
Announcing IaC+ early access: Secure your infrastructure configurations across the SDLC

Written by:

Lauren Place


October 3, 2023


Designing and maintaining secure infrastructure configurations from code to cloud is a complex process involving multiple technical teams and security stakeholders.

The first challenge is writing secure infrastructure configurations pre-deployment. As organizations modernize their applications for the cloud or shift to a cloud-native application development process, application developers work with infrastructure or platform teams during the development and build process to define and deploy secure configurations in code. Many pre-deployment IaC security tools exist today, but without context from deployed environments, they often present a large number of “critical” issues, eroding developer trust and contributing to alert fatigue.

The second challenge is maintaining secure configurations post-deployment in the cloud. Security teams must enable developers to fix misconfigurations if anything goes awry in production. While many post-deployment cloud security tools exist to help identify these misconfigurations in cloud environments, they lack visibility into pre-deployment developer workflows and cannot trace misconfigurations back to the source code and development owners.

To help our customers address these challenges, we’ve developed a new version of Snyk IaC called IaC+, which enables developers to find and fix misconfigurations in their existing workflows and provides a single source of truth for infrastructure configuration security across the SDLC (from code to cloud). IaC+ is powered by a new engine and expanded security ruleset.

IaC+ is available in early access via Snyk Preview starting October 3rd, 2023. 

Deeper, more accurate pre-deployment checks for IaC

An ounce of prevention is worth a pound of treatment. At Snyk, we believe the most efficient way to secure configurations is pre-production: during the time they are being written and modified in the IDE and CLI, in addition to monitoring of Git repositories and CI pipelines. 

IaC+ supports the same integrations and workflows as our current version, with enhancements to our engine for greater accuracy of results, including multi-file analysis for Terraform to support testing modules and variables files, enabling your developers to focus on fixing the issues that matter most.

IaC+ includes deeper, more accurate scans to focus your developers’ efforts on fixing the most critical issues.

In addition to multi-file analysis, IaC+ has an expanded security ruleset, adding hundreds of security and compliance-mapped rules to Snyk’s built-in ruleset, including more than a dozen frameworks such as SOC2, PCI DSS, & NIST 27001.

Improved issues triage for misconfigurations

Actionability, or the ability to move from identification to fixes, is the heart of Snyk IaC. For faster visibility and triage of issues, IaC+ captures issues based on an entire repository instead of individual IaC files. This enables our users to view and filter issues across an entire Snyk organization, instead of investigating individual IaC files one by one.

View IaC+ issues across your entire Snyk organization.

Included in this change to the way our issues are organized is a new IaC+ issues page within the Snyk UI. The Cloud issues page now includes unified visibility of pre- and post-deployment misconfiguration issues from code to cloud, providing teams with a single source of truth for configuration security across pre- and post-deployment estates.

IaC+ includes a unified view of pre- and post-deployment misconfiguration issues in one UI.

Unlocked code to cloud use cases

Both Snyk IaC versions now give users the ability to onboard, scan, and test deployed cloud environments for AWS, Azure, and Google Cloud. 

However, IaC+ shares the same underlying engine and data model with cloud capabilities, which enables seamless enforcement of code to cloud custom rules to complement Snyk’s evolving set of rules. Onboarding your cloud accounts to Snyk and enabling IaC+ will also unlock the ability to fix cloud issues in developer workflows, where Snyk expedites fixes by automatically tracing cloud misconfigurations back to IaC source code, providing technical teams with the fix location and relevant development owner.

IaC+ links the source IaC file in Git workflows and remediation advice for misconfigured cloud resources managed by IaC.

How do I access IaC+?

IaC+ will be available in early access via Snyk Preview for all Snyk IaC customers on the Enterprise plan starting October 3rd, 2023. To learn more about getting started with IaC+ while in Early Access, please visit our docs.

If you’re interested in trying IaC+, please reach out to your Snyk account representative or get in touch for a pilot here.
