Shift left security — IaC

Satish
My InfoSec Write-ups
6 min read · Aug 2, 2023

In the ever-evolving world of software development, Infrastructure as Code (IaC) has emerged as a critical practice to streamline and automate the provisioning of infrastructure resources. This blog post aims to provide a comprehensive understanding of IaC, Terraform, vulnerability scanning using CSPM (Cloud Security Posture Management), and the importance of Shift Left Security. We’ll also delve into the introduction of Checkov, integrating it into the Harness pipeline, shifting left to pre-commit, and finally, using it as an IDE plugin.

What is IaC?

Infrastructure as Code is a development practice that allows developers and operations teams to manage and provision infrastructure using code. With IaC, infrastructure is defined in code files, which can be version-controlled and treated as software artifacts. This approach enables repeatability, consistency, scalability, and collaboration between teams, making it an essential DevOps and DevSecOps technique.

There are several IaC tools available, such as Terraform, AWS CloudFormation, Ansible, Puppet, etc.

Terraform

Terraform is a popular open-source IaC tool by HashiCorp. It allows users to define and manage infrastructure resources across multiple cloud providers and on-premises environments using a declarative configuration language. Terraform simplifies the provisioning process by providing a unified workflow, enabling organizations to achieve cloud-agnostic infrastructure management.

Terraform Plan, Apply, and Destroy:

Terraform follows a three-step process for infrastructure management:

  • terraform plan: This step generates an execution plan by comparing the current configuration with the desired state defined in the Terraform code. It identifies any changes needed to reach the desired state without actually making any modifications.
  • terraform apply: During this phase, Terraform executes the planned changes, creating or updating the infrastructure resources accordingly. It ensures the actual infrastructure matches the defined state.
  • terraform destroy: When resources are no longer needed, Terraform can remove them by executing this command. It helps prevent unnecessary expenses and ensures a clean slate for future deployments.

Vulnerability Scanning using CSPM:

Cloud Security Posture Management (CSPM) tools play a vital role in identifying and remediating security risks within cloud environments. CSPM tools continuously scan cloud resources for misconfigurations, security gaps, and compliance violations.

As the following picture depicts:

  1. AWS services (e.g. an S3 bucket) are provisioned using Terraform
  2. The provisioned AWS services are scanned by CSPM tools (e.g. ScoutSuite) for vulnerabilities or misconfigurations

What are the problems with this approach?

a. Feedback loop is longer
b. Increased Vulnerability Discovery Time
c. Higher Remediation Costs
d. Higher Risk of Exploitation
e. Reactive Security Approach

The Importance of Shift Left Security:

Shift Left Security is the practice of integrating security checks and measures early in the development process. By identifying and fixing vulnerabilities early, the problems listed above can be addressed.

Introduction to Checkov:

Checkov is an open-source static analysis tool designed to scan IaC code and identify potential security risks and misconfigurations before creating the cloud resources. It supports various IaC frameworks like Terraform, CloudFormation, Kubernetes YAML, and more. By integrating Checkov into the CI/CD pipeline, developers can proactively detect and remediate security issues before they reach production.

The following screenshot depicts the scan results of Terraform code.

Integrating Checkov into Harness Pipeline:

Harness, a Continuous Delivery platform, allows easy integration of Checkov scans into the deployment pipeline. By adding Checkov as a verification step, Harness ensures that only secure and compliant infrastructure code gets deployed: the deployment fails if the Terraform code has any vulnerabilities.

This approach shifts the vulnerability scanning from after provisioning the cloud services to before provisioning.

Sample Terraform security scan in pipeline.

With vulnerabilities in Terraform code: Failed at “Security Scan TF” stage

Now the developer is expected to review the vulnerabilities identified by Checkov, fix them, and push the code to the VCS again.

With no vulnerabilities in Terraform code: success at “Security Scan TF” stage.
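As an added example (not code from the post, from Checkov or from Harness), the script below shows how a pipeline stage like “Security Scan TF” can decide pass/fail from Checkov's JSON report (`checkov -d . -o json`) instead of relying only on the tool's exit status: it blocks on every failed check unless a time-boxed, per-resource waiver covers it, and it also blocks on parsing errors, since a file Checkov could not parse was never scanned. The embedded report is constructed sample data that follows Checkov's JSON field names; the check IDs are real Checkov S3 checks, but the resources, results and the waiver entry are made up.

```python
"""Gate a CI/CD step on Checkov's JSON report.

Added example for this post; not code from Checkov, Harness or the author.
Assumes the report came from `checkov -d . -o json`; field names follow
Checkov's JSON output, while the findings themselves are constructed.
"""
import json
import sys
from datetime import date

# Constructed sample report: one S3 bucket, one passing and two failing checks.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_21",
             "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
             "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf", "file_line_range": [1, 9]},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_20",
             "check_name": "S3 Bucket has an ACL defined which allows public READ access",
             "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf", "file_line_range": [1, 9]},
            {"check_id": "CKV_AWS_18",
             "check_name": "Ensure the S3 bucket has access logging enabled",
             "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf", "file_line_range": [1, 9]},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
})

# Accepted-risk waivers: (check_id, resource) -> ISO date on which the waiver expires.
# Scoping to one resource and time-boxing means a finding is never silenced
# repo-wide or forever. This entry is a made-up illustration.
EXAMPLE_WAIVERS = {("CKV_AWS_18", "aws_s3_bucket.logs"): "2023-09-30"}


def load_reports(text):
    """Checkov emits one object for a single framework and a list for several;
    normalise both shapes to a list of report objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def blocking_findings(reports, waivers, today):
    """Return the findings that must block the pipeline, in a stable order.

    A failed check is waived only if (check_id, resource) matches a waiver whose
    expiry date is not yet past. Parsing errors block too: a file Checkov could
    not parse was never scanned, so treating it as clean would be a silent bypass."""
    today_d = date.fromisoformat(today)
    blocking = []
    for report in reports:
        results = report.get("results", {})
        for path in results.get("parsing_errors", []):
            blocking.append({"check_id": "PARSING_ERROR", "resource": path,
                             "file_path": path, "reason": "file not scanned"})
        for check in results.get("failed_checks", []):
            expiry = waivers.get((check["check_id"], check["resource"]))
            if expiry is not None and today_d <= date.fromisoformat(expiry):
                continue  # accepted risk, still inside its review window
            reason = "waiver expired" if expiry is not None else "failed check"
            blocking.append({**check, "reason": reason})
    return sorted(blocking, key=lambda f: (f["file_path"], f["check_id"]))


def gate(report_text, waivers, today):
    """Print the blocking findings and return the step's exit code (0 lets the deploy proceed)."""
    findings = blocking_findings(load_reports(report_text), waivers, today)
    for f in findings:
        print(f"BLOCK {f['check_id']:<14} {f['resource']:<24} {f['file_path']} ({f['reason']})")
    print(f"{len(findings)} blocking finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    # In the pipeline:  checkov -d . -o json --soft-fail > checkov.json; python gate.py checkov.json
    # (--soft-fail makes checkov exit 0 so this script owns the pass/fail decision.)
    # With no argument the constructed sample is gated, so the script runs stand-alone.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, EXAMPLE_WAIVERS, date.today().isoformat()))
```

Run with the constructed sample, the gate blocks on CKV_AWS_20 (public ACL) while CKV_AWS_18 is waived until its expiry; once that date passes the access-logging finding blocks again with the reason “waiver expired”, which is the nudge to either fix it or consciously renew the exception. Keeping the waiver list in the repository alongside the Terraform code puts accepted risks under the same review as the infrastructure itself.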

Is it possible to shift the Checkov scanning further left? Yes.

Shifting Checkov Scanning to Pre-Commit:

Taking Shift Left Security a step further, developers can integrate Checkov scans into their version control system’s pre-commit hooks. This way, developers get real-time feedback on potential security issues before code is committed, reducing the chances of vulnerabilities reaching the repository.

Pre-requisites:

  1. checkov must be installed on the developer's laptop
  2. create a file named pre-commit, without any extension, at /<your git repo>/.git/hooks with the content below
#!/bin/sh
# Git runs this file only if it is executable (chmod +x .git/hooks/pre-commit).
# The hook's exit status is that of its last command, so a failed Checkov check aborts the commit.
echo "Checkov Pre-Commit scanning - Scanning the Terraform code for vulnerabilities/misconfigurations"
checkov -d .

Now the checkov scan is triggered whenever the developer runs git commit. The commit fails if there are any vulnerabilities in the Terraform code.

The vulnerability scanning has been shifted left to pre-commit on the developer's laptop ← CICD pipeline (before provisioning cloud services) ← Scanning after provisioning cloud services

The commit succeeds if there are no vulnerabilities in the Terraform code.

Note: Pre-commit hooks can be bypassed using the --no-verify flag, and because the hook lives in the unversioned .git/hooks directory, each developer has to install it individually. The Terraform code scanning in the CICD pipeline will still catch the vulnerabilities in those cases.

Shifting Checkov Scanning to IDE Plugin:

To provide developers with an even more seamless experience, Checkov offers IDE plugins. These plugins integrate directly into the developer’s IDE, highlighting security risks as they write code. This immediate feedback encourages developers to address issues as they occur, fostering a security-first mindset.

I’ve enabled the Checkov IDE plugin in the Visual Studio Code IDE to identify vulnerabilities while writing the code.

The vulnerability scanning has been shifted left further to the IDE (while writing the code) ← Pre-commit on the developer's laptop (after writing the code) ← CICD pipeline (before provisioning cloud services) ← Scanning after provisioning cloud services

Advantages in shifting the security to left:

By embracing Shift Left Security and integrating IaC vulnerability scanning tools, organizations can benefit from:

  • Immediate feedback loop
  • Early detection and remediation of vulnerabilities
  • Lower remediation costs
  • Reduced risk of exploitation
  • Proactive security approach
  • Enhanced compliance and adherence to industry regulations
  • Improved collaboration between development, operations, and security teams

Infrastructure as Code and Shift Left Security are indispensable practices for modern software development, enabling faster, more secure, and cost-effective deployments. Integrating IaC vulnerability scanning tools into the development pipeline and shifting left empowers developers to become security champions, delivering resilient and secure applications to end-users.

Note: The mention of various tools in the write-up is purely for informative purposes and to highlight, not to promote, the possibilities for implementing Shift Left Security. The choice of IaC and security tools ultimately depends on the specific needs, preferences, and expertise of the development and security teams. Each team may have different requirements, and they should carefully evaluate and select the tools that best fit their project goals and organizational needs. The key is to focus on the concept of Shift Left Security and how it can benefit the software development process by integrating security checks early in the development lifecycle.
