KICS - Keeping Infrastructure as Code Secure


About Checkmarx

Checkmarx is the global leader in software security solutions for modern enterprise software development. Checkmarx delivers the industry’s most comprehensive Software Security Platform that unifies with DevOps and provides static and interactive application security testing, software composition analysis and developer AppSec awareness and training programs to reduce and remediate risk from software vulnerabilities. Checkmarx is trusted by more than 40 percent of the Fortune 100 and half of the Fortune 50, including leading organizations such as SAP, Samsung and Salesforce.com.


Contact KICS core team at kics@checkmarx.com or join the chat on Gitter.


Infrastructure as Code

Infrastructure as Code (IaC) is the creation, provisioning and configuration of software-defined compute (SDC), network and storage infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

IaC automates the manual tasks usually associated with computing infrastructure configuration and implementation. By doing this, you can:

  • Speed up configuration and implementation of new computing infrastructure
  • Reduce the cost and resources needed to scale and manage large infrastructure
  • Eliminate the inconsistencies that inevitably occur when multiple individuals manually configure new equipment or applications

The core concepts of Infrastructure as Code are:

  • Defined in code
  • Stored in a repository
  • Declarative or Imperative
  • Idempotence and Consistency
  • Push or Pull

Main Benefits of Infrastructure as Code:

  • Fully automated deployment
  • Consistent environments
  • Repeatable process
  • Reusable components ("DRY")
  • Documented Architecture

Infrastructure as Code Testing

Infrastructure as Code testing examines configuration definitions and scripts used to instantiate infrastructure to ensure the resulting resources are secure.

IaC security testing tools must be able to consume configuration files and scripts in the relevant formats, apply tests to ensure conformance with common configuration hardening standards (e.g., the Center for Internet Security Benchmarks, among many others), identify security issues associated with specific operational environments, identify embedded secrets, and perform other tests supporting organization-specific standards and compliance requirements. Optionally, tools can automatically remediate errors (e.g., changing read/write permissions on storage resources). This capability specifically examines IaC testing in the context of the development process; however, tools may also support examination of deployed production instances and responding to issues identified in those systems.
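As an added illustration of the kind of analysis described above (example code, not part of KICS or of this page), the following Python scanner consumes a constructed Terraform JSON-syntax (`.tf.json`) document, applies one hardening check (publicly readable S3 bucket ACL) and one embedded-credential check, and reports findings with a path into the document. The check names, severities and the sample file are assumptions made for the example.

```python
import json
import re

# Constructed sample in Terraform's JSON syntax (.tf.json): a bucket with a
# public ACL, a private one, and a provider block with hard-coded credentials.
SAMPLE_TF_JSON = """{
  "provider": {"aws": {"region": "us-east-1", "access_key": "AKIAEXAMPLEEXAMPLE01",
                       "secret_key": "EXAMPLE-SECRET-do-not-use"}},
  "resource": {"aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "public-read"},
      "data": {"bucket": "example-data", "acl": "private"}}}
}"""

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
SECRET_ATTRS = {"secret_key", "password", "secret"}
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term access key id shape

def _leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _leaves(val, path + (key,))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _leaves(val, path + (str(idx),))
    else:
        yield path, node

def check_public_bucket(path, value):
    """Hardening check (CIS style): an S3 bucket ACL must not grant public access."""
    if path[:2] == ("resource", "aws_s3_bucket") and path[-1] == "acl" and value in PUBLIC_ACLS:
        return {"check": "S3_BUCKET_PUBLIC_ACL", "severity": "HIGH", "path": "/".join(path)}
    return None

def check_embedded_secret(path, value):
    """Secret detection: literal credentials; references such as ${var.x} are allowed."""
    if not isinstance(value, str) or value.startswith("${"):
        return None
    if path[-1] in SECRET_ATTRS or AWS_ACCESS_KEY_RE.search(value):
        return {"check": "HARDCODED_CREDENTIAL", "severity": "HIGH", "path": "/".join(path)}
    return None

def scan(tf_json_text):
    """Run every check over every leaf of the document and collect the findings."""
    findings = []
    for path, value in _leaves(json.loads(tf_json_text)):
        for check in (check_public_bucket, check_embedded_secret):
            finding = check(path, value)
            if finding:
                findings.append(finding)
    return findings
```

Calling `scan(SAMPLE_TF_JSON)` returns three findings: the two provider credentials and the `public-read` ACL on the `logs` bucket, while the `private` bucket is not reported.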