Vendor says new infrastructure-as-code (IaC) scanning features will help teams develop and run secure code as software development and supply chain security continues to be high on the agenda.

Credit: Brayden George modified by IDG Comm.

GitGuardian has added infrastructure-as-code (IaC) scanning to its code security platform to enhance the security of software development. The firm said the new feature will help security and development teams write, maintain, and run secure code, protecting the software development lifecycle (SDLC) against risks such as tampering, code leakage and hardcoded credentials. The release reflects a growing industry focus on improving the cybersecurity of software development processes to better protect widely used resources and supply chains from cyberthreats.

Initial IaC focus on Terraform and AWS, Azure and Google Cloud to follow

In a press release, GitGuardian stated that, while software-defined infrastructure unlocks speed and consistency for engineering teams, it is still fraught with risks. Gartner predicts that by 2023 at least 99% of cloud security failures will be due to user fault and misconfigurations. Such errors propagate from code to cloud-native environments, exposing critical workloads and resources along the way, it added.

GitGuardian said its new IaC scanning has been built to help cloud security teams protect their organization’s infrastructure at the source by probing for security misconfigurations. The company is delivering this through ggshield, its popular open-source command-line interface (CLI) for developers, it added. The initial IaC release will focus on Terraform and AWS, but GitGuardian outlined plans to enrich its policies directory, support additional cloud service providers such as Azure and Google Cloud Platform, and integrate scanning natively into developer workflows on GitHub, GitLab, or Bitbucket in the future.
It is also exploring opportunities in areas such as static application security testing (SAST) and software composition analysis (SCA), the firm added.

Identify, correct IaC security misconfigurations early in SDLC

Speaking to CSO, GitGuardian co-founder and CTO Eric Fourrier says that misconfigured infrastructure is one of the top five vulnerabilities identified by OWASP, and that DevOps engineers are under pressure to deliver new features while also needing to manage all the configuration required for the services their applications run on. “It can be easy to overlook all the needed manual checks for securing their infrastructure as code. Sometimes it is as simple as forgetting to restrict traffic to their resources or failing to encrypt storage systems like databases. Or it could be as serious as leaving hardcoded credentials in configuration files.”

Organizations must protect their cloud infrastructure at the source code level as early in the SDLC as possible, he adds. “They must identify and correct any IaC security misconfigurations before they are pushed toward production, shifting the security left. Instead of just attacking customer-facing applications, it is becoming more and more common for bad actors to go after all parts of an organization’s infrastructure, at multiple points along the SDLC. As GitOps and CI/CD have created software factories, there are many more targets that increase the attack surface beyond the code produced by development teams, including open-source libraries, APIs, containers, and a growing list of services.”

Software development security high on the agenda

Software development security has been a hot topic recently, with other resources released this year to help improve the cybersecurity of the SDLC amid the significant threats organizations face.
A prime example is detailed guidance from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA), published in August, advising developers how to better secure the software supply chain, with a significant focus on open-source software. The guidance outlined advice in line with industry best practices and principles that software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

Speaking to CSO in September, Dave Stapleton, CISO at CyberGRX, predicted that the new US-led guidance will have a positive impact across the globe as supply chains cross city, state, country, and continent lines. “One important point brought up by the federal government is that many remediation and mitigation approaches will depend heavily on upstream and downstream stakeholders, evoking the shared responsibility model,” he added.

The US National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) also both published new software development and supply chain security guidance in the last few months, again outlining strategies and best practices for managing and evaluating software lifecycles.
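The three misconfigurations Fourrier lists above (unrestricted traffic to a resource, unencrypted storage, hardcoded credentials in configuration files) are exactly the kind of thing an IaC scanner is meant to catch before code is pushed toward production. The script below is an added example written for this article; it is not GitGuardian’s ggshield, nor any of its policies. It parses a small constructed Terraform/AWS snippet with a minimal brace-matching parser (an assumption that is good enough for this subset of HCL, not a full HCL parser) and reports findings for open security-group ingress, databases and EBS volumes without at-rest encryption, and credential-like attributes assigned a string literal. The sample resources, rule identifiers and attribute patterns are all constructed for the example.

```python
"""Toy scanner for three common Terraform/AWS misconfigurations (added example, not ggshield)."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id
    resource: str  # Terraform address, e.g. aws_db_instance.app
    detail: str    # explanation; never echoes a secret value

# Constructed sample input: one open security group, one weak DB, one DB done right.
SAMPLE_TF = """
resource "aws_security_group" "web" {
  name = "web"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "app" {
  storage_encrypted = false
  password          = "SuperSecret123!"
}

resource "aws_db_instance" "good" {
  storage_encrypted = true
  password          = var.db_password
}
"""

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
INGRESS_RE = re.compile(r"\bingress\s*\{")
# Credential-looking attribute assigned a quoted literal rather than a var/data reference.
SECRET_ATTR_RE = re.compile(r'^\s*(\w*(?:password|secret|token|access_key)\w*)\s*=\s*"[^"]*"', re.I | re.M)
ANY_ADDRESS = ("0.0.0.0/0", "::/0")
# Resource type -> attribute that enables at-rest encryption (both default to false when unset).
ENCRYPTION_ATTR = {"aws_db_instance": "storage_encrypted", "aws_ebs_volume": "encrypted"}

def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the '{' at index open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def parse_resources(hcl: str) -> list[tuple[str, str, str]]:
    """Return (type, name, body) for each top-level resource block."""
    return [(m.group(1), m.group(2), _block_body(hcl, m.end() - 1))
            for m in RESOURCE_RE.finditer(hcl)]

def check_open_ingress(rtype: str, addr: str, body: str) -> list[Finding]:
    """Flag security-group ingress rules that accept traffic from any address."""
    if rtype != "aws_security_group":
        return []
    return [Finding("open-ingress", addr, "ingress rule allows traffic from any IPv4/IPv6 address")
            for m in INGRESS_RE.finditer(body)
            if any(cidr in _block_body(body, m.end() - 1) for cidr in ANY_ADDRESS)]

def check_unencrypted_storage(rtype: str, addr: str, body: str) -> list[Finding]:
    """Flag storage resources whose encryption flag is false or missing (unset means off)."""
    attr = ENCRYPTION_ATTR.get(rtype)
    if attr is None:
        return []
    m = re.search(rf"\b{attr}\s*=\s*(true|false)", body)
    if m is None or m.group(1) == "false":
        return [Finding("unencrypted-storage", addr, f"{attr} is not set to true")]
    return []

def check_hardcoded_credentials(rtype: str, addr: str, body: str) -> list[Finding]:
    """Flag credential-like attributes holding a string literal instead of a reference."""
    return [Finding("hardcoded-credential", addr, f'attribute "{m.group(1)}" is a string literal (value redacted)')
            for m in SECRET_ATTR_RE.finditer(body)]

CHECKS = (check_open_ingress, check_unencrypted_storage, check_hardcoded_credentials)

def scan(hcl: str) -> list[Finding]:
    """Run every check over every resource block and collect the findings."""
    findings: list[Finding] = []
    for rtype, name, body in parse_resources(hcl):
        for check in CHECKS:
            findings.extend(check(rtype, f"{rtype}.{name}", body))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_TF):
        print(f"[{f.rule}] {f.resource}: {f.detail}")
```

Running the script reports one open-ingress finding for the security group and two findings for the `app` database, while the `good` database, which enables encryption and takes its password from a variable, produces none. Two design points matter for a scanner that runs in developer workflows: a missing encryption attribute is treated as a failure rather than as unknown, because the provider default is off, and the hardcoded-credential finding deliberately omits the matched value so that the scan report cannot itself become a second copy of the secret.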