Qualys CloudView includes Infrastructure as Code for early risk detection

News Desk -


Qualys, Inc. has announced it is adding Infrastructure as Code (IaC) scanning to its CloudView app. This will enable detection and remediation of misconfigurations early in the development cycle, removing risk in the production environment.

“Security and risk management leaders managing cloud infrastructure security should create safe-to-fail environments to facilitate developer innovation by integrating intelligent security tooling with delivery pipelines (such as infrastructure-as-code [IaC] scanning) to identify risks early and alert on unsafe workloads before they are deployed.” Gartner, Cool Vendor in Cloud Security Posture Management, Tom Croll, Neil MacDonald, Mark Wah, Prateek Bhajanka, June 9, 2021.

“With the addition of IaC assessment to CloudView, Qualys is extending its cloud security posture management (CSPM) solution to handle shift-left use cases,” said Sumedh Thakar, president and CEO of Qualys.

He added, “Leveraging the Qualys Cloud Platform and its integrated apps, customers can now insert security automation into all stages of their application lifecycle, ensuring complete visibility into both runtime and build-time posture via a unified dashboard.”

As noted in the (ISC)² 2021 Cloud Security Report, the biggest threat security professionals see in public clouds is the misconfiguration of resources. Misconfigurations are often detected post-deployment, leaving companies with a much larger attack surface and more vulnerable to exploits. Increasingly, organizations are using IaC to deploy cloud-native applications and provision their cloud infrastructure. Thus, it’s important to shift security left to identify and remediate misconfigurations at the IaC template stage. Detecting security issues earlier in the development cycle accelerates secure application delivery and fosters greater collaboration between DevOps and security teams. More importantly, it enforces better security policies in the production environment.

Qualys CloudView now checks IaC templates for misconfigurations, allowing total visibility and security control of public cloud workloads. IaC evaluations are built into the software development process to ensure that only code that complies with the organization’s security criteria is released. The Qualys Cloud Platform approach provides total visibility by combining runtime and build-time postures, as well as the drift between them, into a unified view.

The new capabilities enable organizations to:

Assess security posture throughout the CI/CD pipeline

Organizations may now examine their security posture early in the development cycle, significantly lowering post-deployment security risk. CloudView IaC Security provides a command-line interface for performing a security evaluation locally. Plug-ins for source code repositories at check-in and CI/CD platforms are also available to gate deployment if misconfigurations are identified.

Adhere to security best practices

CloudView IaC Security makes it simple for businesses to follow cloud platform provider-recommended security policies. Terraform, CloudFormation (CF), and Azure Resource Manager (ARM) are just a few of the prominent IaC languages supported by CloudView IaC Security. It also compares configurations to tens of thousands of security best practices recommended by Amazon Web Services, Microsoft Azure, Google Cloud Platform, and other organizations such as the Center for Internet Security. When a non-compliant configuration is found, CloudView automatically presents remediation options.

Ensure compliance with industry mandates

Using CloudView IaC Security, organizations can ensure compliance with more than 20 industry mandates such as PCI, HIPAA, and NIST 800-53. This reduces the burden on the DevOps security teams and ensures a streamlined process during mandatory compliance audits.

