2023 - Q3 OWASP Meetup: IaC Security w/ Jon Zeolla


Details
IaC Security
Jon Zeolla
Let's talk through the progression of Infrastructure as Code (IaC) in a company that has embraced cloud native practices, and how you can quickly get to the point of having many modular repos, all independently versioned and maintained, and consumed by other IaC. Then I will discuss how you can add security to these repos in a way that respects your development/SRE teams: teams manage and configure their tools independently and in a distributed manner, while you retain centralized visibility (through logs and metrics extracted from their pipelines, with associated dashboards and SLAs/SLOs/SLIs) and the ability to quickly deploy new IaC-specific security policies. We will also discuss a reasonable on-ramp, ensuring that teams don't need to triage piles of findings only to discover that most of them are false positives or low-priority noise. This will include a discussion of a real-world roll-out, and a method that was developed to add passive security scans to existing IaC pipelines with no changes other than running the existing commands (terraform, ansible, etc.) inside a new Docker container.
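The "passive scan" pattern the abstract describes, as an added example that is not the speaker's code or the tooling used in the roll-out: a POSIX sh wrapper meant to be the entrypoint of a replacement runner image. The team keeps invoking `terraform plan` (or any other command) exactly as before; the wrapper runs it unchanged, then scans the working tree and appends one JSON line to a log sink that a central collector can tail, without ever altering the original command's exit status. The scanner here (`demo_scanner`), the sink path (`IAC_LOG_SINK`) and the JSON field names are all assumptions constructed for this example; in a real roll-out the scanner would be a product such as the ones the talk covers.

```shell
#!/bin/sh
# Added example, not from the talk: passive IaC scan wrapper in the style the
# abstract describes. Intended use: make this the ENTRYPOINT of the container
# the pipeline already runs its IaC commands in, so that
#   terraform plan -out=tfplan
# becomes
#   passive_scan_wrap terraform plan -out=tfplan
# without anyone editing the pipeline steps themselves.

# IAC_LOG_SINK: file (or FIFO) the central collector tails. Assumed default.
: "${IAC_LOG_SINK:=/tmp/iac-security.jsonl}"

# demo_scanner DIR -> one finding per line on stdout; exit 0 if clean, 1 otherwise.
# Stand-in for a real IaC scanner. It only flags security-group style rules that
# are open to the world in *.tf files, so that the example runs offline.
demo_scanner() {
  dir=$1
  found=0
  for f in "$dir"/*.tf; do
    [ -f "$f" ] || continue
    if grep -n '0\.0\.0\.0/0' "$f" >/dev/null 2>&1; then
      grep -n '0\.0\.0\.0/0' "$f" | while IFS= read -r line; do
        printf 'OPEN_INGRESS %s:%s\n' "$f" "$line"
      done
      found=1
    fi
  done
  return $found
}

# json_escape STR -> STR with backslashes and quotes escaped and newlines as \n
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' \
    | awk 'NR>1{printf "\\n"} {printf "%s", $0}'
}

# passive_scan_wrap CMD [ARGS...]
# Runs CMD unchanged in the current directory, then scans that directory and
# appends a JSON line to $IAC_LOG_SINK. Returns CMD's own exit status, never
# the scanner's: findings are surfaced centrally, not by breaking the build.
passive_scan_wrap() {
  cmd_status=0
  "$@" || cmd_status=$?

  scan_status=0
  scan_out=$(demo_scanner "$PWD") || scan_status=$?
  n_findings=0
  [ -n "$scan_out" ] && n_findings=$(printf '%s\n' "$scan_out" | wc -l | tr -d ' ')

  printf '{"ts":"%s","repo":"%s","command":"%s","cmd_exit":%d,"scan_exit":%d,"findings":%d,"details":"%s"}\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$(json_escape "$(basename "$PWD")")" \
    "$(json_escape "$*")" \
    "$cmd_status" "$scan_status" "$n_findings" \
    "$(json_escape "$scan_out")" >>"$IAC_LOG_SINK"

  return $cmd_status
}

# findings_total SINK -> sum of the "findings" field over every line in SINK.
# The kind of number a dashboard or SLI would be built from.
findings_total() {
  awk -F'"findings":' '{ split($2, a, ","); s += a[1] } END { print s + 0 }' "$1"
}

# Usage (uncomment to try interactively):
# passive_scan_wrap terraform plan
# findings_total "$IAC_LOG_SINK"
```

Two design points worth noting. The wrapper captures the command's status with `cmd || status=$?` so it behaves the same whether or not the pipeline shell runs with `set -e`, and the scanner's own status is recorded in the log line rather than returned, which is exactly what keeps the roll-out passive while still giving the central dashboards the data to decide later which checks are worth gating on.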
