Slide 1

Shifting Terraform security left
Gareth Rushgrove

Slide 2

Gareth Rushgrove
Director, Product Management, Snyk
Devops Weekly curator
Open Source contributor
@garethr

Slide 3

Agenda

01 Cloud security
02 Static analysis
03 Example Terraform tools
04 Demos
05 Conclusions

Slide 4

Cloud security: standards, benchmarks and best practices

Slide 5

“The financial giant said the intruder exploited a configuration vulnerability”

Configuration is a security risk

Slide 6

“Some kind of misconfiguration is encountered on a penetration test over 96% of the time.”

Configuration is a security risk

Slide 7

“While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability”

Configuration is a security risk

Slide 8

Center for Internet Security Benchmarks

Slide 9

CIS Benchmarks: Azure and AWS

Slide 10

Static analysis: what and why

Slide 11

Static analysis

Static program analysis is the analysis of computer software that is performed without actually executing programs. For Terraform that means inspecting the .tf files themselves, before anything is applied to a cloud account.

Slide 12

A typical testing progression

Static analysis -> Unit tests -> Integration tests -> Acceptance tests

Slide 13

The importance of fast feedback

Static analysis: fast
Unit tests: middling
Integration tests: slow
Acceptance tests: slower

Slide 14

Insecure Terraform

Can you spot issues in the following code? (The resources are trimmed to the arguments that matter here; this is not a complete, applyable configuration.)

    resource "aws_security_group_rule" "my-rule" {
      type        = "ingress"
      cidr_blocks = ["0.0.0.0/0"]
    }

    resource "aws_alb_listener" "my-alb-listener" {
      port     = "80"
      protocol = "HTTP"
    }

    resource "aws_db_security_group" "my-group" {
    }

    resource "azurerm_managed_disk" "source" {
      encryption_settings {
        enabled = false
      }
    }

Slide 15

Insecure Terraform

Wide open ingress rule: aws_security_group_rule.my-rule (slide 14) accepts ingress from 0.0.0.0/0, that is, from the whole internet.

Slide 16

Insecure Terraform

Use of unencrypted transport protocol: aws_alb_listener.my-alb-listener (slide 14) listens on port 80 with protocol = "HTTP", so traffic to the load balancer travels in plaintext.

Slide 17

Insecure Terraform

Unencrypted storage: azurerm_managed_disk.source (slide 14) explicitly sets encryption_settings { enabled = false }.
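To make concrete what the tools in the next section do with a file like this, here is an added example, written for this page and not code from the talk or from any of the tools named on later slides: a toy Python analyser that tokenises the HCL subset used above, builds the same input.resource.<type>.<name> tree that conftest later exposes to Rego, and applies three table-driven rules matching the three annotations. INSECURE_TF is the slide's snippet (without the empty aws_db_security_group, which none of the three rules concern); HARDENED_TF is a constructed fixed version, and the 10.0.0.0/8 range in it is a placeholder, not a recommendation.

```python
"""Toy Terraform static analyser (added example, not one of the tools above):
tokenise a small HCL subset, build the tree conftest hands to its policies,
then run table-driven rules over every resource in that tree."""
import re

# Whitespace and "#" comments match without a named group, so tokenize() drops them.
TOKEN = re.compile(r'\s+|#[^\n]*|(?P<str>"[^"]*")|(?P<num>\d+)'
                   r'|(?P<id>[A-Za-z_][\w-]*)|(?P<sym>[{}\[\]=,])')

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if m.lastgroup:
            out.append((m.lastgroup, m.group()))
    return out

def parse(text):
    """`resource "type" "name" { ... }` blocks with string, integer, boolean, list
    and nested-block attributes; anything else (expressions, other block types)
    is a SyntaxError rather than a silent misread."""
    toks, pos = tokenize(text), 0
    def peek():
        return toks[pos] if pos < len(toks) else (None, None)
    def take(expect=None):  # expect matches either the token kind or its text
        nonlocal pos
        kind, txt = peek()
        if expect not in (None, kind, txt):
            raise SyntaxError(f"expected {expect!r}, got {txt!r}")
        pos += 1
        return txt
    def value():
        kind, txt = peek()
        if kind == "str":
            return take()[1:-1]
        if kind == "num":
            return int(take())
        if kind == "id":  # true/false; any other bare word is kept as text
            return {"true": True, "false": False}.get(take(), txt)
        take("[")
        items = []
        while peek()[1] != "]":
            items.append(value())
            if peek()[1] == ",":
                take()
        take("]")
        return items
    def body():
        take("{")
        out = {}
        while peek()[1] != "}":
            key = take("id")
            if peek()[1] == "=":
                take()
                out[key] = value()
            else:
                out[key] = body()  # nested block such as encryption_settings
        take("}")
        return out
    doc = {"resource": {}}
    while peek()[0] is not None:
        take("resource")
        rtype, name = take("str")[1:-1], take("str")[1:-1]
        doc["resource"].setdefault(rtype, {})[name] = body()
    return doc

# Rules as (severity, resource type, message, predicate over the resource body).
RULES = [
    ("ERROR", "aws_security_group_rule", "fully open ingress from 0.0.0.0/0",
     lambda r: r.get("type") == "ingress" and "0.0.0.0/0" in r.get("cidr_blocks", [])),
    ("ERROR", "aws_alb_listener", "listener uses HTTP rather than HTTPS",
     lambda r: str(r.get("protocol", "")).upper() == "HTTP"),
    ("WARNING", "azurerm_managed_disk", "encryption_settings.enabled is not true",
     lambda r: isinstance(r.get("encryption_settings"), dict)
     and r["encryption_settings"].get("enabled") is not True),
]

def scan(hcl_text):
    """Findings for one .tf file as (severity, resource address, message)."""
    doc = parse(hcl_text)
    return [(sev, f"{rtype}.{name}", msg)
            for sev, rtype, msg, check in RULES
            for name, res in doc["resource"].get(rtype, {}).items() if check(res)]

INSECURE_TF = """
resource "aws_security_group_rule" "my-rule" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_alb_listener" "my-alb-listener" {
  port     = "80"
  protocol = "HTTP"
}
resource "azurerm_managed_disk" "source" {
  encryption_settings {
    enabled = false
  }
}
"""
# Same file with the three findings fixed (constructed; 10.0.0.0/8 is a placeholder range).
HARDENED_TF = (INSECURE_TF.replace('"0.0.0.0/0"', '"10.0.0.0/8"')
               .replace('"80"', '"443"').replace('"HTTP"', '"HTTPS"')
               .replace("enabled = false", "enabled = true"))
```

scan(INSECURE_TF) returns one finding per annotated resource, with the ERROR/WARNING severity and the type.name address the real tools also print; scan(HARDENED_TF) returns an empty list. The production tools differ in scale (hundreds of rules, a complete HCL parser, expression evaluation) rather than in shape: parse, walk the resources, apply predicates, report with severity and address.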

Slide 18

Example Terraform tools: things to try out

Slide 19

Terrascan
github.com/cesar-rodriguez/terrascan

Slide 20

Terrascan

Project overview: A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.

Active, started 4 months ago
333 stars, Python
35 rules, mainly for AWS
Contributors: @cesar-rodriguez

Sample output:

    Ran 16 tests in 0.015s

    OK

    Processed 19 files in C:\DEV\terraforms\backends\10-network-analytics
    Results (took 1.08 seconds):

    Failures: (2)
    [high] [aws_dynamodb_table.encryption.server_side_encryption.ena
    [high] [aws_s3_bucket.noEncryption] should have property: 'server

    Errors: (0)

Slide 21

Terrafirma
github.com/wayfair/terrafirma

Slide 22

Terrafirma

Project overview: Terrafirma is a Terraform static analysis tool designed for detecting security misconfigurations.

Inactive, created 2 years ago
17 stars, Python
14 rules, mainly for GCP

Sample output:

    --- ISSUE FW_1 - Source range open to Internet - SEVERITY WARN - RESOURCE example_fw_rule.google_compute_firewall
    --- ISSUE FW_2 - SSH Open - SEVERITY INFO - RESOURCE example_fw_rule.google_compute_firewall

Slide 23

Checkov
github.com/bridgecrewio/checkov

Slide 24

Checkov

Project overview: Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure managed in Terraform and detects misconfigurations.

Active, created 3 months ago
511 stars, Python
50 rules, for AWS, Azure and GCP
Contributors: @schosterbarak, @tronxd, @guyeisenkot, @nimrodkor

Sample output:

    Passed checks: 4, Failed checks: 0, Skipped checks: 0

    Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
        PASSED for resource: aws_s3_bucket.foo-bucket
        File: /example.tf:1-25

    Check: "Ensure the S3 bucket has access logging enabled"
        PASSED for resource: aws_s3_bucket.foo-bucket
        File: /example.tf:1-25

Slide 25

tfsec
github.com/liamg/tfsec

Slide 26

tfsec

Project overview: tfsec uses static analysis of your terraform templates to spot potential security issues
- Checks for sensitive data inclusion across all providers
- Checks for violations of AWS, Azure and GCP security best practice recommendations
- Scans modules (currently only local modules are supported)
- Evaluates expressions as well as literal values

Active, started 4 months ago
927 stars
35 rules, mainly for AWS
Contributors: @liamg
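The last bullet matters more than it looks. Real Terraform rarely hard-codes a CIDR or a protocol; it references a variable, and a scanner that only inspects literal values then sees the string var.allowed_cidrs, has nothing to match, and reports nothing: a false negative of the kind the conclusions warn about. The following added example, written for this page and not tfsec's own code, shows the point in Python on a constructed parsed tree (the input.resource / variable shape a Terraform parser produces): resolve var.* references from variable defaults or caller-supplied overrides before running the rule, and surface any reference that could not be resolved instead of silently passing it. It models only var.* references with defaults and overrides, a small slice of what full expression evaluation covers.

```python
"""Why a Terraform scanner must evaluate expressions, not only literals (added
example). Works on the tree a parser produces; `var.*` references are plain
strings there, so a literal-only check has nothing to match."""

# Constructed tree: the open CIDR and plaintext protocol hide behind variable defaults.
RAW_TREE = {
    "variable": {
        "allowed_cidrs": {"default": ["0.0.0.0/0"]},
        "listener_protocol": {"default": "HTTP"},
    },
    "resource": {
        "aws_security_group_rule": {
            "my-rule": {"type": "ingress", "cidr_blocks": "var.allowed_cidrs"},
        },
        "aws_alb_listener": {
            "my-alb-listener": {"port": "80", "protocol": "var.listener_protocol"},
        },
    },
}


def resolve(tree, overrides=None):
    """Copy of tree with each `var.NAME` string replaced by the variable's value:
    a caller override (think -var / .tfvars) or else the declared default.
    References with neither stay as they are so unresolved_references() can report them."""
    values = {name: spec.get("default") for name, spec in tree.get("variable", {}).items()}
    values.update(overrides or {})

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str) and node.startswith("var."):
            value = values.get(node[4:])
            return node if value is None else value
        return node

    return walk(tree)


def open_ingress(tree):
    """Addresses of ingress security group rules that admit 0.0.0.0/0."""
    rules = tree["resource"].get("aws_security_group_rule", {})
    return [f"aws_security_group_rule.{name}" for name, r in rules.items()
            if r.get("type") == "ingress" and "0.0.0.0/0" in r.get("cidr_blocks", [])]


def plaintext_listeners(tree):
    """Addresses of ALB listeners whose protocol is HTTP."""
    listeners = tree["resource"].get("aws_alb_listener", {})
    return [f"aws_alb_listener.{name}" for name, r in listeners.items()
            if str(r.get("protocol", "")).upper() == "HTTP"]


def unresolved_references(tree):
    """(path, reference) pairs for `var.*` strings still present in resources.
    The scanner cannot judge these, so they are reported rather than passed."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and node.startswith("var."):
            found.append((path, node))

    walk(tree["resource"], "resource")
    return found


if __name__ == "__main__":
    print("literal-only:", open_ingress(RAW_TREE), plaintext_listeners(RAW_TREE))
    resolved = resolve(RAW_TREE)
    print("resolved:    ", open_ingress(resolved), plaintext_listeners(resolved))
```

Run as a script, the literal-only pass reports nothing for either resource while the resolved pass flags both; passing an override such as {"allowed_cidrs": ["10.0.0.0/8"]} to resolve() clears the ingress finding, which is exactly why scanning with the values the pipeline will actually deploy matters. A variable with no default and no override is left as var.NAME and shows up in unresolved_references(), so the gap is visible instead of being counted as a pass.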

Slide 27

tfsec

Detect common configuration issues

    $ tfsec
    5 potential problems detected:

    Problem 1

      [AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
      /Users/garethr/Documents/terraform-security/main.tf:1-4

          1 | resource "aws_security_group_rule" "my-rule" {
          2 |   type = "ingress"
          3 |   cidr_blocks = ["0.0.0.0/0"]
          4 | }
          5 |
          6 | resource "aws_alb_listener" "my-alb-listener"{
          7 |   port = "80"

      See https://github.com/liamg/tfsec/wiki/AWS018 for more information.

    Problem 2

      [AWS006][WARNING] Resource 'aws_security_group_rule.my-rule' defines a fully open ingress security group rule.
      /Users/garethr/Documents/terraform-security/main.tf:3

Slide 28

Conftest
github.com/instrumenta/conftest

Slide 29

Conftest

Project overview: Write tests against structured configuration data using the Open Policy Agent Rego query language.
- Currently supports YAML, JSON, INI, TOML, HOCON, HCL, CUE, Dockerfile, HCL2, EDN, VCL and XML
- Share policies using OCI registries, Git, S3
- Built-in debugging and testing tools

Active, started 10 months ago
828 stars
Write your own rules
Contributors: @garethr, @jpreese, @blokje5, @boranx, @KeisukeYamashita, @xchapter7x, @proplex, ...

Slide 30

Conftest

Running tests against your configuration

    $ conftest test -i hcl2 main.tf
    FAIL - main.tf - ALB `my-alb-listener` is using HTTP rather than HTTPS
    FAIL - main.tf - ASG `my-rule` defines a fully open ingress
    FAIL - main.tf - Azure disk `source` is not encrypted

Slide 31

What is Open Policy Agent?
github.com/open-policy-agent/opa

Diagram: a service sends OPA a query (any JSON value) carrying a request, event, etc.; OPA evaluates its policy (Rego, loaded from .rego files) against data (JSON) and returns a decision (any JSON value).

- An open source policy engine
- Written in Go
- WebAssembly support coming along
- A CNCF project
- Usable as a library and a service
- A vibrant open source community
- Provides a declarative DSL for writing policy called Rego

Slide 32

Conftest

Write assertions in Rego

    package main

    # A conftest policy is a set of deny rules; every rule that matches yields a
    # message. `input` is the parsed main.tf, addressed as
    # input.resource.<type>.<name>.

    deny[msg] {
      proto := input.resource.aws_alb_listener[lb].protocol
      proto == "HTTP"
      msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])
    }

    deny[msg] {
      rule := input.resource.aws_security_group_rule[name]
      rule.type == "ingress"
      # cidr_blocks is a list, so iterate it. contains() expects strings;
      # called on the list it errors out instead of matching, and the rule
      # never fires.
      rule.cidr_blocks[_] == "0.0.0.0/0"
      msg = sprintf("ASG `%v` defines a fully open ingress", [name])
    }

    # Rule behind the third failure in the conftest run on slide 30; the slide
    # shows only the first two. Undefined (no finding) when the disk has no
    # encryption_settings block at all.
    deny[msg] {
      disk := input.resource.azurerm_managed_disk[name]
      disk.encryption_settings.enabled != true
      msg = sprintf("Azure disk `%v` is not encrypted", [name])
    }

Slide 33

Conftest

Write unit tests for Rego in Rego

    package main

    # Helper the tests rely on: true when no deny rule produced a message.
    no_violations {
      count(deny) == 0
    }

    test_blank_input {
      no_violations with input as {}
    }

    # The inputs below are cut off on the slide; they are completed here from
    # the azurerm_managed_disk resource on slide 14.
    test_correctly_encrypted_azure_disk {
      no_violations with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": true}}}}}
    }

    test_unencrypted_azure_disk {
      deny["Azure disk `sample` is not encrypted"] with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": false}}}}}
    }

Run the tests with conftest verify; they exercise the deny rules from the policy directly, with `with input as` substituting a hand-built document for a parsed file.

Slide 34

Conftest integrations

Easy to run in common CI/CD systems

Slide 35

Demo

Slide 36

Conclusions

If all you remember is...

Slide 37

Cost/benefit

Static analysis is cheap to run, but can result in false positives and false negatives

Slide 38

Developer proximity

The closer feedback is provided to the original author of the code, the cheaper it should be to address issues

Slide 39

Terraform tooling

Lots of new Terraform development tools emerging at the moment (not just for static analysis)

Slide 40

Shift security left

Automatically catching security issues during development means fewer issues in production, and more time to focus on finding and fixing the ones that remain

Slide 41

Thanks for listening

Sign up for free at snyk.io/signup