Security Superfriends Episode 7: James Sörling

Security Superfriends | James Sorling, Security Architect, WirelessCar

Shift Left Like A Boss!

You’re a developer turned security architect. You’re the only one at your company.

The teams you support make wireless automotive systems. Those systems talk to clouds – and they support some of the largest automobile manufacturers in the world.

Automobiles + Wireless + Clouds. It’s as security as it gets!

How do you, the lone security architect, make an impact? You shift left! That’s what James Sorling did. As security architect for WirelessCar, he met developers where they were, in their toolchains, and in their workflows – getting them to scan their infrastructure as code (IaC) early in development.

He considered the tools already deployed and in use by developers and devops. SonarQube was the main static analysis solution, and AWS CloudFormation was the IaC of choice for making resources in AWS.

James did two things:

  1. He became a contributor to CFN-nag, an IaC static analysis tool for AWS CloudFormation.
  2. He wrote an open source module that integrated CFN-nag into SonarQube. Now developers, DevOps, and SREs get their CloudFormation scanned during development, which catches security issues early and helps with compliance.
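To make the "scan IaC early" idea concrete, here is a small constructed example, not code from cfn-nag, the SonarQube plugin, or WirelessCar, of what such a static check does: it walks the `Resources` of a CloudFormation template (JSON form, embedded inline), flags S3 buckets without `BucketEncryption` and resources missing `team`/`owner` tags, honours a cfn-nag-style `Metadata`/`cfn_nag`/`rules_to_suppress` block so reviewed false positives stop firing, and groups the findings by a NIST 800-53 control id. The rule ids and the control mapping are illustrative assumptions for this example.

```python
"""Minimal CloudFormation IaC rule checker (constructed example, not cfn-nag)."""
import json
from dataclasses import dataclass

# Hypothetical rule ids -> (NIST 800-53 control, message). The control
# mapping is illustrative: SC-28 protects data at rest, CM-8 is component inventory.
RULES = {
    "S3_ENCRYPTION_MISSING": ("SC-28", "S3 bucket has no BucketEncryption"),
    "OWNER_TAGS_MISSING": ("CM-8", "resource lacks 'team' and 'owner' tags"),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    control: str
    logical_id: str
    message: str


def _tags(props):
    """Return the resource's Tags list as a key -> value dict."""
    return {t.get("Key"): t.get("Value") for t in props.get("Tags", []) if isinstance(t, dict)}


def _suppressed(resource, rule_id):
    """True if the template carries a cfn-nag style suppression for rule_id."""
    meta = resource.get("Metadata", {}).get("cfn_nag", {})
    return any(s.get("id") == rule_id for s in meta.get("rules_to_suppress", []))


def check_template(template):
    """Evaluate every resource against RULES and return the unsuppressed findings."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        candidates = []
        if resource.get("Type") == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            candidates.append("S3_ENCRYPTION_MISSING")
        if not {"team", "owner"} <= set(_tags(props)):
            candidates.append("OWNER_TAGS_MISSING")
        for rule_id in candidates:
            if _suppressed(resource, rule_id):
                continue  # reviewed and documented in the template itself
            control, message = RULES[rule_id]
            findings.append(Finding(rule_id, control, logical_id, message))
    return findings


def group_by_control(findings):
    """Map NIST control id -> list of offending logical resource ids (audit view)."""
    groups = {}
    for f in findings:
        groups.setdefault(f.control, []).append(f.logical_id)
    return groups


# Constructed sample template: one bad bucket, one good bucket, one with a
# documented suppression (encryption handled elsewhere, tags present).
TEMPLATE = json.loads("""
{
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "Tags": [{"Key": "team", "Value": "telematics"}, {"Key": "owner", "Value": "alice"}]
      }
    },
    "LegacyBucket": {
      "Type": "AWS::S3::Bucket",
      "Metadata": {"cfn_nag": {"rules_to_suppress": [
        {"id": "S3_ENCRYPTION_MISSING", "reason": "public static assets, reviewed"}]}},
      "Properties": {
        "Tags": [{"Key": "team", "Value": "web"}, {"Key": "owner", "Value": "bob"}]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for f in check_template(TEMPLATE):
        print(f"{f.rule_id} [{f.control}] {f.logical_id}: {f.message}")
    print(group_by_control(check_template(TEMPLATE)))
```

The suppression lives next to the resource it applies to, so the reason survives in version control and shows up in code review; the control grouping is the same view an auditor asks for ("show me every open SC-28 issue").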

I hope you enjoy this installment of Security Superfriends! Check out some edited highlights below, and be sure to watch the video or tune in via podcasts on our Soluble channels on Apple Podcasts, Spotify, Soundcloud, and Stitcher.


Rich Seiersen: Can you tell me about how you ended up being a committer to cfn-nag, and how you then ended up doing the open source module that you wrote for SonarQube?

James Sörling: I work at WirelessCar, and we work with connected cars for most of the major car manufacturers, like Volvo. Now it’s partly owned by Volkswagen, but we also have Nissan, Land Rover. Volkswagen used to have their own security standard, but then they migrated to use NIST 800-53. We were using AWS Config rules; we detected a lot of compliance issues with the deployment into the account, and it’s a bit too late. So we started using cfn-nag to detect things before they were deployed. But then you had a new problem – how do you handle false positives and things that you don’t really want to fix? Back then the only option was to add the info to your cloudspaces and stacks, so that really wasn’t easy to handle. So that’s why I wrote the SonarQube cloud native plugin – to get issues into SonarQube to increase the visibility. And, to have an audit record to see what was logged and who actually changed it.

RS: You are really talking about shifting left here – the developers are writing code, they’re defining cloud infrastructure; they’re working right in real time so that they can catch the mistakes, and even address what might be a false positive right there in development in real time. What I’m hearing is you actually orchestrated a complete shift left. And my question for you then is in terms of the developers at WirelessCar - how well has this been received?

JS: We already introduced SonarQube before we started using cfn-nag, so they were quite used to that pattern. But I think one of the other things is, for example, if you find an unencrypted S3 in our AWS account, maybe everything should have been tagged with the team and the owner, but in a lot of cases tags were missing, so then you sort of have to say, I know somebody deployed it but I can’t find which stack, right, so which GitHub repo does this S3 bucket belong to? So that’s why – to detect it while the CI/CD pipeline builds that stack, it’s a lot easier to find the correct resource as well.

RS: Right, so being able to say – because again in security right now what’s really popular is cloud security posture management scanning in runtime – but there’s no awareness typically of the tags of the resources, ownership. It’s just a complete black box, and what I’m hearing is you are able to resolve that, again, by being able to take care of the tagging in development.

JS: So one more thing as well that was connected to the security standard: once we have these rules in SonarQube, for example, I also added the NIST 800-53 grouping to the different rule set. So security for encryption in transit, for example, giving the developers a connection to a security control that they have to implement.

RS: How was it received? Was it making sense?

JS: When it comes to showing auditors that we do have these controls in place, we could group them by these controls and we could look at how many issues and in which progress you have issues, so it also helps to provide some proof.

RS: Ah. So for audit – that is key because audit can be really disruptive to development, devops, SREs. Audit will come in and they’ll spin a wheel and say, “Prove to me you’re doing x, y, and z,” and when it comes to things like development – again going back to the idea of traceability between the control, the actual runtime instantiated cloud resources all the way to the development process, being able to tie that together with a specific control. What I’m hearing is that you’ve solved that – you’ve made it easier to go through audit and you’ve made audit much more painless. Is that about right?

JS: Yeah for a subset of controls that are more tied directly to one type of AWS resource, for example.

RS: Right that makes a lot of sense. So security, as I’ve said, has historically struggled with getting security capabilities integrated into development. I was just reading about Spotify. So I was CISO at Twilio, and so years ago, we were doing like 20, 30,000 releases a year. Spotify does 20,000 deployments a day. So as a developer turned security architect, what are you seeing that works? It sounds like what you’re doing is working. What’s working and what are you seeing as some of the gaps that need to be addressed that are challenging – particularly as it relates to high velocity, continuous integration, continuous deployment, cloud native, et cetera.

JS: I’m a security architect for about 15 teams, but I don’t have any of my own developers or resources. So yeah, it’s still just basic hygiene and stuff to get developers to make maintenance a priority. But I get them, they’re always trying to deliver business value, the customers are pushing for deadlines. So I think that a subset of the teams are doing a great job, and then it’s always a few teams that are slightly behind, but I think it changed a lot now since Volkswagen took over the company because they seem to really value security. But I think you can’t really do it bottom-up, it has to come from the top. I think that’s the big challenge: to get the management to see that they have to be sort of engaged and involved in security.

RS: From a security perspective, what are the things that you’re seeing going on where you’re going, “Oh my gosh this has to be fixed, it’s not being fixed but it has to be fixed.” What are some of the big risks you’re seeing out there? And what are you seeing as some of the promising open source solutions that might help with some of those issues?

JS: I think multi-cloud is a big issue. For example, even if you are quite proficient in AWS, if you have a Chinese customer, you might have to do Alibaba. Some already have a partnership with Microsoft for Azure, and some people will already have a partnership with Google, so I think the range of technologies that any mid size or large company has to manage today is increasing. When I started with AWS in 2008, this was basic infrastructure as a service, S3, and today I can’t even mention it, it’s like 300 different services. So I think it’s just an explosion of both services and the cloud providers.

RS: Right. Increasingly finding solutions that can cut across all those becomes very difficult. So what are some of the interesting open source security solutions? What are you seeing that looks promising on the horizon from an open source perspective but it’s caught your interest?

JS: I started to work on cfn-nag because we used to have a lot of CloudFormation, and it already had the most rules, but I think now that Bridgecrew got bought by Palo Alto and really made a massive investment in Checkov, there’s also the infrastructure as code security assessment tool. It already supports Terraform, CloudFormation, Azure ARM and also Google; it’s good with tools that sort of expand so you can use one tool for many cloud providers.

RS: I agree with that. Checkov is a really great solution and if you can get things like Checkov or tf-sec or cfn-nag – getting those deployed across your organization – oftentimes that ends up being the challenge: how do you get that out there easily? How do you get buy-in? How do you get usage? How do you monitor it?

JS: Yes, one point, but what I really see more in the future is not just pointing out your problems but also creating pull requests with fixes. You also have, like, Snyk, Dependabot; they’re doing it, it just helps you maintain products by creating fixes with the pull request. I think also yes power is also another in this area, but that sort of resolves known issues in the yaml codes.

RS: Right, yeah, there’s a new concept of GitOps oriented solutions where they’re able to integrate seamlessly with your repositories. So they’re not only scanning the repositories, but on pull requests or other changes, they’re doing their thing. Like developers are coding away, and in the case where it’s integrated with SonarQube it’s able to do it right then, right there, and do the PR update, and in some cases depending on the nature of the rule set, this is where maybe an OPA comes in, you’re able to say hey, either we’ll make a change, and/or if it’s before it gets promoted right in the integrated domain we’ll see it will block that. I do think this is the next level sort of thing for the enterprise.

JS: Yeah, and then you also have, like, Security Hub and auto remediations, but then you have the problem that it could have auto remediation in your operations environment, but how do you then manage your configuration management and change control? Because then at the end you don’t really know what’s deployed and what’s in your repos.

Be sure to watch the video for more, and subscribe to our Soluble channel to see more great episodes of Security Superfriends.

Want to catch the latest and greatest in Security Superfriends? Subscribe to our Youtube channel for past shows and updates, and listen on Apple Podcasts, Spotify, Soundcloud, Stitcher, or wherever else you get your podcasts.