GitGuardian has announced a new code security platform that goes beyond secrets detection by adding code leakage detection, Infrastructure-as-Code (IaC) Security and Software Development Lifecycle (SDLC) intrusion detection.
With the addition of IaC Security, cloud security teams can protect their organization's infrastructure at the source and collaborate with developers.
The recent breaches at Intel and Toyota are proof that even large companies with sizable AppSec teams are exposed to private code going public and to secrets being hardcoded.
We sat down with MacKenzie Jackson, Developer Advocate at GitGuardian, to discuss the company's newly launched platform and how it helps organizations overcome key security challenges.
What is new about this platform?
The GitGuardian Internal Monitoring platform will now include Infrastructure as Code security. This new release complements the current automated secrets detection and remediation offering. The Infrastructure as Code (IaC) scanning capabilities are intended to assist security and cloud practitioners in implementing controls to detect and correct security misconfigurations in infrastructure configuration files like Terraform before deployment. Infrastructure as Code scanning is available via GitGuardian’s open-source command line interface (CLI), ggshield.
This scanning aims to shift cloud security left. The ggshield CLI allows DevOps, Platform Engineering, and Site Reliability Engineering teams to thoroughly scan multiple repositories or submodules for over 70 security policies. The command-line interface application also provides an option to set a severity threshold to filter critical issues and fix them before executing the Terraform plan and creating the corresponding infrastructure. In the GitGuardian dashboard, Application and Cloud Security teams can enforce and monitor the usage of IaC security scanning thanks to analytics and reporting capabilities.
GitGuardian’s vision is to build a robust platform for the DevOps generation from which more future innovations like SCA or SAST will be launched. GitGuardian offers a Free tier for individual developers and teams of 25 members or fewer. The company also provides Business and Enterprise tiers with more advanced features for the GitGuardian Internal Monitoring platform.
What challenges does it aim to solve?
There are risks associated with software-defined cloud infrastructure. Security teams often hardcode sensitive information via secret keys in IaC templates or simply forget to restrict traffic to their resources or encrypt storage systems like databases. Misconfigurations like these propagate from code to the cloud and extend organizations’ attack surfaces.
To reduce the chances of misconfigurations, organizations must protect their cloud infrastructure at the source code level from the outset. Shifting security left, they must identify and correct any Infrastructure as Code security misconfigurations before they are applied. This will help Cloud Security and Operations teams avoid the costs of fixing them later. The GitGuardian Internal Monitoring platform will now provide such capabilities.
IaC security tools can save developers and security teams a lot of time. But today, code security tool sprawl leads to an orchestration challenge for most teams. Some tools on the market provide extensive coverage of IaC misconfigurations, but their secret detection component is somewhat lacking. With our platform, teams in charge of writing Terraform files can use a single comprehensive tool to detect misconfigurations and hardcoded credentials in their IaC configurations.
Another common challenge is the significant number of false positives. Most IaC security scanning tools overwhelm the end user with numerous alerts, some of which are more concerned with code quality than proper security and hence not significant enough to resolve. GitGuardian Internal Monitoring provides an option in the command that allows users to scan IaC configurations for a specific security vulnerability severity or higher and thus helps prioritize remediation accordingly.
Also, IaC scanners occasionally generate multiple alerts for connected misconfigurations. To reduce the number of raised misconfigurations for a given scan, ggshield IaC "connects the dots" on its own and combines multiple policies into one.
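As an added illustration (not code from the original interview or from GitGuardian), the three misconfiguration classes named in this answer as a single Terraform file, with each weak resource beside its corrected form; the resource names, CIDR range and variable name are constructed for the example.

```hcl
# Constructed example: each misconfiguration from the answer above, then its fix.
# 1. Unrestricted inbound traffic: the rule below admits the whole internet.
resource "aws_security_group" "db_open" {
  name = "db-open"
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # flagged: world-reachable database port
  }
}

# Fixed: only the application subnet may reach the database port.
resource "aws_security_group" "db_restricted" {
  name = "db-restricted"
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.20.0.0/24"] # constructed private application subnet
  }
}

# 2 and 3. Unencrypted storage and a hardcoded credential in the same resource.
resource "aws_db_instance" "weak" {
  identifier        = "orders-weak"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app"
  password          = "S3cretPassw0rd!"   # flagged: secret committed to the repo
  storage_encrypted = false               # flagged: data at rest unencrypted
}

# Fixed: encryption enabled and the password supplied at apply time, not in code.
variable "db_password" {
  type      = string
  sensitive = true   # keeps the value out of plan output and logs
}
resource "aws_db_instance" "hardened" {
  identifier        = "orders-hardened"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app"
  password          = var.db_password
  storage_encrypted = true
}
```

Scanning the file before `terraform plan` is the point of the shift-left workflow described above: the `weak` and `db_open` resources are what a scanner should report, and the `hardened` and `db_restricted` resources are what should remain after remediation.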
From your point of view, why are organizations struggling with these challenges?
The Infrastructure as Code market is currently in its early stages of development. The shift-left strategy and IaC security have not yet been industrialized in some organizations, although most businesses have switched to Terraform or CloudFormation for their infrastructure. Team initiatives are beginning to take shape, but there isn't a solid drive to impose IaC security tools across the organization yet. Some organizations still examine their applications and infrastructure during the run phase, which can be late.
Developers and DevOps engineers in more mature organizations have specialized tools for various code security needs. But when new tools are added without careful thought and effective integration, it results in sprawl, causing greater harm than good.
Today's tools and open-source technologies, such as Kubernetes by Google and Terraform by HashiCorp, have shown the advantages of infrastructure automation over traditional programming and manual provisioning for DevOps, Platform Engineering, and Site Reliability Engineering teams. So, we anticipate that the IaC market will expand rapidly and users will realize the benefits of an effective platform strategy.