Cloud security company Fugue has developed a tool, Regula, to help developers check their cloud infrastructure configurations before they deploy them. The intent is good, but relying on Regula alone has a downside.
We have long discussed that threat actors change their tactics on a regular basis. They have to if they want to keep up their activities: as businesses and manufacturers discover and patch vulnerabilities, including the ones attackers have already exploited, bad actors have to keep finding new ways in. Digital transformation is a hot topic right now, and many businesses are in some stage of moving to the cloud, which means threat actors have had to learn to work in the cloud as well. They have, and they will continue to. The most common way they get in is through a misconfiguration, including misconfigurations in the infrastructure itself. A new tool called Regula, an open-source project for infrastructure-as-code security, was announced at the end of June.
Fugue, a cloud security company, announced Regula 1.0 on June 29. The open-source repository ships with prebuilt rule libraries that validate configurations for the big three cloud providers: AWS, Microsoft Azure and Google Cloud. From DevOps.com:
“Regula is based on the Open Policy Agent (OPA) software being advanced under the auspices of the Cloud Native Computing Foundation (CNCF) and is compatible with both Terraform and AWS CloudFormation tools for configuring cloud infrastructure.
Developers can also build custom rules on top of OPA using libraries that Fugue created for the Rego programming language that is part of the OPA specification. Regula supports output formats such as JUnit, Test Anything Protocol (TAP) and JSON to make it easier to integrate Regula with other tools and frameworks that make up a DevOps workflow. Input formats supported include Terraform HCL, Terraform plan JSON, AWS CloudFormation and Serverless Application Model templates.”
There is more information on that site about what else the tool can do, or you can read the Fugue announcement on their website. The tool is designed to simplify securing infrastructure-as-code because many misconfigurations are honest mistakes by developers. The idea is to flag those mistakes in the Terraform or CloudFormation files while they are still code, before the infrastructure is actually deployed.
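To make the custom-rule capability described above concrete, here is an added example of what a rule looks like. This is not code from the article or from Fugue's own rule library; it is written in the "simple rule" shape that Regula 1.0 documented, where a rule declares one `resource_type` and Regula evaluates its `allow` rule once per matching resource, with that resource's attributes exposed as `input`. The package name, the exact attribute name (`acl`, taken from the Terraform `aws_s3_bucket` resource) and the CLI invocation in the comments are assumptions to check against the Regula README for your version.

```rego
# Added example (not Fugue's code): a custom Regula simple rule that fails
# any S3 bucket declared with a canned ACL that grants public access.
#
# Assumed evaluation model: for a simple rule, Regula sets `input` to one
# resource of the declared `resource_type` at a time and treats the resource
# as passing only if `allow` evaluates to true.
package rules.s3_bucket_no_public_acl

resource_type = "aws_s3_bucket"

# AWS canned ACLs that make objects readable (or writable) by anyone.
public_acls = {"public-read", "public-read-write"}

# Fail closed: a bucket passes only if one of the allow bodies below holds.
default allow = false

# Allowed when an ACL is set and it is not one of the public ones.
allow {
  input.acl
  not public_acls[input.acl]
}

# Allowed when no ACL is set at all; AWS defaults a new bucket to private.
allow {
  not input.acl
}

# Constructed Terraform input this rule would reject:
#   resource "aws_s3_bucket" "logs" { acl = "public-read" }
# and input it would accept:
#   resource "aws_s3_bucket" "logs" { acl = "private" }
#   resource "aws_s3_bucket" "logs" { }
#
# Assumed invocation (check `regula run --help` for the flag in your version):
#   regula run --include rules/ main.tf
```

The point of writing the rule with `default allow = false` is that an unexpected attribute shape produces a failure rather than a silent pass. That is also the limit of the approach: a bucket made public through a separate `aws_s3_bucket_policy` resource is invisible to this rule, because it only ever sees one `aws_s3_bucket` at a time. Someone still has to know that gap exists and write a rule for it.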
According to PurpleSec, cybercrime rose 600% during the COVID-19 pandemic. Even with people returning to the office, the rate of attacks and breaches is not going to drop. If anything, threat actors are more emboldened than ever because, right now, they are winning. Regula can be a great way for a developer to double-check their work, but relying on it entirely is a bad idea.
When developers treat a scanner as the final word, they look less closely at the code they are writing and are more likely to miss an error themselves. A rule library also only catches the misconfigurations someone has written a rule for; anything outside that set comes back as a clean pass. And if developers trust the tool to do all of the heavy lifting on security, they may stop keeping that knowledge current, which leads to even more misses when their outdated patterns are reused and no one, human or tool, catches them.
One thing is for sure: there needs to be a better and simpler way to secure cloud environments. Developers should be doing everything they can to learn more about the cloud so they can write infrastructure code securely. Businesses should be bringing in experts for full code reviews and for a second set of eyes on their security controls. Regula is meant to be helpful, but at the end of the day it is a tool programmed by humans, and its rules only check for the mistakes its authors thought to look for.