Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

Secure What You Build and Where You Run It:  Say Hello to the Infrastructure as Code Pack for Nexus Lifecycle

March 16, 2021 By Kevin Miller

What is the IaC Pack and Why Should You Care? 

The Infrastructure as Code Pack is a new add-on to Nexus Lifecycle that enables developers to easily find and fix security vulnerabilities in their cloud infrastructure templates.

Helping developers find and fix security vulnerabilities in third party libraries is already an extensive part of the Nexus Platform. Now, we’ve added the ability to simultaneously prevent security and compliance issues due to misconfigurations in Terraform files. All of this vulnerability information is displayed in the same report, bringing application health and cloud security together in one place. 

The IaC Pack is a critical step towards empowering Developers and Site Reliability Engineers (SREs) with guardrails and feedback early in the development process to catch cloud infrastructure configuration and compliance issues before they end up in production where they can be exploited by bad actors. (and no we don’t mean Nicolas Cage or Keanu Reeves) We want to make things as easy as possible for developers - and this is one additional way we’re trying to lessen the load that the modern developer now has to carry.

What is IaC?

Infrastructure as Code (IaC) uses scripts to automate the provisioning and modifying of IT infrastructure. Traditionally, managing servers and infrastructure was a very manual, time consuming process. Cloud native development and virtualization have helped eliminate the problem of physical hardware management, and IaC emerged as a framework for writing and deploying these configurations the same way you would any other line of code. IaC is a much more efficient way of building cloud infrastructure, but also comes with a lot of inherent security risks that need to be addressed to avoid breaches and keep your infrastructure safe. 

Cloud misconfigurations are the number one cause of cloud-based data breaches.

According to Gartner, cloud misconfigurations are the number one cause of cloud-based data breaches.

“Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.”

— Neil MacDonald, Gartner

The National Security Agency (NSA) agreed with this as well:

“Misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”

— The National Security Agency, Mitigating Cloud Vulnerabilities 

So what are these misconfigurations? Some common groups of cloud misconfigurations include:

  • Security Group Rules
  • Object storage access policies
  • Insecure IAM (Identity and access management) policies
  • Encryption
  • Logging

As a developer that sits on the front lines of application and infrastructure security, how do you protect against these configuration errors and ensure your cloud environments are safe? 

Compliance is Key for Cloud Infrastructure

Along with security considerations, every major industry has compliance standards that include controls for cloud infrastructure. If an organization is operating under regulations like HIPPA or GDPR for example, it is imperative that their infrastructure adheres to those specifications.

The real problem is there are hundreds if not thousands of security rules that apply to cloud infrastructure configurations, and those rules all map to the different compliance standards. The process of mapping all of these rules is very labor-intensive and time-consuming. It’s a good thing that Sonatype has already done that work!

The IaC Pack leverages the most comprehensive set of compliance policy mappings for cloud infrastructure, and we’ve added them to Nexus Lifecycle to ensure your infrastructure as code is both secure and compliant.

The IaC Pack provides out-of-the-box support for the following compliance standards:

  • CIS Foundations Benchmarks
  • CIS Docker Benchmark
  • CIS Controls
  • GDPR
  • HIPAA
  • ISO 27001
  • NIST 800-53
  • PCI
  • CSA Cloud Controls Matrix
  • SOC 2

What is Terraform?

Terraform is by far the most popular IaC tool, and can be used to build and manage cloud infrastructure across multiple providers including AWS, Azure, and GCP.

Because infrastructure can be very large and complex, a single Terraform file rarely expresses all of the configuration attributes for the infrastructure it’s creating. IaC is generally broken into chunks or separate files - similar to a manifest file in your application - outlining what you would like your infrastructure to look like (as declared).

A resolved Terraform plan gets generated during the build process, combining all of the terraform files into one consolidated view that more accurately represents your infrastructure. The Infrastructure as Code Pack scans this resolved Terraform plan, the actual infrastructure as it will be deployed, providing more accurate results than simply scanning or linting the individual terraform files. This helps eliminate false positives and ensures that you’re not wasting any time on work that isn’t critical to your infrastructure security or compliance.

Also keep an eye out for AWS Cloud Formation support coming soon.

Nexus Lifecycle combined with the Infrastructure as Code Pack gives you the information you need to choose the best open source components and avoid cloud infrastructure misconfigurations, all in the same place.

Want to learn more? 

Visit our website, or click here to schedule a demo of the IaC Pack. Not an existing Nexus Lifecycle customer? Learn more about keeping your applications secure with the Nexus Platform.

Tags: News and Views, Product, infrastructure as code

Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.