It is no big secret that infrastructure has changed over the last decade. We went from tools such as autossh to configuration management, and ended up with Infrastructure as Code (IaC) concepts. We came a long way from racking servers and spinning up machines by hand, and are now opting to leave that work to cloud providers large and small.
For setting up and managing the modern infrastructure, tools such as CloudFormation or Terraform are rapidly becoming unavoidable. Codifying everything, including every infrastructure component, is fast becoming a daily routine for every system administrator, developer, and DevOps practitioner.
With these new concepts and tools come numerous benefits, but also some potential issues. With every change, there is an increasing chance of introducing drift between the state of real-world infrastructure and the state described in the source code management (SCM) solution like GitHub or GitLab. Ensuring that the infrastructure-level tooling is used in a secure manner while keeping it accessible to both system administrators and developers is a hard challenge for most organizations.
Improving the insight into the state of infrastructure security for developers, system administrators and security teams is an objective that Accurics tries to reach with their software offering. So far, they seem to be on the right track for making IaC concepts accessible to all three of the aforementioned categories.
Keeping your IaC solution safe and minimizing configuration drift between SCM and real-world infrastructure
Launching from stealth in April 2020, Accurics aims to be a developer-first cybersecurity startup. With a strong focus on shifting security left, into the development phase, the software allows users to identify potential security issues early in the development cycle, when they are easier to mitigate.
Accurics aims to help with common Infrastructure as Code tooling, like Terraform, Kubernetes YAML or OpenFaaS YAML files. It detects vulnerabilities in those files before the infrastructure is deployed. Even better, it provides visualization and impact assessment by showing potential breach paths, so you can see how a series of vulnerabilities can be chained into an issue affecting the security of your infrastructure.
The solution boasts features such as self-healing (which makes it easy to fix potential issues through automation) and drift remediation. It has numerous integrations available out of the box and numerous implementation possibilities. To quote an old song, “Papa’s got a brand new bag”.
We already mentioned some of the challenges in terms of modern infrastructure. If we add modern infrastructure management and application delivery approaches such as GitOps and bring in container management platforms like Kubernetes, it is clear that any solution trying to make sure your infrastructure is safe has its work cut out for it. Luckily, Accurics brings something to the table for each of these areas.
There is built-in support for Kubernetes-related tools such as Helm or Kustomize, along with Terraform in terms of the underlying infrastructure. In terms of cloud vendors, there is support for AWS, GCP and Azure.
Want a hybrid or on-premises approach? There is support for that as well. In terms of SCM tooling, there is support for GitLab, GitHub and Bitbucket. Want the software to do more than just opening a pull request, with proper comments along with security fixes? Have it ping you on Slack or update the appropriate Jira ticket.
In terms of cloud support, AWS and Azure are both first-class citizens, while the GCP part is mostly oriented towards supporting the Kubernetes offering at this time. Accurics makes it easy for the end user to leverage various rule packs, which bring additional checks to the cloud environments (e.g., CIS benchmark). The software can check things such as VPCs, IAM account permissions, or S3 access rights, making sure that proper restrictions are in place. For building custom rules, a Custom Policy Builder tool is available in the UI.
When scanning for security issues, the software relies on both MITRE ATT&CK and the Cyber Kill Chain methodologies. The UI makes it easy to visualize potential issues, with the appropriate security context. Support for compliance checks is also present and visible in a separate tab in the UI. Compliance state is visualized on the IaC, Kubernetes and infrastructure level.
Standing on the shoulders of giants
Along with the commercial offerings, there are several open-source projects you can leverage to get a better insight into what Accurics is all about. The open-source scanning tool leveraged by the commercial offering is built around the Terrascan project.
The repository contains numerous rules which can be applied out of the box to your infrastructure, giving you additional insight into the state of your infrastructure security. The rule format is somewhat specific and depends on a customized version of the Rego parser, in order to improve rule readability and increase the level of abstraction and reusability of the rules themselves.
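To make the two ideas discussed above concrete, the policy checks on IaC files (public S3 access rights and overly broad IAM permissions) and the detection of drift between the code and the real-world account, here is a small added illustration. It is written for this article and is not Accurics or Terrascan code; Terrascan expresses its rules in Rego, whereas this example uses plain Python so the logic is visible in one place. It reads a configuration in Terraform's JSON syntax (the .tf.json shape), applies two checks, and then compares the declared bucket ACLs against a constructed snapshot of the "live" account. All bucket names, policy names and the live snapshot are constructed sample data.

```python
"""Added example: a minimal IaC policy check plus drift detection.

Illustrative code for this article, not Accurics or Terrascan code. The input
follows Terraform's JSON configuration syntax; the "live" snapshot stands in
for whatever an account inventory would return. All values are constructed.
"""
import json
from typing import Dict, List

# Constructed IAM policy documents, embedded in the Terraform config below.
IAM_ALLOW_ALL = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_SCOPED = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": "arn:aws:s3:::example-logs/*"}]}

# Constructed configuration in .tf.json shape (resource -> type -> name -> attrs).
TF_CONFIG = {
    "resource": {
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "private"},
            "assets": {"bucket": "example-assets", "acl": "public-read"},
        },
        "aws_iam_policy": {
            "ops": {"name": "ops", "policy": json.dumps(IAM_ALLOW_ALL)},
            "reader": {"name": "reader", "policy": json.dumps(IAM_SCOPED)},
        },
    }
}

# Constructed snapshot of the account: the logs bucket was flipped to
# public-read by hand, so code and reality no longer agree.
LIVE_STATE = {
    "aws_s3_bucket": {
        "example-logs": {"acl": "public-read"},
        "example-assets": {"acl": "public-read"},
    }
}

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def resources(config: Dict, rtype: str):
    """Yield (name, attributes) for every resource of one Terraform type."""
    for name, attrs in config.get("resource", {}).get(rtype, {}).items():
        yield name, attrs


def check_public_buckets(config: Dict) -> List[str]:
    """Policy 1: flag S3 buckets declared with a public canned ACL."""
    findings = []
    for name, attrs in resources(config, "aws_s3_bucket"):
        if attrs.get("acl", "private") in PUBLIC_ACLS:
            findings.append(f"aws_s3_bucket.{name}: public ACL {attrs['acl']!r}")
    return findings


def check_wildcard_iam(config: Dict) -> List[str]:
    """Policy 2: flag IAM policies that Allow Action "*" on Resource "*"."""
    findings = []
    for name, attrs in resources(config, "aws_iam_policy"):
        doc = json.loads(attrs["policy"])
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for st in statements:
            actions = st.get("Action", [])
            targets = st.get("Resource", [])
            actions = [actions] if isinstance(actions, str) else actions
            targets = [targets] if isinstance(targets, str) else targets
            if st.get("Effect") == "Allow" and "*" in actions and "*" in targets:
                findings.append(f"aws_iam_policy.{name}: Allow * on *")
    return findings


def detect_drift(config: Dict, live: Dict) -> List[str]:
    """Compare declared bucket ACLs with the live snapshot, keyed by bucket name."""
    drift = []
    live_buckets = live.get("aws_s3_bucket", {})
    declared_names = set()
    for _, attrs in resources(config, "aws_s3_bucket"):
        bucket = attrs["bucket"]
        declared_names.add(bucket)
        declared = attrs.get("acl", "private")
        actual = live_buckets.get(bucket, {}).get("acl")
        if actual is None:
            drift.append(f"{bucket}: declared in code but missing from the account")
        elif actual != declared:
            drift.append(f"{bucket}: acl declared {declared!r}, live {actual!r}")
    for bucket in live_buckets:
        if bucket not in declared_names:
            drift.append(f"{bucket}: exists in the account but not in code")
    return drift


def scan(config: Dict, live: Dict) -> Dict[str, List[str]]:
    """Run both policy checks and the drift comparison in one pass."""
    return {
        "policy": check_public_buckets(config) + check_wildcard_iam(config),
        "drift": detect_drift(config, live),
    }


if __name__ == "__main__":
    for section, items in scan(TF_CONFIG, LIVE_STATE).items():
        print(section)
        for item in items:
            print("  -", item)
```

Run stand-alone, the script reports two policy findings (the public assets bucket and the wildcard ops policy) and one drift finding (the logs bucket that is private in code but public in the account). The drift check deliberately reports in both directions: resources declared but absent, and resources present but undeclared, since either case means the code no longer describes reality.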
If you’re looking for integration possibilities in terms of CI, make sure you check out the terrascan-action project.
Building a software solution that aims to be developer-centric, while providing visibility into both the state of the real-world infrastructure and the state defined in an SCM solution, and ensuring that the appropriate rules (whether at the organizational or regulatory level) are enforced, is challenging.
Combining that with self-healing concepts and a usable UI raises the challenge to the next level, which is why only a small number of companies have the expertise to take on this kind of problem.
So far, Accurics looks to have chosen a winning approach to solving that problem. With experienced security startup people in the key positions to steady the ship, there is every indication that they will stay the course.
Contributing author: Tonimir Kisasondi, co-founder at Apatura.