Facebook Pixel
Infrastructure as Code (IaC) Auto-Remediation

Written by Mike Hogan

January 26, 2022

Find IaC Risk
Infrastructure as Code (IaC) is not as simple as some other security risks because IaC is not automatically right or wrong. Vulnerabilities are easy, if you have a vulnerability, it is bad and you want to remediate it, no questions asked. IaC may not follow a best practice, but it may still be appropriate or required. This makes auto-remediation a challenge because it may break things.

Developers use a standard way of automating their resources: infrastructure (IaC e.g. Terraform), configuration (CaC e.g. chef, puppet), containerization (e.g. Kube) and pipeline (PaC, e.g. drone). This is accomplished by using structured code that defines various parameters. This is independent of the actual underlying resources, making it portable and reusable.

When building IaC there are best practices, defined as coded parameters based on principles such as least privilege. The challenge is that some applications or pods in your Kube cluster may require escalated privilege. This creates a gray area for auto-remediation. A standard remediation tool will recommend lowering the privilege, but that could break the app. If you were to auto-remediate it, it could assume that a lower privilege is better and make that change, resulting in a broken app.

For this reason, IaC auto-remediation is a bit challenging. You can use a tool to scan your IaC and identify security risks or deviations from best practices. That tool might also recommend code to make these misconfigurations conform to best practices. The developer can step through the list of proposed remediations and make decisions one at a time. With over a thousand possible parameters, this process can be tedious and time-consuming. Yes, it’s better than committing code with risks, but there has to be a faster and better way..

You can leverage auto-remediation for the obvious misconfigurations, but what about those in the gray area? This is where machine learning can build models based on user response and correlate that to various other configurations and other variables. With this level of intelligence in the form of models, tools can organize configuration remediation based upon confidence level and enable group actions that reduce user input by more than 80%. And of course balancing developer efficiency against security demands is the ultimate goal of any developer-centric security tool.

Find IaC Risk

Related Blog

Infrastructure as Code (IaC)

Infrastructure as Code (IaC)

What is Infrastructure as Code (IaC)? You can think of IaC as a universal configuration file that tells your infrastructure platform—which can include the cloud, Kubernetes, Function-as-a-Service (FaaS), storage, and other services—how to handle a running piece of...

read more
Choosing the Right Security Policy Solution

Choosing the Right Security Policy Solution

Security policies are a critical component of your security solution and selecting the right security policy is critical to secure development. This article looks at the different types and provides insight into what to look for in a security policy to balance...

read more
Container Security Asset Management

Container Security Asset Management

Container security is the practice of correlating all inherent security risks in conjunction with the context of how the container is deployed and used. The risks can include vulnerabilities, dependencies, secrets, malware, IaC, licenses, and more. By adding the...

read more
Share This
Skip to content