Proactively Securing Cloud Workloads in the CI/CD Pipeline with Rapid7 and Azure DevOps

As organizations continue to embrace cloud-native development practices, the need for integrated security solutions that fit seamlessly into existing DevOps environments has become more pressing than ever. We recognize this critical need and have added a new integration of InsightCloudSec (ICS) and Exposure Command with Azure DevOps for Infrastructure as Code (IaC) tooling, empowering organizations to quickly and effectively safeguard their attack surfaces.

But first, let's quickly refresh the infrastructure as code functionality within ICS to remind us how important it is and why this new integration will play a key role in your organization's security posture. Shifting left in code security is more important than ever, and IaC is the impetus for organizations to move cloud security and compliance from being reactive (at runtime) to being preventative (during development). The key is integrating the right controls, with the proper guidance, directly into the CI/CD pipeline, which makes it possible to deliver secure and compliant cloud infrastructure from the start. Rapid7’s IaC tool surfaces key insights and risks during the development process, allowing you to protect and secure your attack surface before it ever becomes visible. If you want to learn more about getting started with IaC, check out this helpful guide.

Why DevSecOps is so important

In today's fast-paced development environments, security cannot be an afterthought. The ability to integrate security checks directly into DevOps workflows, commonly referred to as DevSecOps, is crucial for minimizing vulnerabilities and reducing the risk of breaches.

Making security a shared responsibility between development, operations and security teams has a number of key benefits:

  • It enables developers to deliver better, more secure code faster and, therefore, more cheaply.
  • It makes security a continuous activity, allowing issues to be caught proactively before they reach production.
  • It stops an all-too-common dynamic in which security teams are only brought in at the end of the project in a QA role.

Impact of the new integration

With cloud environments being dynamic and complex, it’s vital to have tools that can quickly scan repositories and return actionable insights with minimal disruption to the development process. This is where the integration between InsightCloudSec and Azure DevOps makes a significant impact. By embedding security directly into the CI/CD pipeline, organizations can ensure that their code is secure before it ever reaches production, thus safeguarding their entire attack surface more effectively.

The integration of InsightCloudSec with Azure DevOps introduces a suite of new capabilities designed to enhance how organizations assess and respond to potential risks within their cloud environments.

Here’s how it transforms the security landscape:

  • Extend attack surface visibility into the CI/CD pipeline: The integration is designed to maximize the protection of your cloud environment by shifting security controls to the left and continuously monitoring and assessing risks. By catching issues early, it significantly reduces the likelihood of security threats reaching production, thereby minimizing the potential attack surface.
  • Proactive repository scanning: With this integration, security scans are executed as a seamless part of the CI/CD pipeline. As soon as IaC templates are changed in version control systems, InsightCloudSec can automatically scan repositories, identifying vulnerabilities, misconfigurations, and compliance issues. This seamless execution ensures that security checks do not hinder development velocity, allowing teams to maintain their pace while ensuring security.
  • Frictionless risk assessment and remediation: Rapid7’s integration emphasizes ease of use, ensuring that security assessments and remediation steps are as frictionless as possible. Real-time alerts and detailed insights are provided directly within Azure DevOps, enabling teams to quickly understand and address risks without needing to navigate multiple tools. This streamlined approach not only speeds up the response time but also ensures that remediation efforts are effective and aligned with organizational security policies.
  • Improved collaboration between security and DevOps teams: Driving better integration between security tooling and the CI/CD pipeline helps break down the unfortunately all too common "us vs. them" mentality that can exist between development and security teams. By automating repeatable, time-consuming tasks, such as vulnerability scanning and compliance checks, teams can shift their focus away from manual, often reactive efforts, and towards proactive collaboration. This streamlined approach empowers developers to identify and remediate security issues early in the development process without slowing down delivery, while security professionals gain visibility into code changes in real-time. The result is a more cohesive, efficient workflow where both teams work together to address complex, impactful problems, rather than being bogged down by friction and misaligned priorities.

Integration benefits at-a-glance

The integration between Rapid7’s InsightCloudSec and Azure DevOps will help organizations using the Azure ecosystem of tools easily advance their cloud security programs by shifting left, offering organizations the tools they need to effectively safeguard their attack surfaces without slowing down their development processes. By doing so, organizations can proactively address risks before they become significant threats, leading to a more secure and resilient cloud environment.

Automated scans and seamless alerting within Azure DevOps reduce the time it takes to identify and remediate vulnerabilities, helping organizations maintain a rapid development cycle without sacrificing security. The integration also fosters improved collaboration between security and development teams, ensuring that security is a shared responsibility. With clear and actionable insights provided within the same environment developers use daily, security becomes an integral part of the DevOps workflow.

By delivering seamless, frictionless security assessments and remediation steps directly within the CI/CD pipeline, Rapid7 continues to empower organizations to build, deploy, and maintain secure cloud environments with confidence.

As organizations navigate the complexities of cloud security, this integration will be a vital asset in ensuring that their cloud environments remain secure, compliant, and resilient against ever-evolving threats. Be sure to stay tuned for more updates as we continue to invest in driving more seamless integration between security and development processes.


In today’s fast-paced technological landscape, the adoption of Infrastructure as Code (IaC) has revolutionized the way organizations manage and deploy their IT infrastructure. IaC allows teams to define and provision infrastructure through code, enabling automation, scalability, and consistency. However, with the benefits of IaC come unique security challenges, prompting the emergence of Infrastructure as Code scanning as a crucial component of modern DevOps practices.

Understanding Infrastructure as Code (IaC)

Infrastructure as Code represents a paradigm shift from traditional manual infrastructure management to a code-driven approach. Instead of configuring servers and networks manually, infrastructure components such as virtual machines, networks, and storage are defined in code using declarative languages like YAML, JSON, or HCL (HashiCorp Configuration Language). This code, stored in version control systems, can be easily versioned, tested, and deployed, facilitating rapid and reliable infrastructure changes.

The Need for IaC Scanning

While IaC offers numerous benefits, it also introduces new security risks. Misconfigurations or vulnerabilities in infrastructure code can lead to serious security breaches, exposing organizations to data breaches, compliance violations, and financial losses. Traditional security tools and practices designed for monolithic, static infrastructure environments are often inadequate in the dynamic, ephemeral world of IaC.

Infrastructure as Code scanning addresses these challenges by providing automated analysis and validation of infrastructure code for security vulnerabilities, compliance violations, and best practices. By integrating scanning into the DevOps pipeline, organizations can detect and remediate issues early in the development lifecycle, minimizing risks and accelerating time to market.

How Infrastructure as Code Scanning Works

Infrastructure as Code scanning tools analyze code repositories containing infrastructure definitions, such as Terraform configurations, AWS CloudFormation templates, or Kubernetes YAML files. These tools parse the code, identifying potential security issues based on predefined rulesets, industry standards (such as CIS benchmarks), and best practices.

Key features of Infrastructure as Code scanning tools include:

1. Static Analysis: Tools perform static analysis of infrastructure code to identify security vulnerabilities, such as overly permissive security group rules, exposed sensitive data, or lack of encryption.

2. Policy Enforcement: Organizations can define custom policies or leverage preconfigured policy packs to enforce compliance with regulatory requirements (e.g., GDPR, HIPAA) and security best practices.

3. Integration with CI/CD Pipelines: Scanning tools seamlessly integrate with CI/CD pipelines, enabling automated scanning of infrastructure code as part of the development workflow. Issues detected during scanning can trigger build failures or alerts, prompting developers to address them promptly.

4. Continuous Monitoring: Infrastructure as Code scanning is not a one-time activity but rather a continuous process. Tools monitor code repositories for changes, automatically re-scanning updated code to ensure ongoing security and compliance.
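As an added example (not InsightCloudSec's or any vendor's code), the following Python script shows the static-analysis step in miniature: it parses a constructed CloudFormation JSON template, applies rules for the three issue classes named above (world-open security group ingress, missing encryption, a literal secret in a property) and returns a pass/fail result that a pipeline step could act on. The resource names, rule ids and severity levels are assumptions.

```python
"""Minimal IaC static analysis over a CloudFormation template (JSON)."""
import json
import re

# Constructed sample template with one deliberately weak resource per rule.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "app-logs"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres",
        "StorageEncrypted": False,
        "MasterUserPassword": "Sup3rSecretPassw0rd!"}},
}})

ADMIN_PORTS = {22, 3389}          # SSH / RDP should never be open to the world
WORLD = {"0.0.0.0/0", "::/0"}
SECRET_KEY_RE = re.compile(r"password|secret|token|apikey", re.IGNORECASE)


def _finding(resource, rule_id, severity, message):
    return {"resource": resource, "rule_id": rule_id,
            "severity": severity, "message": message}


def check_security_group(name, props):
    """Flag ingress from any address on an admin port, or on every port."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        all_ports = rule.get("IpProtocol") == "-1" or (lo, hi) == (0, 65535)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(_finding(name, "SG-001", "high",
                                f"ingress from {cidr} on ports {lo}-{hi}"))
    return out


def check_s3_bucket(name, props):
    """Flag a bucket with no server-side encryption block."""
    if "BucketEncryption" not in props:
        return [_finding(name, "S3-001", "medium", "no BucketEncryption configured")]
    return []


def check_rds_instance(name, props):
    """Flag database storage that is not encrypted at rest."""
    if props.get("StorageEncrypted") is not True:
        return [_finding(name, "RDS-001", "high", "StorageEncrypted is not true")]
    return []


def check_literal_secrets(name, props):
    """Flag secret-looking properties that hold a literal string, not a Ref."""
    return [_finding(name, "SEC-001", "critical", f"literal value in {key!r}")
            for key, val in props.items()
            if SECRET_KEY_RE.search(key) and isinstance(val, str)]


TYPE_CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
}


def scan_template(text):
    """Parse a CloudFormation JSON template and return every finding."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        check = TYPE_CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, props))
        findings.extend(check_literal_secrets(name, props))  # applies to all types
    return findings


def gate(findings, fail_on=("critical", "high")):
    """True when the template may proceed to the next pipeline stage."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = scan_template(SAMPLE_TEMPLATE)
    for f in found:
        print(f"[{f['severity']}] {f['rule_id']} {f['resource']}: {f['message']}")
    print("PASS" if gate(found) else "FAIL")
```

Run against the sample template it reports four findings (one per weak setting; the HTTPS rule is left alone) and the gate returns FAIL, which is what a CI step would use to block the merge.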

Benefits of Infrastructure as Code Scanning

1. Early Detection and Remediation: By detecting security issues early in the development lifecycle, organizations can address them before deployment, reducing the likelihood of costly security breaches in production environments.

2. Consistency and Compliance: IaC scanning promotes consistency and adherence to compliance requirements across infrastructure deployments by enforcing standardized security policies and configurations.

3. Cost Savings: Proactively identifying and fixing security vulnerabilities during development saves organizations the substantial costs associated with security incidents, regulatory fines, and reputational damage.

4. Streamlined Audits and Reporting: Infrastructure as Code scanning generates comprehensive reports detailing security findings and compliance status, facilitating audits and demonstrating adherence to regulatory requirements.

Conclusion

As organizations embrace Infrastructure as Code to drive agility and innovation, ensuring the security of their cloud infrastructure becomes paramount. Infrastructure as Code scanning plays a pivotal role in enhancing security posture by identifying and mitigating risks associated with misconfigurations and vulnerabilities in infrastructure code. By integrating scanning into the DevOps pipeline, organizations can achieve greater visibility, control, and confidence in their cloud deployments, ultimately enabling them to deliver secure and resilient applications at scale.

The post Demystifying Infrastructure as Code (IaC) Scanning: Enhancing Security in DevOps appeared first on Cybersecurity Insiders.

As digital transformation continues to reshape the business landscape, it surfaces a new set of cybersecurity challenges. In a recent interview, Kaus Phaltankar, CEO and co-founder of Caveonix, shared his insights on the rising cybersecurity threats and how AI technologies are instrumental in addressing them.

The Paradigm Shift in Cybersecurity Challenges

Digital transformation, while beneficial, has exposed organizations to sophisticated threats like ransomware, such as the recent attacks on MOVEit file transfer platform. Kaus emphasizes that these threats necessitate an evolved defense mechanism. “The traditional ways of dealing with cybersecurity threats are no longer adequate. We need proactive, continuous, and holistic approaches to deal with this evolving landscape,” says Phaltankar.

Comprehensive Approach to Compliance Automation

Today’s businesses grapple with the complexities of regulatory compliance in hybrid cloud environments. Kaus acknowledges this and highlights how Caveonix incorporates over 2,000 built-in customizable security controls, ensuring alignment with an array of industry and regulatory frameworks including NIST, PCI, and HIPAA. “Our platform facilitates a comprehensive and application-centric approach to IT governance, ensuring continuous compliance,” he adds.

The Role of AI-Driven Insights

Kaus credits AI as the game-changer in today’s cybersecurity landscape. AI-driven insights not only detect risks but prioritize remediations based on their potential impact. “We can prioritize the top 20% of security or compliance mitigations to create an 80% impact on overall risk, maximizing resource efficiency,” he elaborates.

Hybrid Cloud Visibility and Security

As organizations increasingly embrace hybrid cloud environments, there’s a need for solutions providing seamless visibility across diverse tech stacks. “Our platform offers a unified view of inventory, security, and compliance postures, in real-time, across various public and private cloud providers,” says Phaltankar.

Shift-Left: Early Security Integration

A shift-left strategy—integrating security into the development phase—is fundamental to proactive security management. Caveonix’s Neural-Insight AI engine exemplifies this approach by securing the entire DevOps cycle. “By integrating AI into the DevOps cycle, we’re ensuring secure code deployment and significantly mitigating security risks,” Kaus asserts. “By adopting proactive measures, automating compliance, leveraging AI-driven insights, and integrating security early in the development cycle, organizations can effectively protect their digital assets against evolving cybersecurity threats.”

As Phaltankar concluded, “Whether you’re at an evolving or advanced stage in your digital transformation journey, we’ve got your back.” It’s clear that Caveonix is here to make hybrid cloud security and compliance as streamlined and effective as possible.

With ransomware threats looming large and digital transformation becoming inevitable, the future of cybersecurity lies in comprehensive platforms like Caveonix that offer holistic, AI-driven, and application-centric solutions.

The post Securing the Digital Frontier: How Caveonix Empowers Cyber Defense appeared first on Cybersecurity Insiders.

Integrating Cloud Security With DevOps and CI/CD Tools

This is the latest post in our blog series on shifting left in cloud security. In our last post, we kicked off the series with a high-level overview about Rapid7’s approach to shifting cloud security into the application development lifecycle. For this post, we’ll dive into a key aspect of our approach: integrating cloud security with developer and DevOps tooling.

Incentivizing adoption by reducing friction

When integrating security into any part of the development lifecycle there are some important factors to consider, including the security tools you’ll integrate, the processes you’ll ask developers to follow, and how aggressively you intend to enforce certain policies. When making these decisions, it’s important to consider the goals of adopting DevOps practices and infrastructure as code (IaC) respectively: to improve the velocity of application development and delivery, and to empower development teams to provision cloud infrastructure resources on a self-service basis.  

Infusing security into these goals requires guardrails and routine checks to make sure the need for speed doesn’t create vulnerabilities or potentially exploitable misconfigurations. For IaC development, this is accomplished by having individual developers scan templates and plans as early as possible, and at key points in the CI/CD pipeline, before they’re considered for use in staging or production deployment. This is much easier said than done, as it relies on organizational buy-in, particularly from the developers who are typically laser-focused on bringing new products and features to market as fast as possible with the highest quality possible.

As with anything that relies on multiple teams collaborating in a process, the goal is to make it as easy as possible to adopt and demonstrate tangible value to all involved. Shifting security left into the software development lifecycle (SDLC) via developers and CI/CD tool integrations is a perfect application of this. One common example is allowing developers to execute scans on IaC templates or plans prior to a push or pull request, using a local command-line interface (CLI) tool.

The comfort of the CLI

In this context, a CLI tool lets a developer run IaC security scans from a terminal prompt, an environment that is both familiar and convenient. That familiarity encourages adoption: developers use the CLI rather than engaging with a security product interface or API directly. In late 2021, we released our first CLI tool to initiate IaC scans in InsightCloudSec (ICS): mimics.

mimics has many intended uses that will expand over time, but for now, the primary goals are:

  1. Enabling developers to execute on-demand security scans of their IaC plans and templates with results delivered directly in the CLI, thereby shortening the discovery and feedback loop for security and compliance issues to the point of immediate remediation
  2. Enabling DevOps teams to easily integrate IaC security scans at any point in the CI/CD workflow, thereby standardizing the process and enforcing security compliance checks and remediation as needed before progressing to the next integration or deployment step

In all cases, the mimics CLI simplifies integration and doesn’t require more costly script-based integration with the ICS API. In some cases, unique IaC security capabilities are exclusively available via mimics.

Introducing GitHub Actions integration

InsightCloudSec recently launched a GitHub Action to facilitate a bidirectional integration with our IaC scanning feature. Our goal is to streamline the incorporation of IaC security scans into your cloud application CI/CD process governed by GitHub. If you’re not familiar with GitHub Actions, they allow you to automate, customize, and execute workflow steps, including security and compliance checks. In doing so, users can discover, create, and share Actions with other community members.

A great use of the mimics CLI is to integrate with GitHub using our Action to trigger an ICS IaC scan at defined points in your workflow. Upon completion of the scan, you’ll receive an overall pass/fail result in reply, as well as detailed findings, if any, in SARIF format for display in the GitHub Advanced Security module as security alerts. If you don’t subscribe to the GitHub Advanced Security module, you can still trigger IaC security scans and receive an overall pass/fail result to govern the workflow step, plus a detailed findings report in one of various readable formats.
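To show what the pass/fail result and SARIF findings described above look like in practice, here is an added example (not Rapid7's GitHub Action or the mimics CLI): it converts a constructed list of scan findings into a minimal SARIF 2.1.0 log of the shape GitHub code scanning accepts and derives the exit code that would govern the workflow step. The tool name, rule ids, file path and line numbers are assumptions.

```python
"""Turn IaC scan findings into a SARIF 2.1.0 log plus a pass/fail exit code."""
import json

# Constructed findings, as a scanner might emit them for one template file.
FINDINGS = [
    {"rule_id": "SG-001", "severity": "high", "file": "infra/web.json",
     "line": 14, "message": "ingress from 0.0.0.0/0 on ports 22-22"},
    {"rule_id": "S3-001", "severity": "medium", "file": "infra/web.json",
     "line": 31, "message": "no BucketEncryption configured"},
]

# Scanner severities mapped onto the three SARIF result levels GitHub displays.
LEVELS = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


def to_sarif(findings, tool_name="iac-scan-example"):
    """Build a minimal SARIF 2.1.0 document: one run, one rule per rule id."""
    rules = [{"id": rid, "shortDescription": {"text": rid}}
             for rid in sorted({f["rule_id"] for f in findings})]
    results = [{
        "ruleId": f["rule_id"],
        "level": LEVELS.get(f["severity"], "warning"),
        "message": {"text": f["message"]},
        "properties": {"severity": f["severity"]},   # keep the original grade
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"]}}}],
    } for f in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


def render_sarif(findings):
    """JSON text ready to be written to the file a later upload step reads."""
    return json.dumps(to_sarif(findings), indent=2)


def exit_code(findings, fail_on=("critical", "high")):
    """0 lets the workflow continue; 1 fails the step on a blocking finding."""
    return int(any(f["severity"] in fail_on for f in findings))


if __name__ == "__main__":
    print(render_sarif(FINDINGS))
    raise SystemExit(exit_code(FINDINGS))
```

With the sample findings the high-severity security group rule makes the step fail (exit code 1) while the medium bucket finding is still surfaced as a warning in the SARIF log.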

More DevOps tool integrations on the way

As you can see, Rapid7’s InsightCloudSec is meeting developers and DevOps teams where they are today, and we will keep expanding on that in the near future. We want to make it easier for development teams to integrate security controls. And we aren’t stopping there: we have a deep roadmap of additional integrations coming soon. However, you’re not limited to our formal integrations. The mimics CLI makes custom integrations a snap, and we have examples in our product documentation.

We understand the profound impact shifting security left can have on organizational buy-in, overall team efficiency, and of course, cloud security outcomes. Keep an eye out for upcoming enhancements that will further help you seamlessly integrate security throughout the entire SDLC.

If you’re interested in learning more about how InsightCloudSec helps your team get contextualized insight into your cloud security and risk posture, be sure to check out our bi-weekly demo series Gaining Layered Context in Cloud Security, which goes live every other Wednesday at 1pm EST.



CI/CD is a recommended technique for DevOps teams and a best practice in agile methodology. CI/CD is a method for consistently delivering apps to clients by automating the app development phases. Continuous integration, continuous delivery, and continuous deployment are the key concepts. CI/CD adds continuous automation and monitoring throughout the whole application lifetime, from the […]

The post Everything You Need to Know About CI/CD and Security appeared first on The State of Security.

The rising number of cyber attacks against software applications has emphasized how security must serve as an important factor in software development. More than the traditional Software Development Lifecycle (SDLC) procedures, now security-integrated development lifecycles are being widely adapted. These aren’t the typical security assessments that are performed at the very end of development of […]

The post Top trends in Application Security in 2022 appeared first on The State of Security.

Shift Left: Secure Your Innovation Pipeline

There’s no shortage of buzzwords in the tech world. Some are purely marketing spin. But others are colloquial ways for the industry to talk about complex topics that have a massive impact on how organizations and teams drive innovation and work more efficiently. Here at Rapid7, we believe the “shift left” movement very much falls in the latter category.

Because we see shifting left as so critical to an effective cloud security strategy, we’re kicking off a new blog series covering how organizations can seamlessly incorporate security best practices and technologies into their existing DevOps workflows — and, of course, how InsightCloudSec and the brilliant team here at Rapid7 can help.

What does “shift left” actually mean?

For those who might not be familiar with the term, “shift left” can be used interchangeably with DevOps methodologies. The idea is to “shift” tasks that have typically been performed by centralized and dedicated operations teams earlier in the software development life cycle (SDLC). In the case of security, this means weaving security guardrails and checks into development, fixing problems at the source rather than waiting to do so upon deployment or production.

Historically, security was centered around applying checks and scanning for known vulnerabilities after software was built as part of the test and release processes. While this is an important step in the cycle, there are many instances in which this is too late to begin thinking about the integrity of your software and supporting infrastructure — particularly as organizations adopt DevOps practices, resources are increasingly provisioned declaratively, and the development cycle becomes a more iterative, continuous process.

Our philosophy on shift left

One of the most commonly cited concerns we hear from organizations attempting to shift left is the potential to create a bottleneck in development, as developers need to complete additional steps to clear compliance and security hurdles. This is a crucial consideration, given that accelerating software development and increasing efficiency is often the driving force behind adopting DevOps practices in the first place. Security must catch up to the pace of development, not slow it down.

Shift left is very much about decentralizing security to match the speed and scale of the cloud, and when done poorly, it can erode trust and be viewed as a gating factor to releasing high-quality code. This is what drives Rapid7’s fundamental belief that in order to effectively shift security left, you need to avoid adding friction into the process, and instead embrace the developer experience and meet devs where they are today.

How do you accomplish this? Here are a few core concepts that we here at Rapid7 endorse:

Provide real-time feedback with clear remediation guidance

The main goal of DevOps is to accelerate the pace of software development and improve operating efficiency. In order to accomplish this without compromising quality and security, you must make sure that insights derived from your tooling are actionable and made available to the relevant stakeholders in real time. For instance, if an issue is detected in an IaC template, the developer should be immediately notified and provided with step-by-step guidance on how to fix the issue directly in the template itself.

Establish clear and consistent security and compliance standards

It’s important for an organization to have a clear and consistent definition of what “good” looks like. A well-centered definition of security and compliance controls helps establish a common standard for the entire organization, making measurement of compliance and risk easier to establish and report. Working from a single, centrally managed policy set makes it that much easier to ensure that teams are building compliant workloads from the start, and you can limit the time wasted repeatedly fixing issues after they reach production. A common standard for security that everyone is accountable for also establishes trust with the development community.

Integrate seamlessly with existing tool chains and processes

When adding any tools or additional steps into the development life cycle, it is critically important to integrate them with existing tools and processes to avoid adding friction and creating bottlenecks. This means that your security tools must be compatible with existing CI/CD tools (e.g., GitHub, Jenkins, Puppet, etc.) to make the process of scanning resources and remediating issues seamless, and to enable developers to complete their tasks without ever leaving the tools they are most comfortable working with.

Enable automation by shifting security left

Automation can be a powerful tool for teams managing sprawling and complex cloud environments. Shifting security left with IaC scanning allows you to catch faulty source templates before they’re ever used, allowing teams to leverage automation to deploy their cloud infrastructure resources with the confidence that they will align to organizational security standards.

Shifting cloud security left with IaC scanning

Infrastructure as code (IaC) refers to the ability to provision cloud infrastructure resources declaratively, by writing code in the same development environments used to write the software it is intended to support. IaC is a critical component of shifting left, as it empowers developers to write, test, and release software and infrastructure resources programmatically in a highly integrated process. This is typically done through pre-configured templates based on policies determined by operations teams, making development a shared and reproducible process.

When it comes to IaC security, we’re primarily talking about integrating the process of checking IaC templates to be sure that they won’t result in non-compliant infrastructure. But it shouldn’t stop there. In a perfect world, the IaC scanning tool will not only identify why a given template will be non-compliant but also tell you how to fix it (bonus points if it can fix the problem for you!).

IaC scanning with InsightCloudSec

By this point, it should be clear that we here at Rapid7 strongly believe in incorporating security and compliance as early as possible in the development process, but we know this can be a daunting task. That’s why we built powerful capabilities into the InsightCloudSec platform to make integrating IaC scanning into your development workflows as easy and seamless as possible.

With IaC scanning in InsightCloudSec, your teams can identify and evaluate risk before infrastructure is ever built, stopping non-compliant or misconfigured resources from ever reaching production, and improving efficiency by fixing problems at the source once and for all, rather than repeatedly addressing them at runtime. With out-of-the-box support for popular IaC tools like Terraform and CloudFormation, InsightCloudSec provides teams with a common understanding of what good looks like that is consistent throughout the entire development life cycle.

Shifting security left requires consistency

Consistency is critical when shifting left, because if you’re scanning IaC templates with checks against policies that differ from those being applied in production, there’s a high likelihood that after some — likely short — period of time, those policy sets are going to drift, leading to missed vulnerabilities, misconfigurations, and/or non-compliant workloads. That may not seem like the end of the world, but it creates real problems for communicating issues across teams and increases the risk of inconsistent application of policies. When you lack consistency, it creates confusion among your stakeholders and erodes confidence in the effectiveness of your security program.

To address this, InsightCloudSec applies the same exact set of configuration standards and security policies across your entire CI/CD pipeline and even across your various cloud platforms (if your organization is one of the many that employ a hybrid cloud strategy). That means teams using IaC templates to provision infrastructure resources for their cloud-native applications can be confident they are deploying workloads that are in line with existing compliance and security standards — without having to apply a distinct set of checks, or cross-reference them with those being used in production environments.

Sounds amazing, right?! There’s a whole lot more that InsightCloudSec has to offer cloud security teams that we don’t have time to cover in this post, so follow this link if you’d like to learn more.



The Center for Internet Security’s Critical Security Controls has become an industry standard set of controls for securing the enterprise. Now on version 8, the original 20 controls are down to 18 with several sub-controls added. The first six basic controls can prevent 85 percent of the most common cyber attacks, and even though […]

The post How DevOps and CIS Security Controls Fit Together appeared first on The State of Security.

GitOps is arguably the hottest trend in software development today. It is a new work model that is widely adopted due to its simplicity and the strong benefits it provides for development pipelines in terms of resilience, predictability, and auditability. Another important aspect of GitOps is that it makes security easier, especially in complex cloud […]

The post What Is GitOps and How Will it Impact Digital Forensics? appeared first on The State of Security.