Infrastructure as Code Security Insights
SNYK RESEARCH REPORT, February 2021

Introduction

Cloud native applications are more than just the code developers create. Today's applications include infrastructure as code (IaC) that dictates how the applications are set up on cloud infrastructure and how containerized applications will run on Kubernetes. The use of IaC allows for faster, repeatable deployments, but it also increases the burden on developers to secure not only their code, but also the infrastructure configuration, in addition to code dependencies and containers.

In this survey, Snyk sought to take stock of how IaC is being deployed by companies both large and small. Feedback from a wide range of roles in these companies went into our outlook on the state of IaC, highlighting the value of IaC as well as the roadblocks to its widespread use and what we can do to overcome them.

While our survey shows that many organizations have not coalesced on one "right" way to use IaC, or on who should be responsible for writing and maintaining it, we did find that respondents who take advantage of automated security testing for their IaC definitions find and fix misconfigurations faster than their peers. The high performers in our survey find and fix issues in their IaC definitions within a single day, whereas the lower performers take more than a week to realize there is a security issue and then up to 2 more days to fix it.

Key takeaway: respondents performing automated security testing as part of their release pipelines were faster to find and fix vulnerabilities.

Can you fix an issue in under 1 day?
  Teams with fully automated security checks: 76%
  Teams with no or only partially automated security checks: 59%
  Teams that only check security after deployment: 38%
Current IaC Practices

The benefits to speed and reliability when everything is in code and automated can be immense. But the benefits do come with a cost, namely an increasing burden on developers to secure not just their own code but its dependencies, containers, and now the infrastructure configuration. To start our research, we first explored which companies were taking on the challenge of implementing IaC and which tools they are currently using as they develop best practices. We found that many companies are only starting out on their IaC journey, with 63% just beginning to explore the technology and only 7% stating they have implemented IaC to the best of current industry capabilities. While there are many tools either in use or being considered, 71% would prefer to standardize on a common toolset/workflow across all IaC configuration types and formats.

63% of companies are just starting out; 7% of companies are implementing the best of current industry capabilities.

IaC tools in use today and under consideration
  In use today: AWS CloudFormation (36%), Azure Resource Manager (30%), Kubernetes (incl. YAML, JSON and Helm), Ansible, Terraform, Docker Compose, Google Cloud Deployment Manager, Serverless Framework.
  Considering for the future: Cloud SDKs (AWS CDK, Azure SDKs), AWS CloudFormation, Kubernetes (incl. YAML, JSON and Helm), Azure Resource Manager, Google Cloud Deployment Manager, other Kubernetes tools.

The opportunity is still wide open for most organizations to lay a firm foundation and implement the right tools and practices before widely adopting IaC.

We looked at how three different clusters of respondents to our survey fared when it comes to finding and fixing configuration issues that arise from using infrastructure as code:

  Full automation: respondents who said they always perform automated security testing as part of their release pipelines.
  Less than full automation: respondents with no automation, up to those who have partial automation of security checks.
  Only post-deployment checks: respondents who may use some automation, but only perform checks after infrastructure is deployed, via audit tools, pen testing, or investigating security incidents.

It may come as no surprise that the fully automated group outperformed both of the other groups at both discovering and fixing issues. When it comes to finding issues, the high performers were able to discover issues in less than a day roughly twice as often as respondents in the other two groups. And the fully automated cluster was able to fix issues quickly, in less than half a day, over 60% more often than either of the other clusters.

There were differences at the other end of the responses, too. The two lower performing clusters took 1 week or more to discover IaC issues in over half their cases, whereas the fully automated cluster only took that long 30% of the time. Fixing the issues is where the cluster that only runs post-deployment checks really suffered. They were able to fix these IaC issues in less than a day only half as often as the fully automated respondents, and in 62% of the cases it took longer than a day to implement the fix.

                                                                 Fully automated   No/partial automation   Checks after deployment
  Can you detect an issue in less than 1 day?                          34%                 14%                     18%
  How often do you go 1 week or longer before finding an issue?        30%                 54%                     60%
  Can you fix an issue in less than 1 day?                             76%                 59%                     38%
  How often does it take you over a day to fix an issue?               25%                 41%                     62%

Does Speed Equate to Safety?

Currently, modern applications deploy automatically on infrastructure created and configured via code. As a result, security so often takes a back seat to a speedy deployment, meaning configuration issues are not uncovered until after these applications have been deployed. Even Gartner* states, "By 2025, 70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated." Yet all this does not necessarily mean speed is inherently risky when it comes to IaC. In fact, the automated testing and release gates that are in place for other forms of code can be used with IaC and help make security best practices part of the development and release process. The highest performers in this survey, those who are both finding and fixing configuration issues fastest, are already doing exactly that.

Do you include IaC security tests in your CI pipeline?
  No CI testing: 40%. The remaining 60% answered Sometimes, Usually or Always.

* Gartner Magic Quadrant for Application Security Testing, April 2020.

Current IaC Security Practices

While the highest performers are finding and fixing security issues as part of their release pipelines, this type of automated testing is still nascent when it comes to security testing. Of those surveyed, 60% said their current workflow for IaC and configuration code does go through continuous integration (CI) testing, but security checks are not always part of those tests. Only 32% of respondents include security checks in their pipelines. In fact, most security issues are still being discovered after deployment, through pen testing, audits, and investigating security incidents. For those who are only using these post-deployment checks, it takes a week or more to discover a security issue in half the cases and over a day to fix those issues in nearly 2/3 of the cases. All in all, that is potentially 9 days of running with a security vulnerability versus less than one day for the highest performers.

How do you find out about security issues in your configurations and IaC?
  Audit running environments after deployment: 45%
  Pen testing: 43%
  Manual code scans: 35%
  From investigating incidents: 33%
  Automated testing/CI: 32%
  Tools from our IaC or public cloud provider: 21%

So what is standing in the way of making a change?

For those who said their IaC and configuration code goes through CI testing, the biggest barrier to integrating security checks is a lack of standardized best practices on what to check, with each of their separate teams making their own decision about what to test. When you couple that with the 41% who said their barrier was unclear benchmarks for security, the shortest path to improved IaC security can be paved with better tools that offer clearer guidance, while still providing teams with the freedom to determine what is most important for their needs.

What is limiting you from always integrating security checks into the IaC testing process?
  Each team makes their own decisions about what to test: 62%
  We do not have a clear set of benchmarks on what to test against: 41%
  We have not decided what is important for us to test: 22%
  We do not have the right testing tools: 22%
  Concerned it would slow us down too much: 16%
  There is no clear owner to address issues that are discovered: 11%
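The report's argument is that the release gates already used for application code can gate IaC too, and that teams stall because nobody has written down which checks to run. The script below is an added example written for this edit to make that concrete; it is not Snyk IaC, not code from the report, and its rule set is this example's own selection of common Kubernetes hardening checks rather than any published benchmark. The two manifests it scans are constructed inline (the registry and image names are made up), so it runs offline; in a real pipeline the same function would read the manifest files produced by the build and the non-zero exit code would fail the stage.

```python
"""Minimal IaC security gate for Kubernetes manifests (added example).

The rule set is this example's own selection of common hardening checks,
not a published benchmark; adjust it to the benchmarks your teams agree on.
"""
import json
import sys

# Constructed sample: a Deployment carrying several common misconfigurations.
RISKY_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/api:latest",  # made-up registry
            "securityContext": {"privileged": True},
        }],
    }}},
})

# Constructed sample: the same workload with the fixes applied in code.
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/api@sha256:" + "0" * 64,  # pinned by digest
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
            },
        }],
    }}},
})


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a workload that wraps a Pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(text):
    """Parse one JSON manifest and return the list of findings (empty means pass)."""
    manifest = json.loads(text)
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    if spec.get("hostNetwork"):
        findings.append(f"{name}: pod shares the node's network namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume mounts {vol['hostPath'].get('path')!r} from the node")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: container runs privileged")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true unless set explicitly
            findings.append(f"{cname}: allowPrivilegeEscalation is not set to false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: runAsNonRoot is not enforced")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{cname}: no resource limits set")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # drop registry/path so a registry port is not read as a tag
        if ":" not in last or image.endswith(":latest"):
            findings.append(f"{cname}: image {image!r} is not pinned to a tag or digest")
    return findings


def gate(manifests):
    """CI entry point: print findings and return 0 if every manifest passes, else 1."""
    failures = [f for text in manifests for f in check_manifest(text)]
    for f in failures:
        print("FAIL", f)
    return 1 if failures else 0


if __name__ == "__main__":
    # In a pipeline the manifests would come from files; here the constructed ones are scanned.
    sys.exit(gate([RISKY_MANIFEST, HARDENED_MANIFEST]))
```

Against the constructed input the risky manifest produces seven findings and the hardened one none, so the gate exits non-zero until the code is fixed. The point of keeping the rules in one function checked into the repository is the one the survey respondents are missing: every team runs the same agreed checks, before deployment, against the same source that will be deployed.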
Infrastructure Remediation

Finding the issue is just one piece of the puzzle; once an issue is discovered, somebody has to fix it. When faced with a choice, 52% of respondents claim they usually remediate a security issue by directly tweaking the infrastructure instead of addressing it by modifying the IaC source code. This opens up the possibility of a number of issues in the long term, because the infrastructure and the codified definitions used to create it will start to drift; either that, or the modified infrastructure will be reset to its misconfigured state on the next deployment. For those who choose this manual remediation path, their reasoning is split between a lack of standardization, knowledge, and communication, along with a desire to speed up the fixes as much as possible.

Why do you directly modify the infrastructure instead of fixing the code?
  Lack of standardized workflow and practices: 39%
  Concern that redeploying from code will create new issues: 38%
  Faster/easier to tweak the infrastructure: 38%
  Tracing infrastructure issues back to code is complex/slow: 23%
  Lack of communication between developers and operators: 23%
  Lack of security knowledge in the team responsible for the code: 22%
  No automated tests to ensure the IaC changes work before ...: 9%

How often do you directly modify infrastructure, rather than fixing the configuration in your IaC code?
  Most of the time (we usually change the infrastructure directly instead of modifying the source code): 34%
  Often: 18%
  Rarely: 35%
  Never (we always fix the code first): 13%

52% remediate a security issue by directly tweaking the infrastructure instead of addressing it by modifying the IaC source code.

While a lack of standardized workflow and practices was the leading reason respondents chose to remediate a security issue manually, a total of 61% of respondents also pointed to speed-related issues, namely that it is faster and/or easier to tweak the infrastructure because tracking issues back to the IaC definitions is too complex and/or slow. Again, this points to two underlying issues. First, when security checks are only performed after infrastructure has been deployed, it is too late in the process. It separates the security checks from the code, and it is likely that pen test reports and audit tools do not provide data that is directly actionable by the owners of the IaC code. Second, for teams that are stretched thin, a lack of bandwidth could lead to the decision (consciously or not) to overlook some security in favor of speed. For those teams that are at their limit, the right tools can make a world of difference in equipping developers with what they need to prioritize security. But before a tool can be decided on, teams must first determine who holds final responsibility for IaC.

61% said speed-related issues were the reason they remediate a security issue manually.

Who Holds Responsibility for IaC Security?

One of the barriers to shifting IaC security left was that teams struggled to standardize practices across their organization, leaving each team to audit IaC as they see fit. In addition to the obvious security issues this presents, it speaks to a larger disconnect on responsibility. A common theme of this survey is the difficulty of pinning down security ownership when it comes to IaC, so where does the industry currently stand?

Today it seems there is no consensus on who is responsible for security within IaC. Developer and DevOps roles have a slightly bigger role than other individual teams, and a good number say it is a shared responsibility, potentially fitting into the newer DevSecOps models. When asked which team should be responsible for IaC security, if it is not a shared responsibility, the answers shifted heavily to the developers/DevOps groups. So what is stopping these security responsibilities from shifting further left? Mostly, it is confidence in the broader organization's ability to readily spot and fix issues in the code.

Who is responsible for configuration security in IaC today, and who should be responsible?
  It is a shared responsibility: 29% today
  Developers/DevOps: 28% today, 52% should be
  Infrastructure: 24% today, 23% should be
  Security: 24% today, 20% should be
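The drift problem described in the remediation section, as an added example (not code from the report or from any Snyk product): a small Python model of a resource definition, its deployed copy, and a console-side tweak, with a field-level comparison that shows what the page describes. The tweak leaves code and infrastructure out of sync, the next deploy from unchanged code puts the misconfiguration back, and only fixing the code keeps the two aligned. The bucket-style resource and its field names are made up for the illustration and are not any cloud provider's schema; the deploy and console-fix functions stand in for a real provisioning run and a real console edit.

```python
"""Field-level drift check between an IaC definition and the live resource (added example).

Models the two remediation paths from the report: tweak the deployed
infrastructure, or fix the code and redeploy. The bucket-style resource and
its fields are made up for the illustration, not any provider's schema.
"""
import copy

ABSENT = "<absent>"  # marker for a field present on one side only

# Constructed IaC definition with a weak setting (a world-readable bucket).
IAC_DEFINITION = {
    "bucket": "app-logs",
    "acl": "public-read",
    "versioning": {"enabled": False},
    "encryption": None,
    "tags": {"team": "payments"},
}


def flatten(obj, prefix=""):
    """Flatten nested dicts into {"dotted.path": value} so fields compare one by one."""
    if isinstance(obj, dict) and obj:
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): obj}


def drift(desired, observed):
    """Return sorted (path, desired, observed) triples for every field that differs."""
    want, have = flatten(desired), flatten(observed)
    return sorted(
        (path, want.get(path, ABSENT), have.get(path, ABSENT))
        for path in set(want) | set(have)
        if want.get(path, ABSENT) != have.get(path, ABSENT)
    )


def deploy(definition):
    """Simulated deploy: the live resource becomes exactly what the code declares."""
    return copy.deepcopy(definition)


def console_fix(live, **changes):
    """Simulated out-of-band change applied directly to the live resource."""
    patched = copy.deepcopy(live)
    patched.update(changes)
    return patched


def remediation_paths():
    """Walk both paths; return (drift after tweak, misconfig back after redeploy, drift after code fix)."""
    live = deploy(IAC_DEFINITION)

    # Path 1: tweak the infrastructure. The finding disappears from the live
    # environment, but the code still declares the weak setting.
    live_tweaked = console_fix(live, acl="private", encryption={"algorithm": "AES256"})
    drift_after_tweak = drift(IAC_DEFINITION, live_tweaked)

    # The next deploy from the unchanged code silently puts the misconfiguration back.
    redeployed = deploy(IAC_DEFINITION)
    misconfig_back = redeployed["acl"] == "public-read" and drift(IAC_DEFINITION, redeployed) == []

    # Path 2: fix the code, then deploy. Code and live state stay aligned.
    fixed = copy.deepcopy(IAC_DEFINITION)
    fixed["acl"] = "private"
    fixed["encryption"] = {"algorithm": "AES256"}
    drift_after_code_fix = drift(fixed, deploy(fixed))

    return drift_after_tweak, misconfig_back, drift_after_code_fix


if __name__ == "__main__":
    after_tweak, back, after_fix = remediation_paths()
    for path, want, have in after_tweak:
        print(f"DRIFT {path}: code={want!r} live={have!r}")
    print("misconfiguration returns on redeploy:", back)
    print("drift after fixing the code:", after_fix)
```

The drift report is keyed by the dotted path of the field, which is also the answer to the "tracing infrastructure issues back to code is complex/slow" complaint in the chart above: a report that names the exact field in the definition is directly actionable by the owner of the IaC, whereas a pen test or audit finding against the running resource is not.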
Snyk Infrastructure as Code: Find and fix configuration security issues the way cloud native experts do.

Snyk's long-standing developer-first approach led to the creation of Snyk Infrastructure as Code (Snyk IaC) to help solve these problems. This latest tool moves the security controls for infrastructure and configurations to the beginning of the development lifecycle, so developers can proactively determine whether their application and infrastructure specifications are safe. Designed to fit a developer's workflow, Snyk IaC helps pinpoint how to write secure Kubernetes and Terraform configurations, and even provides automated fixes as code in your choice of source code management system. Together with Snyk Container and Snyk Open Source, you can embed security expertise across your entire development organization. To secure your organization and learn more about Snyk IaC, visit snyk.io/product/infrastructure-as-code-security/.

How confident are you in your ability to spot configuration issues in IaC?
  Greatly confident: 4%
  Fairly confident: 22%
  Not confident: 25%
  Somewhat confident: 49%

What would make you more confident in your organisation's ability to spot IaC misconfigurations?
  Professional training: 67%
  Automated code testing for IaC in CI/CD: 48%
  Audit tools specific to IaC and configuration: 42%
  Playbooks to follow: 37%
  Tools built in to IDEs: 29%
  Peer mentoring: 26%
  Industry or infrastructure vendor benchmarks: 22%

A clear and scalable solution to IaC security challenges is to invest in the tools and training needed to drive up confidence and help with bandwidth for these teams, allowing them to deploy code quickly and securely. In the same report cited above, Gartner also sees the potential for these automated tools and predicts that, by 2025, organizations will speed up their remediation of coding vulnerabilities by 30% with code suggestions applied from automated solutions, reducing time spent fixing bugs by 50%.

Survey Methodology

This vendor neutral research was independently conducted by Virtual Intelligence Briefing (ViB). ViB is an interactive online community focused on emerging through rapid growth stage technologies. ViB's community is comprised of more than 2.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across multiple IT domains. The survey methodology incorporated extensive quality control mechanisms at 3 levels: targeting, in-survey behavior, and post-survey analysis. The calculated margin of error at a 95% confidence level is 3.9%. After receiving 543 responses from members of our opted-in 2M+ IT community, we screened out about 120 respondents who met the role, level and company size requirements, but who indicated they were not currently using, or considering using, the IaC/configuration tools listed in the survey. This extensive process led to a survey pool of 481 qualified individuals in order to present the most accurate look at the current state of IaC.

Survey respondents by role: Cloud & Platform; Developers and DevOps; Architects; Infrastructure; Security & Compliance.
Survey respondents by company size: 1-500 employees; 500-1000; 1000-2000; 5000-10,000; 10,000-15,000; 15,000+.
55、iduals in order to present the most accurate look at the current state of IaC.Survey MethodologyCloud&Platform1-500 employeesDevelopers and DecOps1000-2000Architects500-1000Infrastructure5000-10,00010,000-15,00015,000+Security&Compliance%28%30%14%12%23%31%8%4%8%16%15%Survey respondents by roleSurvey respondents by company sizeSNYK RESEARCH REPORTInfrastructure as Code Security Insights 12SEE SNYK IAC IN ACTION