Accurics, provider of the Terrascan static code analyzer for discovering vulnerabilities in code used to deploy infrastructure, has added support for Kustomize and Helm Charts, tools that are used to configure Kubernetes clusters and deploy software, respectively.
Announced during the online KubeCon + CloudNativeCon North America 2020 conference, these additions extend existing Kubernetes support within the Terrascan tool, which analyzes vulnerability feeds, identity and access management (IAM) privileges and other data to detect potential cloud security issues.
By incorporating the open source Open Policy Agent (OPA) software, Terrascan also surfaces violations of common compliance and cybersecurity practices based on System and Organization Controls (SOC) 2, the General Data Protection Regulation (GDPR), Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO), the Center for Internet Security (CIS) Benchmark, Amazon Web Services (AWS) Best Practices and the AWS Well-Architected Framework.
Once Terrascan creates a model of an IT environment, Accurics then monitors the application workload for changes that introduce risks. A topology for each workload is generated in real time to identify any potential indicators of drift away from the initial deployment settings. If the drift is due to a legitimate change, Accurics will allow code to be updated. If the code introduces risks, IT teams can roll their code back to the last known secure posture using a “time machine” capability that Accurics has baked into its platform.
Cesar Rodriguez, head of developer advocacy at Accurics, says support for Kustomize and Helm Charts enables IT teams that rely on these tools to configure clusters and deploy software to make sure there are no misconfigurations when deploying infrastructure as code. Now that developers are using tools such as Terraform to programmatically spin up infrastructure, misconfiguration issues have become the root cause of a wide range of cybersecurity issues.
A recent report published by Accurics found that only 4% of cloud security issues discovered after cloud infrastructure has been configured are addressed. Those issues can be especially problematic in Kubernetes environments because of the inherent complexity of the platform. Many developers are simply content to just get a Kubernetes cluster up and running without making sure it’s configured properly, notes Rodriguez.
Overall, the goal is to provide IT teams with a Terrascan tool that makes it easier to mitigate misconfiguration issues as organizations embrace best DevSecOps practices, he adds.
Fresh off raising an additional $20 million in funding, Accurics has already integrated Terrascan with a variety of DevOps tools, including offerings and platforms from HashiCorp, GitHub and CircleCI.
It’s too early to say how organizations will embrace DevSecOps. In some cases, DevOps teams will need to work closely with their cybersecurity counterparts. In other cases, DevOps teams will simply move forward on their own. Regardless of approach, the most critical thing now is to simply get the tools required to secure IT environments into the hands of the DevOps teams that need them.