
Infrastructure as Code (IaC) Auto-Remediation

Written by Mike Hogan
January 26, 2022

Infrastructure as Code (IaC) is not as simple as some other security risks, because an IaC setting is not automatically right or wrong. Vulnerabilities are easy: if you have one, it is bad and you want to remediate it, no questions asked. IaC may deviate from a best practice yet still be appropriate, or even required. This makes auto-remediation a challenge, because a blind fix may break things.

Developers use a standard way of automating their resources: infrastructure (IaC, e.g. Terraform), configuration (CaC, e.g. Chef, Puppet), containerization (e.g. Kubernetes) and pipelines (PaC, e.g. Drone). This is accomplished with structured code that defines the various parameters. That code is independent of the actual underlying resources, which makes it portable and reusable.

When building IaC there are best practices, expressed as coded parameters based on principles such as least privilege. The challenge is that some applications or pods in your Kubernetes cluster may require escalated privilege. This creates a gray area for auto-remediation. A standard remediation tool will recommend lowering the privilege, but that could break the app. An auto-remediation tool could assume that lower privilege is always better, make that change, and leave you with a broken app.

For this reason, IaC auto-remediation is a bit challenging. You can use a tool to scan your IaC and identify security risks or deviations from best practices. That tool might also recommend code changes that make these misconfigurations conform to best practices. The developer can then step through the list of proposed remediations and make decisions one at a time. With over a thousand possible parameters, this process is tedious and time-consuming. Yes, it is better than committing code with known risks, but there has to be a faster and better way.

You can leverage auto-remediation for the obvious misconfigurations, but what about those in the gray area? This is where machine learning can build models from user responses and correlate them with other configurations and variables. With that intelligence in the form of models, tools can organize configuration remediations by confidence level and enable group actions that reduce user input by more than 80%. And of course, balancing developer efficiency against security demands is the ultimate goal of any developer-centric security tool.
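The workflow the last three paragraphs describe, as an added example that is not Carbonetes' code: a small triage routine scans two constructed Kubernetes workloads against three security-context rules, blends each rule's prior confidence with a record of past developer accept/reject decisions on similar workloads (a stand-in for the learned model), auto-applies the fixes above a threshold and queues the rest for review. The rule set, the base confidences, the 0.75 threshold, the `tier` label and the decision history are all assumptions made for the example. It also shows one concrete way a naive fix breaks things: Kubernetes rejects `allowPrivilegeEscalation: false` on a `privileged: true` container, so that fix is held back until the privileged finding itself is decided.

```python
"""Confidence-based triage of IaC findings: apply the obvious fixes, queue the gray area.

Added example, not Carbonetes code. Rules, thresholds, labels and the decision
history below are constructed assumptions that illustrate the approach in the post.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable

# Two constructed Kubernetes workloads as plain dicts (no YAML parser needed).
MANIFESTS = [
    {"kind": "Deployment",
     "metadata": {"name": "web", "labels": {"tier": "frontend"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example/web:1.4",
          "securityContext": {"privileged": False}}]}}}},
    {"kind": "DaemonSet",
     "metadata": {"name": "node-agent", "labels": {"tier": "infra"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "agent", "image": "registry.example/agent:2.0",
          "securityContext": {"privileged": True}}]}}}},
]

# Constructed record of past developer decisions, keyed by (rule, workload tier):
# (accepted, rejected). This stands in for the learned model the post describes.
HISTORY = {
    ("privileged-true", "infra"): (0, 4),        # infra agents kept their privilege
    ("runAsNonRoot-unset", "frontend"): (5, 0),  # frontends always accepted non-root
}

AUTO_APPLY_THRESHOLD = 0.75  # assumed cutoff for the "obvious" bucket


@dataclass
class Rule:
    rule_id: str
    base_confidence: float          # how often this fix is safe with no other evidence
    check: Callable[[dict], bool]   # True when the container violates the rule
    fix: Callable[[dict], None]     # mutates the container's securityContext


def _sc(container: dict) -> dict:
    return container.setdefault("securityContext", {})


RULES = [
    Rule("privileged-true", 0.3,
         lambda c: _sc(c).get("privileged") is True,
         lambda c: _sc(c).update(privileged=False)),
    # The API server rejects allowPrivilegeEscalation=false on a privileged
    # container, so this fix is only proposed when the container is not privileged;
    # otherwise it waits for the outcome of the privileged-true review.
    Rule("allowPrivilegeEscalation-not-false", 0.9,
         lambda c: _sc(c).get("privileged") is not True
         and _sc(c).get("allowPrivilegeEscalation") is not False,
         lambda c: _sc(c).update(allowPrivilegeEscalation=False)),
    Rule("runAsNonRoot-unset", 0.6,
         lambda c: _sc(c).get("runAsNonRoot") is not True,
         lambda c: _sc(c).update(runAsNonRoot=True)),
]


@dataclass
class Finding:
    workload: str
    container: str
    rule_id: str
    confidence: float
    action: str  # "auto-applied" or "needs-review"


def confidence(rule: Rule, tier: str) -> float:
    """Blend the rule's prior with the acceptance rate seen on similar workloads."""
    if (rule.rule_id, tier) not in HISTORY:
        return rule.base_confidence
    accepted, rejected = HISTORY[(rule.rule_id, tier)]
    rate = (accepted + 1) / (accepted + rejected + 2)  # Laplace-smoothed acceptance rate
    return round(0.3 * rule.base_confidence + 0.7 * rate, 4)


def triage(manifests: list[dict]) -> tuple[list[dict], list[Finding]]:
    """Return remediated copies of the manifests plus every finding with its action."""
    remediated = deepcopy(manifests)  # never mutate the caller's input
    findings: list[Finding] = []
    for wl in remediated:
        tier = wl["metadata"].get("labels", {}).get("tier", "unknown")
        for container in wl["spec"]["template"]["spec"]["containers"]:
            for rule in RULES:
                if not rule.check(container):
                    continue
                conf = confidence(rule, tier)
                if conf >= AUTO_APPLY_THRESHOLD:
                    rule.fix(container)
                    action = "auto-applied"
                else:
                    action = "needs-review"
                findings.append(Finding(wl["metadata"]["name"], container["name"],
                                        rule.rule_id, conf, action))
    return remediated, findings


if __name__ == "__main__":
    fixed, results = triage(MANIFESTS)
    for f in results:
        print(f"{f.workload}/{f.container} {f.rule_id:<38} {f.confidence:.2f} {f.action}")
    print(fixed[0]["spec"]["template"]["spec"]["containers"][0]["securityContext"])
```

Running it yields four findings: the two on the `web` frontend are auto-applied (the privilege-escalation rule on its prior alone, the non-root rule because the history lifts it over the threshold), while both findings on the privileged `node-agent` land in the review queue, which is the group action the post describes: the developer answers two questions instead of four, and never sees a fix the API server would have refused.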
