Webinar recap: Infrastructure-as-code scanning in your CI/CD workflow with Bridgecrew and CircleCI

https://bridgecrew.io/webinar/cicd-infrastructure-as-code-circleci-orbs/?preview=true

Last week we joined CircleCI to talk about embedding infrastructure-as-code (IaC) security into your CI/CD pipeline. Presented by Bridgecrew Co-founder and VP of Product Guy Eisenkot and Circle CI Solutions Engineer Vinny Thanh, this webinar also covered developer security best practices and common IaC security mistakes.

Watch the 40-minute webinar recording below or keep reading for a quick recap.

Introduction

IaC languages like Terraform and CloudFormation have emerged to make cloud management at scale more efficient, but have added layers of complexity and more risk of human error. To ensure misconfigurations aren’t introduced, you need to have a solid DevSecOps foundation, including a face CI/CD, build pipeline, and cloud security governance at the IaC layer.

DevSecOps best practices for CI/CD

Companies like CircleCI make it easy for teams to “build better software faster” as the world’s largest shared CI/CD platform. CircleCI has also pioneered the usage of reusable, sharable packages of YAML config with their Orbs technology.

See a CircleCI YAML configuration containing predefined commands, executors, and jobs in the webinar demo starting at 6:21.

By orchestrating the building, testing, and delivery of modern applications, CI/CD is crucial to modern developer workflows.

Bridgecrew and CircleCI

 

CI/CD not only facilitates the speed and consistency of deployments but is also is a great place to embed things like security into day-to-day operations.

Developer security 101

There are several security tools that can be embedded into build pipelines, including container scanning, dependency scanning, SAST, DAST, IAST, secrets management, and of course, infrastructure scanning.

More and more security activities and responsibilities are being transitioned into the hands of developers, made possible like CI/CD.

blank

Embedding security earlier is the “secret sauce” to being able to grow fast in the cloud. One of the most important areas that developers and security teams often overlook is infrastructure-as-code security.

Infrastructure-as-code security

Through recently published research, we found that 1 in 2 Terraform modules contain misconfigurations. While misconfigurations aren’t the same as vulnerabilities—they don’t inherently represent risk, as they don’t take into account protective layers in place at the cloud account level. But IaC is also a fantastic technology to harden security earlier.

blank

 

Why is IaC security overlooked? It’s still a fairly new technology and methodology, and while some errors are easy to identify, some aren’t quite as obvious:

blank

If not spelled out as part of the resource definition, junior and less-experienced developers have no way to identify these less obvious misconfigurations. That’s where Bridgecrew comes in.

At Bridgecrew, we’re helping teams avoid those misconfigurations and streamline developer processes by:

  • Continuously scanning your infrastructure-as-code for errors and finding misconfiguration issues in run-time
  • Fixing issues in and with code, providing merge-ready pull requests and automated playbooks
  • Preventing the deployment of code with issues by enforcing policy-as-code in all configuration models via CI/CD

Watch the demo starting at 22:56 to see Bridgecrew in action:

We also got some great questions that we addressed at the end of the webinar. If you have questions watching the recording, feel free to reach out to us at info@bridgecrew.io.