How to push security earlier into the dev process

Brandon Butler

A new crop of products is emerging that aim to implant security best practices and compliance checks as early and often as possible when new infrastructure is spun up in the cloud or when new applications are launched in a rapid development environment.

The idea behind these products is that security should be incorporated into the entire life cycle of resources being used or applications being developed. Some vendors contend that too often security assessments are either not performed, or they’re done too late in the process of managing resources and apps. Tools from companies like Amazon Web Services, Microsoft and Chef are all aiming to ensure security best practices are automatically enforced as early on in the process as possible.

Today Chef – the company that is best known for its automation software scripts – announced a new product named Chef Compliance. The service allows users to write a short script that will run tests to ensure various security best practices are being followed.

For example, a common best practice is to require key-based authentication for SSH access to a server or virtual machine rather than password-based authentication, which is more easily guessed, brute-forced or phished. Using Chef Compliance, users can set up a script that automatically tests each new server or VM as it is spun up to ensure that key-based authentication is enforced, and the system can be configured to send an alert whenever a server fails the test. A variety of other tests can be configured to run against both applications and infrastructure. “The goal is to move from a moment in time security to continuous compliance checks of security,” says Chef’s Vice President of Business Development Ken Cheney. Compliance is offered as part of a bundle of premium features from the company, which runs $127 per node.
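To make the key-based authentication check concrete, here is an added example of the kind of test such a script runs. It is not Chef Compliance code and does not use Chef's compliance DSL; it is a plain Ruby checker that parses a host's sshd_config, applies OpenSSH's first-value-wins rule, fills in OpenSSH 7.x's documented defaults for directives the file omits, and reports every setting that would still allow a password login, including conditional overrides in Match blocks. The function names, the control list and the three sample configurations are constructed for this example.

```ruby
# Added example: stand-alone sshd_config compliance check in plain Ruby.
# Not Chef Compliance's own code; a compliance run would apply a test of
# this shape to every new node. Defaults are OpenSSH 7.x's documented ones.

# Effective value when a directive is absent from the file.
SSHD_DEFAULTS = {
  'passwordauthentication'          => 'yes',
  'pubkeyauthentication'            => 'yes',
  'challengeresponseauthentication' => 'yes',
  'permitrootlogin'                 => 'prohibit-password',
}.freeze

# directive => [allowed values, reason shown in the alert]
CONTROLS = {
  'passwordauthentication'          => [%w[no], 'password logins must be disabled'],
  'pubkeyauthentication'            => [%w[yes], 'public-key logins must be enabled'],
  'challengeresponseauthentication' => [%w[no], 'keyboard-interactive (PAM) password prompts must be disabled'],
  'permitrootlogin'                 => [%w[no prohibit-password without-password], 'root must not log in with a password'],
}.freeze

# Parse an sshd_config into global settings plus Match-block overrides.
# sshd keeps the FIRST value it sees for a global directive; everything
# after a "Match" line applies only to that scope, so it is collected
# separately as [scope, key, value] triples.
def parse_sshd_config(text)
  settings  = {}
  overrides = []
  scope     = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip            # drop comments and whitespace
    next if line.empty?
    key, value = line.split(/[\s=]+/, 2)       # "Key value" or "Key=value"
    next if key.nil? || value.nil?
    key   = key.downcase
    value = value.strip.downcase
    if key == 'match'
      scope = value
    elsif scope
      overrides << [scope, key, value]
    else
      settings[key] ||= value                  # first occurrence wins
    end
  end
  [settings, overrides]
end

# Returns a list of failure messages; an empty list means the host passes.
def key_auth_failures(config_text)
  settings, overrides = parse_sshd_config(config_text)
  effective = SSHD_DEFAULTS.merge(settings)
  failures = CONTROLS.each_with_object([]) do |(key, (allowed, why)), acc|
    acc << "#{key}=#{effective[key]} (#{why})" unless allowed.include?(effective[key])
  end
  # A Match block that re-enables a forbidden setting is a hole too.
  overrides.each do |scope, key, value|
    allowed, why = CONTROLS[key]
    next if allowed.nil? || allowed.include?(value)
    failures << "match #{scope}: #{key}=#{value} (#{why})"
  end
  failures
end

# One line per host, in the shape an alerting channel would receive.
def report(host, config_text)
  failures = key_auth_failures(config_text)
  return "#{host}: COMPLIANT" if failures.empty?
  "#{host}: NONCOMPLIANT (#{failures.size}) - #{failures.join('; ')}"
end

# Constructed sample configs standing in for files pulled from new VMs.
COMPLIANT_CONFIG = <<~CFG
  # hardened host: keys only
  Port 22
  PubkeyAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  PermitRootLogin prohibit-password
CFG

NONCOMPLIANT_CONFIG = <<~CFG
  # fresh image that kept distribution defaults plus a bad root setting
  Port 22
  PasswordAuthentication yes
  PermitRootLogin yes
CFG

MATCH_OVERRIDE_CONFIG = <<~CFG
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  Match User backup
    PasswordAuthentication yes   # conditional exception that defeats the policy
CFG

if __FILE__ == $PROGRAM_NAME
  puts report('web-01', COMPLIANT_CONFIG)
  puts report('web-02', NONCOMPLIANT_CONFIG)
  puts report('web-03', MATCH_OVERRIDE_CONFIG)
end
```

Two details matter in practice: the file alone is not the whole story, because an omitted directive takes sshd's default (so a config that never mentions PasswordAuthentication still allows passwords), and a Match block can quietly re-enable what the global section forbids. Running `sshd -T` on the host and feeding its output to the same checker avoids the first problem entirely, since it prints effective values.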

AWS announced a similar service, Amazon Inspector, at its re:Invent conference this fall. Inspector is an automated security assessment service that scans for security vulnerabilities and deviations from best practices. Customers deploy an Inspector agent in their AWS environment and choose from a library of tests for Inspector to run against it. Inspector then produces a prioritized list of the security issues it found, along with recommendations for fixing them. It can be configured, for example, to verify that software such as operating systems is running the most up-to-date, patched versions, or to check every Elastic Compute Cloud (EC2) instance to ensure that controls on who can access it and what it can be used for are in place. Inspector is currently in a limited preview.
