Risk Ranking Terraform Changes

Rich Seiersen

Understanding Cloud Infrastructure Blast Radius in Modern Cloud Development

TL;DR: Can you reason about the security impact of a Terraform change? The last thing you want is for a small change to blow something up. We’re helping customers perform static IaC security assessments early in development. If a team needs to make a change or update, our platform helps you understand the security impact of the change if it were executed, and alerts on and/or blocks issues before things can blow up.

“Context is worth 80 IQ points.” – Alan Kay

The Importance of Scanning for Security Hygiene

We all know that security scanning is a good practice to proactively reduce risk. Scan the clouds, application code, container images – scan anything and everything! It’s what security teams do. We take pride in knowing what we have, what state it’s in, and we want to do whatever we can to find issues before the bad guys do.

It’s important to work security scanning into software development cycles in an efficient, non-disruptive way, especially when development teams are frequently deploying and updating code and security teams are vastly outnumbered.

Static IaC Testing for Developers

For modern software development, developers are provisioning and updating their code straight into production in the cloud. They are able to do this by using declarative Infrastructure as Code (IaC) – things like Terraform, CloudFormation, Kubernetes manifests, Helm Charts, etc. – to automate provisioning their cloud infrastructure.

The code manages the resources for their applications – servers, databases, networks, logs, application deployment, and configurations. The advantage is that developers can provision their own infrastructure using software development practices – writing, testing, and executing code. If they want to make changes or tear down the infrastructure, they code it, test it, and deploy the changes.

While developers are experts on their applications, they have varying skills and experience in testing and provisioning IaC. There are a variety of excellent open source IaC testing solutions, but developers may or may not be using them.

At Soluble, we give developers access to leading IaC testing solutions so they can run the tests, identify any issues or misconfigurations, and fix them before committing code. Integrating the IaC scanning into their continuous integration/continuous delivery (CI/CD) workflows makes it easy for them to run the scans, just as they would scan their code or do QA, before pushing it to production.

Context for Prioritizing Work

In my last blog post, I talked about the need to stay on top of your cloud native security capabilities and how to use them to your advantage. The key to getting the upper hand is context.

Scanning alone lacks context. For example, a scanner may think nothing of an IAM or security group change a developer makes on an S3 bucket: it is not aware of your runtime IAM policy, nor of the cloud resources connected to that bucket, so it can’t alert you to the far-reaching impact of the change.

What’s important is helping developers use IaC testing tools effectively, and giving them the right data, with as much context as possible, in their tool chains and pipelines during their development cycles so they can fix issues. You want to do this in a way that doesn’t overwhelm them with extra work or noise.

Understanding Blast Radius of Terraform Changes

At Soluble, we’re helping customers understand the impact of code changes on their security posture. This way, when a pull request (PR) comes up, they can understand the security implications without having to open the PR and examine it. Also, if there is a security issue, they can prioritize their work. Do they need to take action right now, in an hour, in a day…or which ones can wait until the next sprint?

Our platform uses the information from the code repository and IaC scans, and correlates it with results in IAM policies and runtime cloud states.

By forecasting possible cascading impacts, it helps prioritize issues and take action when it counts – alerting on issues to fix, or blocking changes that would have ill effects.
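To make the idea of correlating a plan with runtime state concrete, here is an added, hypothetical example (not Soluble’s platform or code). It parses a constructed fragment in the shape of `terraform show -json` output (the `resource_changes` list), joins each changed resource to a constructed inventory of what is deployed and what depends on it, and ranks the findings by a blast-radius score. The check rules, the `RUNTIME` inventory, the classification weights and the alert/block threshold are all illustrative assumptions.

```python
"""Rank Terraform plan changes by security impact using runtime context.

Hypothetical example. The plan fragment and runtime inventory are constructed
inline; the rule set and scoring weights are illustrative, not a standard.
"""
import json

# Constructed plan fragment; keys follow the `terraform show -json` plan format.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["update"],
                "before": {"bucket": "app-logs", "block_public_acls": True,
                           "restrict_public_buckets": True},
                "after": {"bucket": "app-logs", "block_public_acls": False,
                          "restrict_public_buckets": False}}},
    {"address": "aws_security_group_rule.db_ingress",
     "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "before": None,
                "after": {"security_group_id": "sg-db", "type": "ingress",
                          "from_port": 5432, "to_port": 5432,
                          "cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_cloudwatch_log_group.app",
     "type": "aws_cloudwatch_log_group",
     "change": {"actions": ["update"],
                "before": {"name": "/app", "retention_in_days": 30},
                "after": {"name": "/app", "retention_in_days": 90}}},
]})

# Constructed runtime inventory (assumed): data classification of each resource
# and the deployed workloads that depend on it. A real system would pull this
# from the cloud account and the IAM policies in effect.
RUNTIME = {
    "app-logs": {"classification": "internal",
                 "dependents": ["lambda/ingest", "athena/audit"]},
    "sg-db": {"classification": "sensitive",
              "dependents": ["rds/customers", "rds/customers-replica"]},
    "/app": {"classification": "internal", "dependents": []},
}

# Illustrative weights: how much a misconfiguration matters per data class.
CLASS_WEIGHT = {"public": 1, "internal": 2, "sensitive": 4}
BLOCK_THRESHOLD = 12  # assumed: scores at or above this block the PR


def check_public_access_block(rc):
    """Flag an update that switches off S3 public-access protections."""
    before = rc["change"].get("before") or {}
    after = rc["change"].get("after") or {}
    relaxed = [k for k in ("block_public_acls", "restrict_public_buckets")
               if before.get(k) and not after.get(k)]
    if relaxed:
        return "relaxes " + ", ".join(relaxed), 3, after.get("bucket")
    return None


def check_open_ingress(rc):
    """Flag an ingress rule that admits traffic from the whole internet."""
    after = rc["change"].get("after") or {}
    if after.get("type") == "ingress" and "0.0.0.0/0" in after.get("cidr_blocks", []):
        port = after.get("from_port")
        return f"ingress from 0.0.0.0/0 on port {port}", 4, after.get("security_group_id")
    return None


# Resource type -> check. Types with no check (e.g. the log group) are skipped.
CHECKS = {
    "aws_s3_bucket_public_access_block": check_public_access_block,
    "aws_security_group_rule": check_open_ingress,
}


def rank_changes(plan_json, runtime):
    """Return findings sorted by score: base severity x data class + dependents."""
    findings = []
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["change"]["actions"] in (["no-op"], ["read"]):
            continue  # nothing is provisioned or changed
        check = CHECKS.get(rc["type"])
        hit = check(rc) if check else None
        if not hit:
            continue
        reason, base, key = hit
        ctx = runtime.get(key, {"classification": "public", "dependents": []})
        score = base * CLASS_WEIGHT[ctx["classification"]] + len(ctx["dependents"])
        findings.append({"address": rc["address"], "reason": reason,
                         "blast_radius": ctx["dependents"], "score": score,
                         "action": "block" if score >= BLOCK_THRESHOLD else "alert"})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in rank_changes(PLAN_JSON, RUNTIME):
        print(f"{f['action']:5} {f['score']:3} {f['address']}: {f['reason']} "
              f"(affects {', '.join(f['blast_radius']) or 'nothing deployed'})")
```

The log-retention change passes through with no finding, the bucket change is surfaced as an alert because two internal workloads read from it, and the database security group rule scores highest and is blocked because it exposes a sensitive datastore with two dependents. The point is the join: the same plan line scores very differently depending on what is attached to the resource at runtime.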

Can you understand the security implications of a Terraform change? Would you like to try Soluble to gain context of how the change affects your security posture? Contact us to connect to our platform. We’d love to get your feedback.