Last week we joined CircleCI to talk about embedding infrastructure-as-code (IaC) security into your CI/CD pipeline. Presented by Bridgecrew Co-founder and VP of Product Guy Eisenkot and Circle CI Solutions Engineer Vinny Thanh, this webinar also covered developer security best practices and common IaC security mistakes.
Watch the 40-minute webinar recording below or keep reading for a quick recap.
IaC languages like Terraform and CloudFormation have emerged to make cloud management at scale more efficient, but they have added layers of complexity and more risk of human error. To ensure misconfigurations aren’t introduced, you need a solid DevSecOps foundation, including a fast CI/CD build pipeline and cloud security governance at the IaC layer.
DevSecOps best practices for CI/CD
Companies like CircleCI make it easy for teams to “build better software faster” as the world’s largest shared CI/CD platform. CircleCI has also pioneered the usage of reusable, sharable packages of YAML config with their Orbs technology.
See a CircleCI YAML configuration containing predefined commands, executors, and jobs in the webinar demo starting at 6:21.
By orchestrating the building, testing, and delivery of modern applications, CI/CD is crucial to modern developer workflows.
CI/CD not only facilitates the speed and consistency of deployments but is also a great place to embed things like security into day-to-day operations.
Developer security 101
There are several security tools that can be embedded into build pipelines, including container scanning, dependency scanning, SAST, DAST, IAST, secrets management, and of course, infrastructure scanning.
More and more security activities and responsibilities are being transitioned into the hands of developers, made possible by practices like CI/CD.
Embedding security earlier is the “secret sauce” to being able to grow fast in the cloud. One of the most important areas that developers and security teams often overlook is infrastructure-as-code security.
Through recently published research, we found that 1 in 2 Terraform modules contain misconfigurations. Misconfigurations aren’t the same as vulnerabilities: on their own they don’t inherently represent risk, because a finding in a module doesn’t take into account the protective layers in place at the cloud account level. But IaC is also a fantastic technology for hardening security earlier.
Why is IaC security overlooked? It’s still a fairly new technology and methodology, and while some errors are easy to identify, some aren’t quite as obvious:
If not spelled out as part of the resource definition, junior and less-experienced developers have no way to identify these less obvious misconfigurations. That’s where Bridgecrew comes in.
At Bridgecrew, we’re helping teams avoid those misconfigurations and streamline developer processes by:
- Continuously scanning your infrastructure-as-code for errors and finding misconfiguration issues at runtime
- Fixing issues in and with code, providing merge-ready pull requests and automated playbooks
- Preventing the deployment of code with issues by enforcing policy-as-code in all configuration models via CI/CD
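As an added illustration of that third point (example code written for this recap, not Bridgecrew's or CircleCI's own scanner), here is a minimal policy-as-code check that scans Terraform resources written in Terraform's JSON syntax and exits non-zero so the pipeline step fails. It also flags the kind of misconfiguration that is only visible by what the resource definition leaves out, such as a bucket with no encryption block. The policy ids, the sample resources and the file name are assumptions.

```python
import json
import sys

# Constructed sample in Terraform JSON syntax (.tf.json); values assumed for illustration.
# "logs" never declares encryption or a private ACL, and the bastion SG opens SSH to the world.
SAMPLE_TF = {"resource": {
    "aws_s3_bucket": {
        "data": {"acl": "private", "server_side_encryption_configuration": {"rule": {
            "apply_server_side_encryption_by_default": {"sse_algorithm": "AES256"}}}},
        "logs": {"acl": "public-read"}},
    "aws_security_group": {
        "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
}}

def s3_encryption_declared(body):
    # An absent block is the misconfiguration: nothing in the definition says the bucket is encrypted.
    return bool(body.get("server_side_encryption_configuration"))

def s3_acl_not_public(body):
    return body.get("acl", "private") not in ("public-read", "public-read-write")

def sg_no_world_ssh(body):
    for rule in body.get("ingress", []):
        if rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0) and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return False
    return True

# Policy ids and wording are hypothetical, not Bridgecrew's own check ids.
POLICIES = [
    ("IAC_S3_ENCRYPTION", "aws_s3_bucket", "bucket has no server-side encryption block", s3_encryption_declared),
    ("IAC_S3_PUBLIC_ACL", "aws_s3_bucket", "bucket ACL grants public access", s3_acl_not_public),
    ("IAC_SG_WORLD_SSH", "aws_security_group", "SSH (port 22) open to 0.0.0.0/0", sg_no_world_ssh),
]

def scan(tf_json):
    """Return one finding per (resource, failed policy) across every resource block."""
    findings = []
    for rtype, instances in tf_json.get("resource", {}).items():
        for name, body in instances.items():
            for check_id, ptype, desc, passes in POLICIES:
                if ptype == rtype and not passes(body):
                    findings.append({"check": check_id, "resource": f"{rtype}.{name}", "description": desc})
    return findings

if __name__ == "__main__":  # in a CI job (assumed file name): python iac_policy.py main.tf.json
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TF
    results = scan(cfg)
    for f in results:
        print(f"FAILED {f['check']} on {f['resource']}: {f['description']}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step and blocks the deploy
```

Run against the sample it reports three findings, two on the `logs` bucket and one on the `bastion` security group, while the `data` bucket passes because its encryption and ACL are spelled out.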
Watch the demo starting at 22:56 to see Bridgecrew in action:
- Deploying Bridgecrew in your cloud accounts at runtime
- Integrating Bridgecrew with your GitHub account
- CircleCI integration and orb configuration
- Reviewing misconfigurations in Bridgecrew
- Identifying failing checks within a CircleCI build
- Remediating issues with a pull request
We also got some great questions that we addressed at the end of the webinar. If you have questions after watching the recording, feel free to reach out to us at firstname.lastname@example.org.