What is security as code?
Security as code (SaC) is the integration of security tasks into DevOps practices. The resulting process is also known as DevSecOps. Just as DevOps automatically builds, tests, and deploys applications, SaC ensures that security measures are part of the CI/CD pipeline and, ideally, already enforced when writing code in an IDE.
The evolution of SaC
The DevOps movement took the industry by storm. When renting VMs by the minute became possible, the tooling for operational tasks had to keep up. Merging operations and development teams allowed operations to build their own tools and development to include operational experience in their software. But security requirements were still an afterthought, often ignored until the late stages of the software development life cycle (SDLC) or, worse, after the first attack.
Security as code tries to counter this issue by including a secure software development framework early in the development process, just like DevOps did with operations. Vulnerability checks and security rules are implemented as scripts that can run automatically in the CI/CD pipeline, minimizing the need for manual intervention.
This article will explain SaC, how to implement it, and discuss its benefits. Let’s dive in.
CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.
Download Cheat Sheet
A closer look at SaC
SaC principles
SaC principles form the base of the approach, defining practices that you need to follow when you’re ready for implementation:
Automation, so no human has to perform repeating tasks
Continuous integration, so SaC methods are a gatekeeper between implementation and production
Infrastructure as code (IaC), so there’s secure configuration and provisioning of cloud infrastructure
Visibility and reporting, so teams can be notified about issues and learn what went wrong and how to fix it
SaC methods
Next, let’s look at SaC methods. Some work directly on the source code and some check the running application, but they all have the focus on automation in common:
Security rules codify governance decisions like geographical storage locations or coding best practices.
Access policies implement access controls for each user involved with a software project.
Vulnerability scanning checks the source code for potential issues in third-party libraries and common security vulnerabilities like injection attacks or buffer overflows.
Security testing checks the application at runtime for typical security issues like configuration errors and public secrets.
Each method must be implemented in a programmatically accessible way so a CI/CD pipeline can execute them automatically. The crucial step in this integration is to find the location in the pipeline where each SaC method is the most effective and doesn’t add extra costs or delays to the change process.
Security as Code (SaC) and Policy as Code (PaC) are closely related concepts that integrate security and policy management into the software development lifecycle through automation and codification.
Both methodologies aim to reduce manual intervention by automating processes. SaC automates security checks, while PaC automates policy enforcement. Security as Code and Policy as Code complement each other by embedding security and policy management into the development process, thereby enhancing automation, consistency, and collaboration across teams.
What are the benefits of security as code?
SaC brings a lot to the table:
| Benefit | Description |
|---|---|
| Enhanced Collaboration | SaC fosters better collaboration between development and security teams. By integrating security checks into the CI/CD pipeline, both teams can work on the same code base, addressing security issues early in the development process. This reduces the friction often seen when security is treated as a separate, later stage concern. |
| Increased Visibility | Codifying security policies and decisions provides transparency across the organization. This allows teams to track access and policy changes and facilitates self-service requests for changes, thereby increasing visibility and control over security measures. |
| Improved Efficiency and Agility | Automating security processes reduces the time and effort required for manual security checks, allowing for faster release cycles. This efficiency also frees up security teams to focus on more critical tasks, such as addressing zero-day vulnerabilities. |
| Increase permission management and visibility | SaC leverages codified access policies. |
| Eliminate unnecessary costs in the long run | SaC’s focus is on automation, which enables early fixes. |
| Consistency and Reusability | SaC ensures that security policies are consistently applied across all development activities. The use of code and automation for security processes allows for the reuse of security controls and configurations, reducing the need for repeated manual interventions. |
| Proactive Security | By integrating security measures early in the software development lifecycle, SaC helps identify and address security issues before they reach production. This proactive approach minimizes vulnerabilities and enhances the overall security posture of the organization. |
DevOps Security Best Practices [Cheat Sheet]
In this 12 page cheat sheet we'll cover best practices in the following areas of DevOps: secure coding practices, infrastructure security, monitoring and response.
Download Cheat Sheet
How is security as code implemented?
There are two main categories of SaC. Security rules and access policies expressed in programming or policy languages form the first category. Vulnerability scans and security tests form the tools category. Let’s examine how to implement both.
Security rules and access policies
Security rules can include governance decisions, like deploying only in a specific country or requiring every deployment to have two instances. Such restrictions are usually enforced by a cloud provider and controlled via IaC at resource definition time inside the CI/CD pipeline and related DevOps tools.
Other security checks can include coding best practices for a specific programming language or platform. Tools like linters enforce these rules, ensuring each line of code adheres to them. Linters run directly in an IDE while writing code, meaning developers must comply before pushing changes to a source code repository. Still, security checks should also be part of the CI/CD pipeline to catch any code push that doesn’t comply.
Access and security policies are usually defined as documents enforced by authorization libraries and services directly in the application code or by the cloud provider for inter-application communication.
Vulnerability scans and security tests
Like the code linters, vulnerability scans can also run early in the SDLC. If developers scan their code before pushing it to a repository, they can fix issues quickly when they still remember what they programmed. However, as with the linters, the scans should always run early in the CI/CD pipeline, as they carry out static analysis that doesn’t require compilation or deployment.
Security tests, which perform dynamic analysis, usually require the execution of the whole application or its components. It isn’t feasible for some systems to run in the developer’s environment, so the tests must run at the end of the CI/CD pipeline before production delivery happens.
What are security as code best practices?
Now that the what and how are clear, let’s discuss the best practices for SaC:
Automate security scans and tests so no team member has to execute them manually. Automation may include Git hooks that scan before committing or pushing, but it must always include CI/CD steps that get executed before changes go to production.
Build a continuous feedback loop that prevents issues from being ignored or forgotten. Found vulnerabilities need to be fixed as soon as possible and in a way that allows the implementing team to learn from the error and prevent it in the future.
Evaluate and monitor automated security policies to prevent resorting to admin privileges as a default. Manually granting granular permissions can become daunting, but there are tools that can generate policies from usage patterns in access logs.
Automate complex or time-consuming manual tests with scripts. Humans are creative problem solvers but aren’t particularly good at repeating complex and potentially boring tasks. A custom script ensures the procedure is always followed in the exact same way, independent of the team’s stress level.
Validate test scripts' accuracy and efficiency. Just writing a script and hoping for the best isn’t enough. More often than not, a typo in a script can lead to devastating results like too many permissions or the wrong number of provisioned resources. Also, an inefficient script might cost time that could be invested better.
Test new code within a staging environment that resembles production as closely as possible. Cloning production data into staging might help here. Subtle differences between development and production might lead to developers making wrong assumptions, leaving a system more vulnerable.
Scheduled or continuous monitoring should automatically create logs; otherwise, malicious access might go unnoticed and vulnerabilities will be harder to reproduce and fix in the production environment.
Making the most of SaC with Wiz
Wiz finds misconfigurations in your cloud environment with thousands of built-in security as code policies, based on Rego. your production environment. In addition, our code security solutions integrate with your version control repositories to ensure all code is scanned for vulnerabilities like secrets and misconfigurations. We correlate production issues with your source code so your teams can eliminate potential threats quickly.
And in the spirit of the shift-left approach, Wiz runs on your developers’ machines. Simply run the Wiz CLI alongside VS Code to receive notifications about potential issues. This way, you can catch security problems before they’re pushed into a repository.
You can also use Wiz to review your software supply chain. This means not only is your code secured but also all the third-party libraries you leverage in your software development lifecycle.
Simply put? Wiz offers an all-in-one solution for your SaC needs. Schedule a demo and see for yourself.
See why Wiz is one of the few cloud security platforms that security and devops teams both love to use.
