Nothing Special   »   [go: up one dir, main page]

Definition

As network, storage, and compute resources are increasingly abstracted, their creation, deployment architecture, and provisioning are increasingly automated via configuration or code. A person need not physically connect network cables, install operating systems, or configure hardware/software resources through multiple interfaces; rather, the entire hardware/software infrastructure may be specified through code, called infrastructure-as-code (IaC).

Who uses infrastructure-as-code?

Any person or organization that needs known-good computing environments for development, testing, deployment, or other purposes may use IaC. Additionally, any person or organization relying on cloud hosting is an ideal candidate for IaC thanks to the degree to which its techniques are well-suited to such environments.


What are the benefits of using IaC over its alternatives?

  • IaC makes it far simpler to create and manage known-good computing environments, whether working with on-premise resources, co-located resources, or cloud resources.
  • IaC automates environment creation and management, making it much faster to stand up a single machine/VM/container or many such “nodes” at once.
  • IaC technologies that “orchestrate” said processes manage the often-tricky details of standing up multiple nodes of different types that are essential to a working overall system, e.g., a load balancing node in front of a number of “web farm” nodes, all relying connected to a database node, etc.
  • These and other factors make IaC an ideal technology for provisioning computing environments for developers, test labs, sales demonstrations, free trials, production systems, etc.

What are some security considerations of using IaC?

  • Users must take care to ensure their scripts and images are from a trusted source. A single provisioning script or VM/container image from an unscrupulous source may expose all connected resources to attack.
  • Users must be mindful of using sensitive data within IaC scripts and images as a single leak could have major consequences. For example, if a database containing sensitive customer data gets leaked, the company responsible will likely suffer substantial legal, financial, and brand damages. 

What are some of the best practices surrounding securing IaC?

  • Keep all resources on separate virtual networks to limit access.
  • Follow typical best practices for compartmentalizing permissions and managing passwords and other access tokens.
  • Perform real-time scans within the IDE as developers or cloud-ops code up the cloud infrastructure.
  • Gate the cloud deployment in the last stage of the CI/CD pipeline.

How can Black Duck help?

Black Duck offers a tandem solution to IaC challenges: CodeSight™ SE, along with Coverity® SAST, both powered by our Rapid Scan Static for IaC scanning.

CodeSight SE helps developers write better code by alerting them to issues in source code, open source dependencies, API calls, cryptographyIaC, and more.

Rapid Scan is a fast, lightweight static analysis engine that can be used to scan web and mobile applications, microservices, and IaC configurations. Rapid Scan runs automatically, without additional configuration, with every Coverity scan and can also be run as part of full CI builds with conventional scan completion times. Rapid Scan can also be deployed as a standalone scan engine in Code Sight or via the command line interface, as well as in automated build pipelines.


Explore how to build security into DevOps