Day Two Cloud 125: Scanning Infrastructure-as-Code For Security Issues

It’s always better to catch misconfigurations and vulnerabilities earlier in your pipeline rather than later. That’s especially true for cloud services, where a simple configuration error can expose sensitive assets to the entire Internet. On today’s Day Two Cloud podcast we discuss how to incorporate security checks early in your Infrastructure-as-Code (IaC) workflows to reduce risk. Our guest is Christophe Tafani-Dereeper, Cloud Security Engineer at Nexthink.

We discuss:

* What shift-left means in software development
* How DevSecOps fits into IaC practices
* Common cloud security risks
* Using static scans to spot misconfigurations
* Tools available to help
* Digging into Terraform examples
* More

Takeaways:

* Try to minimize the noise; focus on what matters to you
* Using IaC is a good opportunity to find misconfigurations before they get to production
* Shift left, but also start left!

Show Links:

* @christophetd – Christophe on Twitter
* Christophe on LinkedIn
* Christophe’s Blog
* Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues – Christophe’s blog
* Scanning Infrastructure As Code for Security Flaws – IaC Scanning DevSlop
* NSA Releases Guidance on Mitigating Cloud Vulnerabilities – Cybersecurity & Infrastructure Security Agency
* Starting Left rather than Shifting Left? – OWASP (PDF)
* Introducing the State of Open Source Terraform Security Report – BridgeCrew
* Infrastructure drifts aren’t like Pokemons, you can’t catch ’em all – driftctl
* Shifting Cloud Security Left: Scanning Infrastructure as Code for Security Issues – OWASP DevSlop via YouTube

Transcript:

[00:00:06.770] – Ned
Welcome to Day Two Cloud. Today, we are going to be talking about scanning infrastructure as code. Why? It’s critical if you’re trying to create a secure environment in the cloud. And one thing that really jumped out to me is it’s not just scanning it once. It’s scanning it multiple times at the right time. What jumped out to you, Ethan?

[00:00:25.190] – Ethan
Well, scanning infrastructure as code. Maybe some people think we’re talking about scanning containers or virtual machines. No, we’re talking about the code that would stand that stuff up. So, like, Terraform, we get into the Terraform stuff specifically, like looking at your plans and so on. Are you about to create something that’s horrifyingly insecure? Christophe really gets into it because of this tremendous blog post we’re going to discuss, Ned, where he reviews a whole bunch of tools that help us with this.

[00:00:49.
