GitGuardian adds IaC scanning to code security platform to protect SDLC


GitGuardian has added infrastructure-as-code (IaC) scanning to its code security platform to strengthen the security of software development. The firm said the new feature will help security and development teams write, maintain, and run secure code, protecting the software development lifecycle (SDLC) against risks like tampering, code leakage, and hardcoded credentials. The release reflects a growing industry focus on improving the cybersecurity of software development processes to help better protect widely used resources and supply chains from cyberthreats.

Initial IaC focus on Terraform and AWS, with Azure and Google Cloud to follow

In a press release, GitGuardian said that, while software-defined infrastructure unlocks velocity and consistency for engineering teams, it is still fraught with risks. Gartner predicts that at least 99% of cloud security failures will be due to customer fault and misconfigurations by 2023. Such errors propagate from code to cloud-native environments, exposing critical workloads and assets along the way, it added.

GitGuardian said its new IaC scanning has been built to help cloud security teams protect their organization's infrastructure at the source by probing for security misconfigurations. What's more, the company is enabling this through its popular open-source command-line interface (CLI) for developers, ggshield, it added. The initial IaC release will focus on Terraform and AWS, but GitGuardian outlined plans to enrich its policies list, support additional cloud service providers like Azure and Google Cloud Platform, and integrate scanning natively into developer workflows on GitHub, GitLab, or Bitbucket in the future. It is also exploring opportunities in areas such as static application security testing (SAST) and software composition analysis (SCA), the firm added.

Identify and correct IaC security misconfigurations early in the SDLC

Speaking to CSO, GitGuardian co-founder and CTO Eric Fourrier says that misconfigured infrastructure is among the top five vulnerabilities identified by OWASP, and DevOps engineers are under pressure to deliver new features while also needing to manage all the configuration needed for the services their applications run on. “It can be easy to overlook all the needed manual checks for securing their infrastructure as code. Sometimes it is as simple as forgetting to restrict traffic to their resources or failing to encrypt storage systems like databases. Or it could be as serious as leaving hardcoded credentials in configuration files.”
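As an added illustration of the three misconfiguration classes Fourrier names (unrestricted traffic, unencrypted storage, hardcoded credentials), this small Python checker flags them in a constructed Terraform snippet; it is not GitGuardian's or ggshield's code, and the resource names, the rule names and the regex-based block splitting are assumptions for illustration only.

```python
import re

# Constructed sample Terraform; resource names are invented for illustration.
SAMPLE_TF = '''
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "orders" {
  engine   = "postgres"
  username = "app"
  password = "Sup3rS3cret!"
}

resource "aws_db_instance" "audit" {
  storage_encrypted = true
  password          = var.audit_db_password
}
'''

# Top-level resource blocks: (type, name, body). Nested blocks close with an
# indented "}", so the first "\n}" ends the resource. A real scanner parses HCL.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Ingress rule open to the whole internet.
OPEN_INGRESS_RE = re.compile(r'ingress\s*\{[^}]*"0\.0\.0\.0/0"')
# Credential-like attribute set to a literal string (var.* references are fine).
SECRET_RE = re.compile(r'\b(password|secret|access_key|token)\s*=\s*"[^"]+"')

def scan_terraform(text):
    """Return (resource_address, finding) pairs, in file order."""
    findings = []
    for rtype, name, body in BLOCK_RE.findall(text):
        addr = f"{rtype}.{name}"
        if rtype == "aws_security_group" and OPEN_INGRESS_RE.search(body):
            findings.append((addr, "unrestricted ingress"))
        if rtype == "aws_db_instance" and not re.search(r"storage_encrypted\s*=\s*true", body):
            findings.append((addr, "storage not encrypted"))
        if SECRET_RE.search(body):
            findings.append((addr, "hardcoded credential"))
    return findings

if __name__ == "__main__":
    for addr, finding in scan_terraform(SAMPLE_TF):
        print(f"{addr}: {finding}")
```

Run against the sample, the checker reports the open SSH ingress and both problems on the `orders` database, while the `audit` database, which is encrypted and takes its password from a variable, produces no findings.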

Organizations must protect their cloud infrastructure at the source code level as early in the SDLC as possible, he adds. “They have to identify and correct any IaC security misconfigurations before they are pushed toward production, shifting security left. Instead of just attacking customer-facing applications, it is becoming more and more common for bad actors to go after all parts of an organization's infrastructure, at multiple points along the SDLC. As GitOps and CI/CD have created software factories, there are many more targets that increase the attack surface beyond the code produced by development teams, including open-source libraries, APIs, containers, and a growing list of services.”

Software development security high on the agenda

Software development security has been a hot topic recently, with other resources released this year to help improve the cybersecurity of the SDLC amid significant threats posed to organizations. A prime example is detailed guidance from the US government's Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) advising developers on how to better secure the software supply chain, with a significant focus on open-source software, published in August.

The guidance outlined advice in line with industry best practices and principles that software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

Speaking to CSO in September, Dave Stapleton, CISO at CyberGRX, predicted that the new US-led guidance could have a positive impact across the globe as supply chains cross city, state, country, and continent lines. “One important point brought up by the federal government is that many remediation and mitigation approaches will rely heavily on upstream and downstream stakeholders, evoking the shared responsibility model,” he added.

The US National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) also both published new software development and supply chain security guidance in the past few months, again outlining strategies and best practices for managing and evaluating software lifecycles.

Copyright © 2022 IDG Communications, Inc.
