The Role of Open Source in Cloud Security: A Case Study With Terrascan by Tenable
Open-source software and cloud-native infrastructure are inextricably linked and can play a key role in helping to manage security.
From Kubernetes to Argo to Docker to Terraform, the most influential cloud-native innovations are open source. The high velocity and mass adoption of projects like Kubernetes show that in order to keep pace with innovation, the cloud-native community must come together, share best practices, foster collaboration, and contribute to next-generation technologies.
Open-Source and Cloud-Native
The Cloud Native Computing Foundation (CNCF), the largest open-source community in the world and the host of international events like KubeCon + CloudNativeCon and CloudNativeSecurityCon, rallies around the idea that open source and democratizing innovation are the best ways to make cloud-native technologies widely available. As a subset of the Linux Foundation, the CNCF brings together thousands of developers and cloud architects around the world to create and maintain hundreds of cloud-native open-source projects.
With cloud infrastructure becoming increasingly complex, open-source tools like Terrascan by Tenable can help ensure the code developers write to provision cloud resources is secure and compliant with industry standards. By providing transparency and flexibility, open-source software can help organizations customize their security solutions to meet their unique needs and adapt to changing cyber threats.
Many companies are taking advantage of these benefits. According to Open UK’s “State of Open: The UK in 2021 Phase Three The Values of Open” report that surveyed over 273 respondents, the vast majority (89%) are using open-source software.
Let’s look at how cloud security might play out using Terrascan by Tenable as an example.
What Is Terrascan by Tenable?
Terrascan by Tenable is a static code analyzer that can detect compliance and security violations across infrastructure as code (IaC) to mitigate risks before provisioning cloud-native infrastructure. You can scan many IaC types, including Azure Resource Manager, Kubernetes, Docker, and Terraform (hence the name “Terrascan”).
Because it is a code analyzer, Terrascan can be integrated into many tools in the development pipeline. Once integrated, misconfiguration scanning runs automatically as part of the commit or build process. It can run on a developer’s laptop, in a source code management (SCM) system (e.g., GitHub), on continuous integration/continuous delivery (CI/CD) servers (e.g., ArgoCD and Jenkins), or in your browser with the Terrascan sandbox. It also has a built-in admission controller for Kubernetes, which vets new resources before they are created on a cluster; with that integration, you can prevent insecure resources from entering your Kubernetes environment.
Terrascan by Tenable in Action: A Case Study
To illustrate the benefits of Terrascan, let's consider a hypothetical scenario based on real-world customer experiences in which a company is migrating its on-premises infrastructure to the cloud. The DevOps team is using Terraform to automate infrastructure provisioning, but the security team is concerned about potential security issues in the company’s code and the propagation of misconfigurations in runtime. Because of this, they have to slow down developers and ensure that all IaC is secure through rigorous manual processes.
Terrascan scans the company’s Terraform code against a set of policies based on industry frameworks, such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and identifies weaknesses in the developers’ code that could allow unauthorized access to port 22 (SSH). By discovering the problem in the code, the security team can require the cloud resource to allow SSH access only from a specific subnet, expressed as a classless inter-domain routing (CIDR) range, that complies with their security policies.
As a result, developers are able to remediate the issue before it leaves a developer workstation, gets pushed to a git repository, or is provisioned in the cloud. They’ve saved time and headaches, ensuring that their cloud environment is secure and compliant with industry — and their security team’s — standards.
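To make the check in this scenario concrete, here is a small illustration written for this article (not Terrascan’s own code or its Rego policy format) of the logic such a policy applies: it walks Terraform configuration in JSON syntax (.tf.json), which the Python standard library can parse, and flags any aws_security_group ingress rule that admits TCP/22 from every address. The two configurations below, the open security group and the same group restricted to an internal subnet, are constructed samples; the resource and subnet names are assumptions.

```python
"""
Toy infrastructure-as-code check in the spirit of the Terrascan finding described
above: flag AWS security group ingress rules that expose SSH (TCP/22) to the
whole Internet. Illustration written for this article, not Terrascan's own code.
It reads Terraform's JSON configuration syntax (.tf.json) because that can be
parsed with the standard library; the resource names below are constructed.
"""
import ipaddress
import json

SSH_PORT = 22


def _covers_port(rule: dict, port: int) -> bool:
    """True if the ingress rule's port range includes `port`.
    Protocol "-1" is AWS shorthand for all traffic on all ports."""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return int(rule.get("from_port", 0)) <= port <= int(rule.get("to_port", 0))


def _is_world_open(cidr: str) -> bool:
    """True if the CIDR block admits every address (0.0.0.0/0 or ::/0)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def find_open_ssh(tf_json: dict) -> list:
    """Return (resource_name, cidr) pairs for every aws_security_group ingress
    rule that allows port 22 from anywhere."""
    findings = []
    groups = tf_json.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        # In Terraform JSON syntax a repeated block is a list of objects,
        # but a single block may also appear as one object.
        rules = body.get("ingress", [])
        if isinstance(rules, dict):
            rules = [rules]
        for rule in rules:
            if not _covers_port(rule, SSH_PORT):
                continue
            cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            for cidr in cidrs:
                if _is_world_open(cidr):
                    findings.append((name, cidr))
    return findings


# Constructed sample: the misconfiguration the case study describes.
VULNERABLE = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion-sg",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    }
  }
}
""")

# Constructed sample: the same group after restricting SSH to an internal subnet
# (10.20.0.0/16 is an assumed corporate range).
HARDENED = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion-sg",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp",
           "cidr_blocks": ["10.20.0.0/16"]}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_open_ssh(cfg))
```

The first configuration yields one finding for the bastion group; the hardened one yields none, which is the state the security team in the scenario wants before the code leaves the workstation. With the real tool, the equivalent check over a directory of Terraform files is `terrascan scan -i terraform -d <dir>`, where the directory path is whatever your project uses.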
Terrascan has more than 500 built-in policies. By integrating Terrascan into CI/CD pipelines, developers ensure their code is scanned for security issues at every stage of development. They’re making sure that only secure code makes it into production.
In summary, open-source tools like Terrascan are an important part of ensuring security in cloud infrastructure. By standardizing security policies and democratizing access to them, the cloud-native community can work together to identify and mitigate potential risks, ultimately creating a more secure cloud environment for everyone.
Published at DZone with permission of Christina DePinto. See the original article here.