Introducing IaC Security from Black Duck

The news is just in, and it’s big: Black Duck now offers IaC scanning functionality. With no additional licenses required, this capability is available immediately for all existing Black Duck customers. Let’s dig into exactly what this means for you, how it helps your existing security efforts, and what you can expect in the months to come. 

IaC has moved away from infrastructure and security experts

What drove our development of IaC scanning capabilities? The shift to the developer…

At its core, IaC continues to help simplify the provisioning and management of infrastructure for cloud environments. Infrastructure can be provisioned in scalable and reproducible methods across deployments, but while this helps improve overall usability and functionality, scalability demands have pushed infrastructure deployment “left,” to the developer. 

This in itself is not a problem, but shifting responsibility to development teams does introduce complications when considering the implications to security.

IaC security used to be the job of IT and ops teams, who were at least semi-versed in security and best practices. As the development and release velocity of cloud-native applications increase, though, provisioning and configuration activities have naturally fallen upon developers. The security problem here is twofold: first, this shift increases the likelihood of the introduction of complex security weaknesses that developers are not equipped to handle, and second, developers are rarely security experts. Lack of experience and lack of bandwidth mean that security does not receive the attention and expertise it requires. 

Using your SCA pipeline integration to inject IaC security scans

What value does leveraging the IaC capabilities within your existing SCA solution provide?

IaC spans the gap between traditional code and infrastructure/deployment configurations. But the shift to using IaC to configure, manage, and deploy applications has introduced a new genre of risk—misconfiguration or poor security controls in IaC. 

These issues are not detectable by traditional SCA approaches since security threats within IaC are not typically known or previously disclosed vulnerabilities. But Black Duck’s new capability stems from the realization that the SCA tools already running inside many organizations’ build and deployment pipelines are ideal candidates to expand existing scanning capabilities to include IaC coverage. In simple terms, we added IaC scanning capabilities to existing SCA scans, meaning they can go anywhere SCA scans go.

IaC scans can be run within Black Duck effortlessly and catch issues earlier and in more places in the application development life cycle. Black Duck SCA scans can be enabled in virtually any part of the development pipeline, making them an ideal candidate to also run IaC scans. Since IaC issues are typically high criticality, identifying them as early as possible in development pipelines is critical to avoiding issues later down the line (e.g., in production). Our new IaC scanning capability enables development and DevOps teams to rapidly identify these non-CVE security issues from within Black Duck, with no real expertise needed.