Infrastructure-as-code is quickly gaining traction but security lags, as confirmed by new research from developer-first cloud security startup Bridgecrew.
SAN FRANCISCO, July 22, 2020 /PRNewswire/ — Bridgecrew, which came out of stealth mode this April, published its first research report analyzing the infrastructure-as-code (IaC) security ecosystem. The State of Open Source Terraform Security report shows there is a lot of room for improvement.
The IaC security challenge
Popularized by open-source frameworks such as HashiCorp’s Terraform, IaC is used to provision cloud resources with improved scalability and immutability. As is common for emerging technologies, however, security hasn’t yet caught up.
“At a time when organizations are embracing DevSecOps principles more and more, we were surprised by the gaps in security coverage and awareness at the IaC level,” said Guy Eisenkot, Co-founder and VP of Product, Bridgecrew. “Teams have relied on cloud providers’ native tools and traditional security posture management solutions, but they aren’t getting the commit-to-cloud visibility they need.”
IaC adds another layer of complexity to already convoluted cloud-native environments, making it difficult to know whether security controls are in place and where they should be governed.
Bridgecrew sees this challenge as an access and knowledge gap. The San Francisco-based startup has spent the last 16 months helping teams bridge those gaps with its open-source tools, SaaS platform, and now with research like this.
Bridgecrew used Checkov, its open-source IaC security tool, to scan the Terraform Registry, the largest public registry of IaC modules. The report analyzes compliance trends across categories (e.g., encryption, networking) and cloud providers. Here are some top findings:
- 44% of modules used to provision AWS, Azure, and Google Cloud resources are misconfigured.
- Misconfigured modules have been downloaded over 15 million times since 2017.
- Q2 2020 had the highest quarter-over-quarter module growth and an increase in misconfigurations.
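To make concrete what a "misconfigured module" in the encryption and networking categories looks like, here is an added illustration written for this page; it is not code from the report, from Bridgecrew, or from any Terraform Registry module. Resource names, the bucket name and the variables are made up, and the syntax assumes the 2020-era AWS provider (v3.x), where bucket encryption and versioning are inline blocks on `aws_s3_bucket`. The first half is the weak form a scan would flag; the second half is the corrected form.

```hcl
# Added illustration, not from the report or the Terraform Registry.
# Names, the bucket name and the variables are assumptions; syntax
# assumes the AWS provider v3.x, where encryption is an inline block.

# --- Misconfigured: the kind of module the scan counts as failing ---

resource "aws_s3_bucket" "logs_weak" {
  bucket = "example-logs-weak"
  # No server_side_encryption_configuration: objects land unencrypted.
  # No versioning and no public-access block either.
}

resource "aws_security_group" "bastion_weak" {
  name   = "bastion-weak"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # SSH reachable from the whole internet
  }
}

# --- Corrected ---

resource "aws_kms_key" "logs" {
  description         = "CMK for the log bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.logs.arn
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # e.g. the corporate VPN range, passed in
  }
}

variable "vpc_id" {}
variable "admin_cidr" {}
```

With Checkov installed, running `checkov -d .` in the module directory lists each failing resource with a check ID and a pointer to remediation guidance, and exits non-zero when anything fails, which is what makes it usable as a pre-merge gate in CI rather than only as a one-off audit. The exact check IDs that fire depend on the Checkov version, so read them from the tool's output rather than from this page.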
“IaC compliance is a huge area of risk for cloud-native organizations, but it’s also a huge opportunity in terms of both security and cost management,” said Barak Schoster, Co-founder and CTO, Bridgecrew. “Knowing about the risks is the first step to seizing that opportunity.”
Bridgecrew is the codified cloud security platform trusted by teams from Brex, Databricks, OneMain Financial, and more. Founded in 2019, Bridgecrew is backed by top-tier VCs, including Battery Ventures, NFX, and Sorensen Ventures. Get started for free at bridgecrew.io.