Containerization has grown significantly to manage the rising demand for application deployments that meet customer requirements. Containers help automate infrastructure provisioning, application configuration, and deployment across multiple cloud platforms, and hence improve cost and resource efficiency. However, there are risks involved in Infrastructure as Code (IaC).
The top 3 risks in IaC include:
1. Insecure default configuration templates
Adoption of infrastructure as code (IaC) increases the effort put into setting up the system environment, preparing the build setups, and configuring infrastructure. In most cases, the aim is to automate repetitive manual activities with known parameters.
Configuration templates are the core of containerization. Any misconfiguration in a template, such as vulnerable OS images, outdated libraries, or third-party applications, could multiply vulnerabilities across environments.
Palo Alto Networks' Unit 42 research indicates that while IaC offers security teams a predictable way to enforce security standards, this powerful capability remains largely unharnessed. In the same report, researchers found nearly 200,000 insecure IaC templates in use.
Build security-tested, standardized templates. Build security into the container.
Scan the IaC templates for vulnerable configurations and image templates.
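As an added example of the template scan recommended above (not code from the original article or from any specific scanner), the following Python script parses a container build file and reports the kinds of template weaknesses the section describes: an unpinned base image, unpinned packages, remote content pulled in at build time, an exposed SSH port, and a container that runs as root. The Dockerfile instruction names are real; both sample templates, the rule identifiers, the package version string and the digest value are constructed placeholders for this example.

```python
"""Minimal IaC template scanner for container build files (added example)."""
import re

# Constructed sample template with several weaknesses.
SAMPLE_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update && apt-get install -y curl
ADD https://example.invalid/app.tar.gz /opt/app/
EXPOSE 22
CMD ["/opt/app/run.sh"]
"""

# Constructed hardened version of the same template. The digest and the
# package version are placeholders, not real values.
FIXED_DOCKERFILE = """\
FROM ubuntu:22.04@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends curl=7.81.0-1
COPY app.tar.gz /opt/app/
USER app
EXPOSE 8080
CMD ["/opt/app/run.sh"]
"""

APT_INSTALL_RE = re.compile(r"apt-get\s+install\s+([^&;|]+)")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations
    and skipping comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def scan_dockerfile(text):
    """Return a sorted list of (rule_id, detail) findings for the template."""
    findings = []
    has_user = False
    for inst, arg in parse_instructions(text):
        if inst == "FROM":
            image = arg.split()[0]  # drop any "AS stage" alias
            if "@" not in image:  # a digest pin is acceptable
                last = image.split("/")[-1]
                tag = last.rsplit(":", 1)[1] if ":" in last else None
                if tag is None or tag == "latest":
                    findings.append(("UNPINNED_BASE_IMAGE", image))
        elif inst == "USER":
            has_user = True
            if arg.strip() in ("root", "0"):
                findings.append(("RUNS_AS_ROOT", "USER " + arg.strip()))
        elif inst == "ADD" and re.match(r"https?://", arg):
            findings.append(("REMOTE_ADD", arg.split()[0]))
        elif inst == "EXPOSE" and "22" in arg.split():
            findings.append(("SSH_PORT_EXPOSED", arg))
        elif inst == "RUN":
            for match in APT_INSTALL_RE.finditer(arg):
                packages = [t for t in match.group(1).split() if not t.startswith("-")]
                for pkg in packages:
                    if "=" not in pkg:  # no explicit version: whatever is current gets baked in
                        findings.append(("UNPINNED_PACKAGE", pkg))
    if not has_user:
        findings.append(("RUNS_AS_ROOT", "no USER instruction; processes run as root"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{rule}: {detail}")
    print("hardened template findings:", scan_dockerfile(FIXED_DOCKERFILE))
```

Running the script lists five findings for the constructed weak template and none for the hardened one; in a pipeline, a non-empty result is the signal to block the template before it is reused across environments.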
2. Secrets that are stored in clear text
Automation requires secrets. For ease of use, developers may end up adding secrets directly to the IaC templates, which results in a high-risk vulnerability that could be easily exploited across multiple sets of systems and applications.
A basic concept of security is to never leave the keys in the open. Secrets such as passwords, API keys, and secret tokens should not be written into the code.
Use secure password vaults or secret management solutions to store all your application secrets, and refer to these vaults, instead of the secrets themselves, inside configuration files.
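The following Python script is an added example (not code from the original article) of both halves of this recommendation: it flags clear-text secrets in a key = value template, and it shows the same template rewritten to reference a secret store, with the references resolved only at deploy time. The template contents, the `vault://` reference syntax and the in-memory dictionary standing in for a real secret manager are all constructed for this example; real vaults each have their own reference format and client.

```python
"""Flag clear-text secrets in an IaC template and resolve vault references (added example)."""
import math
import re
from collections import Counter

# Constructed template with secrets embedded in it (the risky form).
INSECURE_TEMPLATE = """\
db_host = db.internal.example
db_user = app
db_password = Sup3rS3cretPassw0rd!
api_key = 9f8e7d6c5b4a3f2e1d0c9b8a
signing_material = Zm9vYmFyYmF6cXV4cXV1eA==
session_timeout = 3600
debug = false
"""

# Constructed template referring to a secret manager instead of embedding values.
SECURE_TEMPLATE = """\
db_host = db.internal.example
db_user = app
db_password = vault://prod/app/db_password
api_key = vault://prod/app/api_key
signing_material = vault://prod/app/signing_material
session_timeout = 3600
debug = false
"""

SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
OPAQUE_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")  # looks like a key/token, not a hostname
VAULT_REF_RE = re.compile(r"^vault://[\w/.-]+$")          # constructed reference syntax


def shannon_entropy(value):
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def find_clear_text_secrets(template, entropy_threshold=3.5):
    """Return (line_no, key, reason) for every value that looks like an embedded secret."""
    findings = []
    for n, line in enumerate(template.splitlines(), 1):
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not value or VAULT_REF_RE.match(value):
            continue  # empty or already a reference into the vault
        if SECRET_KEY_RE.search(key):
            findings.append((n, key, "secret-like key with literal value"))
        elif OPAQUE_TOKEN_RE.match(value) and shannon_entropy(value) >= entropy_threshold:
            findings.append((n, key, "high-entropy literal under a non-secret key name"))
    return findings


def resolve_references(template, secret_store):
    """Build the runtime config, fetching vault:// references from the secret store.
    `secret_store` is a constructed dict standing in for a real vault client."""
    resolved = {}
    for line in template.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if VAULT_REF_RE.match(value):
            path = value[len("vault://"):]
            if path not in secret_store:
                raise KeyError(f"no secret stored at {path}")  # fail closed, never fall back
            value = secret_store[path]
        resolved[key] = value
    return resolved


if __name__ == "__main__":
    for line_no, key, reason in find_clear_text_secrets(INSECURE_TEMPLATE):
        print(f"line {line_no}: {key}: {reason}")
    store = {"prod/app/db_password": "<from vault>", "prod/app/api_key": "<from vault>",
             "prod/app/signing_material": "<from vault>"}
    print(resolve_references(SECURE_TEMPLATE, store)["db_password"])
```

The entropy rule only applies to values that look like opaque tokens, so hostnames and other dotted identifiers do not trip it; the resolver raises rather than silently using an empty value when a referenced secret is absent.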
3. Weak Change Management
Any unauthorized, unapproved change in a configuration template leads to a domino effect across numerous systems and applications. Unauthorized drift may cause cost implications, chaos, performance issues, and security risks.
Monitor the cloud infrastructure and IaC templates frequently to find existing or potential drift so that it can be addressed quickly.
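As an added example of the drift monitoring recommended above (not code from the original article), the following Python script compares the state a template declares with the state observed in the cloud and classifies each difference as an unmanaged resource, a missing resource, or a changed attribute, marking those that touch security-relevant settings. The desired state and the observed state are both constructed dictionaries here; in practice the first comes from the parsed template and the second from the provider's API.

```python
"""Detect drift between declared IaC state and observed cloud state (added example)."""

# Desired state as declared in a constructed template.
DESIRED = {
    "web-sg": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "app-bucket": {"type": "storage_bucket", "public": False, "versioning": True},
    "db-instance": {"type": "database", "size": "db.t3.medium", "encrypted": True},
}

# Constructed observation of the same account after some out-of-band manual edits.
OBSERVED = {
    "web-sg": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "app-bucket": {"type": "storage_bucket", "public": True, "versioning": True},
    "db-instance": {"type": "database", "size": "db.r5.2xlarge", "encrypted": True},
    "debug-vm": {"type": "instance", "size": "t3.large"},
}

# Top-level attributes where drift is a security finding, not just a cost or performance one.
SECURITY_ATTRIBUTES = {"ingress", "public", "encrypted"}


def diff_attributes(desired, observed, prefix=""):
    """Recursively compare two attribute dicts; return (path, desired, observed) triples."""
    changes = []
    for key in sorted(set(desired) | set(observed)):
        path = f"{prefix}{key}"
        d, o = desired.get(key), observed.get(key)
        if isinstance(d, dict) and isinstance(o, dict):
            changes.extend(diff_attributes(d, o, path + "."))
        elif d != o:
            changes.append((path, d, o))
    return changes


def detect_drift(desired, observed):
    """Return one report entry per drifted resource.
    Unmanaged (present but undeclared) and missing resources are always flagged
    for review; changed resources are flagged when a security attribute moved."""
    report = []
    for name in sorted(set(desired) | set(observed)):
        if name not in desired:
            report.append({"resource": name, "kind": "unmanaged", "security": True, "changes": []})
        elif name not in observed:
            report.append({"resource": name, "kind": "missing", "security": True, "changes": []})
        else:
            changes = diff_attributes(desired[name], observed[name])
            if changes:
                security = any(path.split(".")[0] in SECURITY_ATTRIBUTES for path, _, _ in changes)
                report.append({"resource": name, "kind": "changed",
                               "security": security, "changes": changes})
    return report


if __name__ == "__main__":
    for entry in detect_drift(DESIRED, OBSERVED):
        flag = "SECURITY" if entry["security"] else "info"
        print(f"[{flag}] {entry['resource']}: {entry['kind']}")
        for path, want, have in entry["changes"]:
            print(f"    {path}: declared {want!r}, observed {have!r}")
```

Run on a schedule, the security-flagged entries are the ones to route to an incident queue immediately (a bucket made public, an extra ingress rule, an undeclared instance), while the rest feed the normal change-management review so the template and the environment are brought back into agreement.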