October 3, 2023
Designing and maintaining secure infrastructure configurations from code to cloud is a complex process involving multiple technical teams and security stakeholders.
The first challenge is writing secure infrastructure configurations pre-deployment. As organizations modernize their applications for the cloud or shift to a cloud-native application development process, application developers work with infrastructure or platform teams during the development and build process to define and deploy secure configurations in code. Many pre-deployment IaC security tools exist today, but without context from deployed environments, they often present a large number of “critical” issues, eroding developer trust and contributing to alert fatigue.
The second challenge is maintaining secure configurations post-deployment in the cloud. Security teams must enable developers to fix misconfigurations if anything goes awry in production. While many post-deployment cloud security tools exist to help identify these misconfigurations in cloud environments, they lack visibility into pre-deployment developer workflows and cannot trace misconfigurations back to the source code and development owners.
To help our customers address these challenges, we’ve developed a new version of Snyk IaC called IaC+, which enables developers to find and fix misconfigurations in their existing workflows and provides a single source of truth for infrastructure configuration security across the SDLC (from code to cloud). IaC+ is powered by a new engine and expanded security ruleset.
IaC+ is available in early access via Snyk Preview starting October 3rd, 2023.
Deeper, more accurate pre-deployment checks for IaC
An ounce of prevention is worth a pound of treatment. At Snyk, we believe the most efficient way to secure configurations is pre-production: during the time they are being written and modified in the IDE and CLI, in addition to monitoring of Git repositories and CI pipelines.
IaC+ supports the same integrations and workflows as our current version, with engine enhancements for more accurate results, including multi-file analysis for Terraform to support testing modules and variables files. This lets your developers focus on fixing the issues that matter most.
In addition to multi-file analysis, IaC+ has an expanded security ruleset, adding hundreds of security and compliance-mapped rules to Snyk’s built-in ruleset, including more than a dozen frameworks such as SOC2, PCI DSS, and NIST 27001.
Improved issues triage for misconfigurations
Actionability, or the ability to move from identification to fixes, is the heart of Snyk IaC. For faster visibility and triage of issues, IaC+ captures issues based on an entire repository instead of individual IaC files. This enables our users to view and filter issues across an entire Snyk organization, instead of investigating individual IaC files one-by-one.
Included in this change to the way our issues are organized is a new IaC+ issues page within the Snyk UI. The Cloud issues page now includes unified visibility of pre- and post-deployment misconfiguration issues from code to cloud, providing teams with a single source of truth for configuration security across pre- and post-deployment estates.
Unlocked code to cloud use cases
Both Snyk IaC versions now give users the ability to onboard, scan, and test deployed cloud environments for AWS, Azure, and Google Cloud.
However, IaC+ shares the same underlying engine and data model with cloud capabilities, which enables seamless enforcement of code to cloud custom rules to complement Snyk’s evolving set of rules. Onboarding your cloud accounts to Snyk and enabling IaC+ will also unlock the ability to fix cloud issues in developer workflows, where Snyk expedites fixes by automatically tracing cloud misconfigurations back to IaC source code, providing technical teams with the fix location and relevant development owner.
How do I access IaC+?
IaC+ will be available in early access via Snyk Preview for all Snyk IaC customers on the Enterprise plan starting October 3rd, 2023. To learn more about getting started with IaC+ while in Early Access, please visit our docs.
If you’re interested in trying IaC+, please reach out to your Snyk account representative or get in touch for a pilot here.