local modules and dynamically downloading modules from the relevant registries with Checkov. The idea is to analyze third-party modules, such as EKS (which itself provisions multiple VPC, EC2 and other resources), with Checkov if they are referenced in your Terraform manifests.
The Offensive Terraform library has further highlighted the need for module scanning by publishing five or six Terraform modules that allow account takeover. These modules send access keys to a C2 server, compromise IAM, or turn accounts public.
By popular demand
As requested, you can look here for the story of Corcoran’s dog and the home-brewed beer. Come for the #CodifiedSecurity, stay for the hat!
We’ll be back later this month with more stories and tech tangents in Episode 04. Until then, you can chat with us in our community Slack channel. Feel free to join us there to suggest topics or request to get involved in our next livestream!