Big thanks to Zohar Alon, CEO and co-founder of Dome9 Security, for talking with me about the company's support for automated security and compliance assessment of AWS CloudFormation templates (CFTs) in the Dome9 Compliance Engine. Customers are now able to test the security and compliance of their infrastructure templates and harden them before deploying software-defined infrastructure in live environments.
According to the 2017 State of DevOps report from Puppet, organizations that incorporate security and quality early and often in the development process spend 50 percent less time remediating security issues. Much of the focus of security in DevOps, or DevSecOps, has been on application security tools and practices. A considerable gap for the development community is security testing for infrastructure blueprints: the template that defines a network, a security group or a storage bucket is code, and a misconfiguration in it is deployed as faithfully as any other line. The new capabilities of the Dome9 Arc platform speed up the compliance lifecycle and catch such misconfigurations before they become accidental exposure or a foothold for external attacks.
“Organizations are dealing with the challenge of building security into their DevOps processes to minimize incident risk without slowing down the pace of innovation,” said Zohar. “Dome9 offers DevOps and security teams an automated and, more importantly, a faster and more accurate way to ensure their infrastructure meets compliance requirements and security best practices.”
Testing CFTs is a manual process today. DevOps teams create CFTs and then submit them to the security teams for review. The back-and-forth between security and operations teams to better understand and assess CFTs creates lengthy delays and slows DevOps down while introducing the risk of errors into the process.
Dome9 solves the problem by automating the assessment of CFTs against compliance standards such as PCI DSS and industry best practice specifications such as the CIS AWS Foundations Benchmark. More specifically, the Dome9 Compliance Engine:
- Resolves parameter values and intrinsic functions in the CFT and simulates its deployment, so the checks run against the resources the template would actually create rather than against unresolved template text.
- Exposes the assessment through the Dome9 API, so security and compliance checks on CFTs can be built into DevOps scripts and deployment workflows instead of being run as a separate manual review.
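To make concrete what such an assessment has to do, here is an added example written for this page; it is not Dome9's implementation and uses none of its API. It binds CloudFormation parameters, resolves the Ref and Fn::Join intrinsics, and then checks every EC2 security group ingress rule against CIS AWS Foundations Benchmark v1.2.0 controls 4.1 and 4.2 (no ingress from 0.0.0.0/0 to port 22 or 3389). The template, the VPC id and the pseudo-parameter values are constructed for the example; Fn::Sub, Fn::GetAtt, conditions and cross-stack references are deliberately out of scope.

```python
import json

# Constructed sample template (JSON flavour of CloudFormation), not taken from the
# article. The SSH CIDR is a parameter whose *default* is world-open, so a grep
# for "0.0.0.0/0" on the ingress rule itself would miss it.
SAMPLE_TEMPLATE = r'''
{
  "Parameters": {
    "SshCidr": {"Type": "String", "Default": "0.0.0.0/0"},
    "VpcId":   {"Type": "AWS::EC2::VPC::Id"}
  },
  "Resources": {
    "BastionSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": {"Fn::Join": ["-", ["bastion", {"Ref": "AWS::Region"}]]},
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "CidrIp": {"Ref": "SshCidr"}},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
'''

# Assumed values for pseudo parameters in the simulated deployment.
PSEUDO_PARAMETERS = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}

# CIS AWS Foundations Benchmark v1.2.0 controls 4.1 and 4.2.
CIS_PORTS = {22: "CIS 4.1: no ingress from 0.0.0.0/0 to port 22",
             3389: "CIS 4.2: no ingress from 0.0.0.0/0 to port 3389"}


def bind_parameters(declared, overrides):
    """Merge supplied values with defaults; CloudFormation rejects a stack with a gap."""
    bound = {}
    for name, spec in declared.items():
        if name in overrides:
            bound[name] = overrides[name]
        elif "Default" in spec:
            bound[name] = spec["Default"]
        else:
            raise ValueError(f"parameter {name!r} has no value and no default")
    return bound


def resolve(node, params):
    """Substitute Ref and Fn::Join recursively (Fn::Sub, Fn::GetAtt, Fn::If are out of scope)."""
    if isinstance(node, dict):
        if len(node) == 1:
            (key, value), = node.items()
            if key == "Ref":
                if value in params:
                    return params[value]
                if value in PSEUDO_PARAMETERS:
                    return PSEUDO_PARAMETERS[value]
                return f"<{value}>"  # Ref to a logical resource: stand-in physical id
            if key == "Fn::Join":
                delimiter, items = value
                return delimiter.join(str(resolve(item, params)) for item in items)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(item, params) for item in node]
    return node


def check_ingress_rule(logical_id, rule):
    """Findings for one resolved ingress rule that opens TCP 22 or 3389 to the world."""
    if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
        return []
    proto = str(rule.get("IpProtocol", ""))
    all_traffic = proto == "-1"  # protocol -1 covers every port
    low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return [{"resource": logical_id, "port": port, "control": control}
            for port, control in CIS_PORTS.items()
            if all_traffic or (proto in ("tcp", "6") and low <= port <= high)]


def assess(template_json, overrides=None):
    """Bind parameters, resolve intrinsics, then check every security group ingress rule."""
    template = json.loads(template_json)
    params = bind_parameters(template.get("Parameters", {}), overrides or {})
    resources = resolve(template.get("Resources", {}), params)
    findings = []
    for logical_id, resource in resources.items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif resource.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # stand-alone ingress resource
        else:
            continue
        for rule in rules:
            findings.extend(check_ingress_rule(logical_id, rule))
    return findings
```

The port 22 rule in the sample contains no literal 0.0.0.0/0; it only becomes a finding once the parameter default is bound, which is why resolving parameters before checking matters. `assess(SAMPLE_TEMPLATE, {"VpcId": "vpc-0123456789abcdef0"})` returns one finding for BastionSg on port 22 while the port 443 rule passes; supplying `"SshCidr": "10.0.0.0/8"` as well clears it; omitting VpcId raises ValueError, because a template that cannot be deployed as given cannot be meaningfully assessed as given either.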
Zohar expects this new capability to smooth the workflow between developers and security teams, resolve the conflicts between them, and improve the productivity of both.
Continuous compliance checks reduce the risk of an overlooked misconfiguration and make security for infrastructure as code transparent to the developer.