Security as Code is the methodology of codifying security and policy decisions. Security testing and scans are implemented into your CI/CD pipeline to automatically and continuously detect vulnerabilities and security bugs. Access policy decisions are codified into source code allowing everyone across the organization to see exactly who has access to what resources.
As businesses moved to the cloud, they adopted microservices-centric architectures and pushed release frequency ever higher. Development and Operations teams began working together in a DevOps model and adopted an Infrastructure as Code (IaC) methodology. In this model, infrastructure is created and managed entirely through code, so resources can be scaled up or down automatically without the friction and toil of manually provisioning and managing fleets of servers, databases, operating systems, containers and the rest of the infrastructure an application depends on. Dev and Ops were no longer separate teams; they built and scaled applications together.
Security as Code builds on the gains of IaC, moving security scanning, testing and policy into code to remove the toil and friction of securing software in an IaC world. Security and policy as code began with ordinary software tests of areas like permission boundaries; those unit and functional tests were Security as Code before the term existed. It was also driven by internal and external red teams and pentesters who wanted to automate as much of their work as possible. Known as DevSecOps or DevOpsSec, this methodology has become the way organizations enable collaboration, agility and security, early and often, across their entire infrastructure.
Benefits of Security as Code
When moving to a Security as Code model, a number of key benefits are realized across the organization. Security as Code tightly couples application development with security management, while allowing your developers to focus on core features and functionality and simplifying configuration and authorization management for security teams. This improves collaboration between Development and Security teams and helps nurture a culture of security across the organization. Security as Code also simplifies and centralizes user and data access, reducing toil and improving visibility into who can reach what.
Access and policy changes can now be tracked, and change requests can be self-service. Each test, scan or policy that is integrated uncovers problems sooner, so they can be addressed before others find them. Dev and Security teams are no longer trying to address issues, from minor to systemic, after a new feature is “code complete”. With the advent of Security as Code libraries, application development can be decoupled from the fraught process of implementing custom authorization to reflect business policies.
Implementation of Security as Code
Security as Code generally comes in three different forms: security testing, vulnerability scanning and access policies.
Security testing extends the standard suite of tests beyond functional and integration testing to security-focused tests. Static analysis for security vulnerabilities can run on each commit or pull request. Permission boundaries can be checked to verify they cannot be crossed. APIs can be tested to ensure they meet authentication and authorization requirements. Security testing meets developers where they already are, giving them immediate feedback on every commit.
Vulnerability scanning at every level of your architecture, across the CI/CD pipeline, can verify that each part of the application and deployment is protected against known vulnerabilities. Source code can be scanned for vulnerable libraries; containers can be scanned for vulnerabilities in individual packages and for adherence to best practices. Test, staging and production environments can be scanned continuously and automatically. Scanning only finds what is already catalogued, so it complements rather than replaces the security tests above, and a dependency that is not pinned to an exact version cannot be checked reliably at all.
User and data access policies codify governance decisions that can then be reviewed by anyone in the organization. These policies can be standardized, reducing the toil of constantly monitoring and maintaining one-off requests. Security teams work from a central repository, directly with developers, to monitor and review authorization, allowing the entire company to move faster without breaking core security and compliance requirements.
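To make the "scan source for vulnerable libraries" step concrete, here is an added example of a minimal dependency scan that a CI job could run as a gate. It is illustration code written for this article, not Cyral's tooling. The package names, versions and advisory identifiers (`examplelib`, `EXAMPLE-2024-0001`, and so on) are hypothetical and constructed for the example; a real pipeline would pull advisories from a feed such as OSV or the GitHub Advisory Database instead of an embedded list.

```python
"""Dependency scan of a requirements manifest, run as a CI gate.

Added example, not Cyral's tooling. Package names, versions and advisory
identifiers below are hypothetical and constructed for illustration.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


# Constructed advisory list with made-up identifiers and package names.
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "examplelib", "1.0.0", "1.5.0"),
    Advisory("EXAMPLE-2024-0002", "fastparse", "0.8.0", "0.9.0"),
]

# Constructed manifest in requirements.txt syntax (hypothetical packages).
MANIFEST = """\
# constructed sample manifest
examplelib==1.4.2
fastparse==0.9.0
safepkg==3.0.0
flaskish>=2.0
-r other-requirements.txt
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only: "1.4.2" -> (1, 4, 2). Pre-release tags are out of scope."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return exact '==' pins (name -> version) and the entries that are not pinned."""
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blanks, comments, pip options
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pins, unpinned


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(manifest: str, advisories: List[Advisory] = ADVISORIES) -> List[str]:
    """Findings in a stable order: affected pins first, then unpinned entries."""
    pins, unpinned = parse_manifest(manifest)
    findings: List[str] = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append(f"{adv.package}=={version}: {adv.advisory_id}, fixed in {adv.fixed}")
    for entry in unpinned:
        findings.append(f"{entry}: not pinned to an exact version, cannot be verified")
    return findings


def gate(findings: List[str]) -> int:
    """Exit status for the pipeline step: any finding fails the build."""
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(scan(MANIFEST)))
```

Two design points worth noting: the version on the boundary (`fastparse==0.9.0`, exactly the fixed version) is correctly reported clean, and an unpinned entry is reported as a finding in its own right, because a scanner cannot vouch for a range it cannot resolve.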
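The two forms described above, permission-boundary tests that run on every commit and access policies kept as reviewable code, fit together naturally, so here is one added example that shows both: the policy is plain data in the repository, a small evaluator enforces it with default deny and deny-overrides-allow, and the test functions are the security tests a CI job would run. This is illustration code written for this article, not Cyral's product. The roles, datasets and the user-to-role mapping are constructed; in practice the mapping would come from the identity provider.

```python
"""Access policy as code, with the permission-boundary tests that run in CI.

Added example, not Cyral's product code. Roles, datasets and users below
are constructed for illustration; a real deployment would load the policy
from the repository and the user-role mapping from the identity provider.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Rule:
    effect: str              # "allow" or "deny"
    role: str
    dataset: str             # glob pattern, e.g. "sales.*"
    actions: FrozenSet[str]  # e.g. {"read", "export"}


# The policy is data in the repo: every change arrives as a reviewed pull request.
POLICY: List[Rule] = [
    Rule("allow", "analyst", "sales.*", frozenset({"read"})),
    Rule("deny", "analyst", "sales.customers_pii", frozenset({"read"})),
    Rule("allow", "finance", "sales.orders", frozenset({"read", "export"})),
    Rule("allow", "dba", "*", frozenset({"read", "write", "export"})),
]

# Constructed user-to-role mapping (stands in for the identity provider).
USERS: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob": {"finance"},
    "carol": {"dba"},
}

# Constructed inventory of concrete datasets, used to expand glob patterns in reports.
DATASETS = ["sales.orders", "sales.customers_pii", "hr.salaries"]
ACTIONS = ["read", "write", "export"]


def allowed(user: str, action: str, dataset: str,
            policy: List[Rule] = POLICY, users: Dict[str, Set[str]] = USERS) -> bool:
    """Default deny; any matching deny rule wins over any matching allow rule."""
    roles = users.get(user, set())
    matching = [r for r in policy
                if r.role in roles and action in r.actions and fnmatchcase(dataset, r.dataset)]
    if any(r.effect == "deny" for r in matching):
        return False
    return any(r.effect == "allow" for r in matching)


def access_report(policy: List[Rule] = POLICY, users: Dict[str, Set[str]] = USERS,
                  datasets: List[str] = DATASETS) -> Dict[str, Dict[str, List[str]]]:
    """Who can do what to each dataset: the 'see exactly who has access' view."""
    return {
        ds: {act: sorted(u for u in users if allowed(u, act, ds, policy, users)) for act in ACTIONS}
        for ds in datasets
    }


# Permission-boundary tests: these run in CI on every commit that touches POLICY.
def test_analyst_is_read_only():
    assert allowed("alice", "read", "sales.orders")
    assert not allowed("alice", "write", "sales.orders")
    assert not allowed("alice", "export", "sales.orders")


def test_explicit_deny_beats_wildcard_allow():
    assert not allowed("alice", "read", "sales.customers_pii")


def test_unknown_user_gets_default_deny():
    assert not allowed("mallory", "read", "sales.orders")


def test_finance_cannot_cross_into_hr():
    assert not allowed("bob", "read", "hr.salaries")


def test_report_shows_exact_grants():
    report = access_report()
    assert report["sales.orders"]["export"] == ["bob", "carol"]
    assert report["sales.customers_pii"]["read"] == ["carol"]
    assert report["hr.salaries"]["write"] == ["carol"]


if __name__ == "__main__":
    for name, fn in sorted(globals().items()):
        if name.startswith("test_") and callable(fn):
            fn()
            print("ok", name)
```

The file runs under pytest as-is, or stand-alone via the `__main__` block. Because the policy and its tests live side by side, a pull request that widens an analyst's access fails `test_analyst_is_read_only` before a reviewer ever reads the diff, and `access_report()` gives the plain "who has access to what" listing the opening paragraph calls for.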
Bringing it to your organization with Cyral
The principles of Security as Code and API-first have been at the core of design and development at Cyral. We have embraced cloud-first, everything-as-code and API-first design to meet our customers where they are. Our commitment to Security as Code starts with building a security product that is developer friendly. We have designed our product to fit naturally into existing development workflows. Our application can be deployed as part of your testing, staging and production environments to enhance tracing and security at each step of the way. To learn how Cyral can help your organization make this critical transformation, sign up for a demo. You can also read our white paper.