2020 was a year that lasted, if not close to a decade, then long enough that we’ve lost track of how long it’s been. We don’t think anyone could have predicted what 2020 would look like in January but we’re almost done with it. Despite all of the negative things that have transpired, there has been innovation in the security as code space. IT leadership and security vendors are increasingly taking their message directly to developers, empowering them directly to test, find and fix issues even before these issues can make it to dedicated security teams. We, for one, are overjoyed at this, as we also believe that integrating directly into CI / CD and developer workflows is how we start to make security truly effective.
What follows is our lucky 7 list of favorite Security as Code tools—tools that have seen strong adoption in the companies we work with—plus one bonus tool we’re really optimistic about. They range from major CNCF / open source projects to commercial offerings, and they cover everything from Policy as Code to innovative infrastructure testing to automated dynamic application testing and even a major foray into Zero Trust.
So, in no particular order, here is a proposed list of Security as Code tools that your team should consider using in 2021:
- Open Policy Agent (OPA) by Styra
  - This policy as code framework debuted in late 2016, joined the CNCF in early 2018, and showed Styra to be a leading innovator in this space. Today the project is awaiting the final vote count that would confirm its move to CNCF Graduated status; the votes are still trickling in.
  - The OPA project also grew by adding the awesome Conftest project to its portfolio of CNCF policy as code offerings. Conftest can integrate directly into your CI/CD pipeline, bringing robust testing to your configuration as code.
  - Why we like it: It’s plug-and-play, with a standard policy engine that integrates with your existing tools or ones you are building yourself.
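An added example, not from the original post or the OPA project itself, of what policy as code looks like in practice: a Conftest policy written in Rego that a CI step runs against a Kubernetes Deployment manifest before it is applied. The trusted registry name is an assumption.

```rego
# Added example (not the project's own code): Conftest evaluates rules in
# package "main"; each matching deny rule yields a failure message and a
# non-zero exit code, which is what fails the CI job.
package main

# Hypothetical allow-list of registries this organisation trusts.
trusted_registries := {"registry.example.internal"}

# Collect every container in the pod template, init containers included.
containers[c] {
  c := input.spec.template.spec.containers[_]
}
containers[c] {
  c := input.spec.template.spec.initContainers[_]
}

# Pods must not run as root.
deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := sprintf("Deployment %q must set securityContext.runAsNonRoot: true", [input.metadata.name])
}

# No privileged containers.
deny[msg] {
  input.kind == "Deployment"
  c := containers[_]
  c.securityContext.privileged == true
  msg := sprintf("container %q in Deployment %q must not run privileged", [c.name, input.metadata.name])
}

# Mutable ":latest" tags make deployments non-reproducible (an untagged
# image also resolves to latest; this example only checks the explicit tag).
deny[msg] {
  input.kind == "Deployment"
  c := containers[_]
  endswith(c.image, ":latest")
  msg := sprintf("container %q uses a mutable ':latest' tag", [c.name])
}

# Images must come from a trusted registry.
deny[msg] {
  input.kind == "Deployment"
  c := containers[_]
  not image_from_trusted_registry(c.image)
  msg := sprintf("container %q pulls from an untrusted registry: %s", [c.name, c.image])
}

image_from_trusted_registry(image) {
  some r
  trusted_registries[r]
  startswith(image, sprintf("%s/", [r]))
}
```

In the pipeline, `conftest test deployment.yaml -p policy/` runs the policy against the manifest; any deny result fails the job.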
- Checkov by Bridgecrew
  - Checkov is a Python-based, open source infrastructure as code scanner announced by Bridgecrew in the before times of January 2020. From the beginning, Checkov was designed to run pre-commit and as part of your CI / CD pipeline.
  - Checkov now supports 150+ out-of-the-box checks and can scan everything from Helm to Terraform to CloudFormation to serverless frameworks and more.
  - Why we like it: Out-of-the-box templates for infrastructure scanning.
- HashiCorp Sentinel
  - HashiCorp’s Sentinel is the granddaddy of the tools listed here, having been first announced in 2017, about six months before OPA’s acceptance as a CNCF sandbox project. Sentinel provides policy as code so that whenever an organization deploys to the cloud, the deployment adheres to its security rules.
  - HashiCorp Sentinel is still available only as an add-on to HashiCorp’s enterprise offerings, but it’s a must if you’re already on the enterprise edition.
  - Why we like it: They’ve had it for over three years and it is still one of the few true frameworks in the security-as-code space.
- StackHawk
  - Led by Joni Klippert, StackHawk offers a test-driven method of security for DevOps teams—tackling the problem of antiquated security testing methods that often leave modern-day applications vulnerable and exposed to risk until too late in the production cycle.
  - Not to mention, this female-founded, Denver-based company closed a $10M Series A funding round in October.
  - Why we like it: They’re now offering a free developer plan to get started.
- Semgrep by r2c
  - For many, running static analysis has become expensive, CPU intensive and cumbersome, to say the least. r2c recognized this and decided to offer an alternative: a lightweight, offline tool that lets you squash whole classes of bugs with powerful, precise rules, putting developers in control.
  - r2c raised a Series A in late October and brought on Clint Gibler of tl;dr sec fame to raise awareness of the project. TL;DR, check out Semgrep today if you haven’t already.
  - Why we like it: A lightweight static analysis tool that lets us harness the power of grep.
- Snyk
  - Following a ton of major product innovations and two massive 2020 fundraising rounds, taking it through a Series D, we don’t think Snyk is sneaking up on anyone anymore.
  - With its ability to scan code, containers, and deployment frameworks for vulnerabilities, Snyk has established itself across the entire pipeline, from open source to license management to infrastructure code scanning to containers and more. Its tools now empower 1.5 million developers to build and deploy code and infrastructure securely.
  - Why we like it: With this year’s infrastructure-as-code scanning feature, Snyk can now be used across the whole pipeline.
- GitHub’s Dependabot
  - Dependabot began as a standalone project, joined GitHub at the beginning of 2019, and immediately helped thousands automatically keep their dependencies up to date.
  - In June, GitHub announced the latest Dependabot features, enabling not just security updates but regular version updates for all packages. Dependabot comes free with your use of GitHub, so if you’re already there, turn it on and automate your dependency management in 2021, if you haven’t already.
  - Why we like it: It’s GitHub – c’mon!
- HashiCorp Boundary
  - Our bonus tool for 2021, Boundary was only announced in October this year. If ever there was a year to announce a VPN-free remote access solution, this was the year to do it.
  - 2020 brought us the double whammy of everyone working remotely and multiple high-profile VPN products being pwned. Remote, mobile workforces require exciting, innovative solutions, and we expect nothing less than that from HashiCorp.
  - Why we’re optimistic: This is a great step forward for zero trust architecture!
And of course, if you want to bring a Security as Code approach to your Data Cloud, don’t forget to check out our product! We hope that you have a great 2021, full of many terrific releases, fewer bugs, and no security incidents!