The new feature identifies configuration errors before deployment of cloud resources, bringing security controls forward during the development phase
Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of highly innovative cloud-based IT security and compliance solutions, announced the addition of Infrastructure as Code (IaC) scanning functionality to its CloudView app to identify and correct configuration errors early in software development and prevent them from spreading to the production environment.
As highlighted in the 2021 Cloud Security Report by (ISC)², the main threat that security managers dealing with public clouds must combat is resource misconfiguration. Because such errors often emerge only after implementation, companies find themselves with an expanded attack surface and greater vulnerability to exploits. Increasingly, companies are choosing the IaC approach for deploying cloud applications and provisioning cloud infrastructure because it allows security controls to be brought forward to the development phase, where configuration errors can be identified and corrected in the IaC templates. Detecting security issues early in the development cycle accelerates and secures application delivery and promotes collaboration between DevOps and security teams. More importantly, it means more effective security policies are applied in the production environment.
“Security and risk managers who manage cloud infrastructures must make it easier for developers by designing fail-safe environments by integrating intelligent protection tools with controlled provisioning procedures (such as IaC scanning) that allow early identification of risks and flag insecure workloads before their deployment.” Gartner®, Cool Vendors™ in Cloud Security Posture Management, Tom Croll, Neil MacDonald, Mark Wah, Prateek Bhajanka, 9 June 2021.
Qualys CloudView provides complete visibility and control over public cloud workloads, and now also analyzes IaC templates for configuration errors. IaC assessments integrated into the software development cycle allow you to deploy only code that complies with your company's security standards. The Qualys Cloud Platform ensures complete visibility by comparing runtime and build-time configurations and highlighting any differences or changes in a single dashboard.
The new features allow companies to:
Evaluate security posture along the entire CI/CD pipeline
Companies can assess security posture early in the development cycle, dramatically reducing post-implementation vulnerabilities. The CloudView IaC Security command line interface makes it possible to evaluate security locally. Deployments can also be gated when configuration errors are detected, and plugins are available for the repositories used for source code check-in and for CI/CD platforms.
Adhere to security best practices
With CloudView IaC Security, companies can more easily adopt security best practices promoted by cloud platform providers. CloudView IaC Security supports popular IaC languages such as Terraform, CloudFormation (CF) and Azure Resource Manager (ARM) and checks configurations against thousands of security best practices suggested by Amazon Web Services, Azure, Google Cloud Platform and regulatory bodies such as the Center for Internet Security. Additionally, CloudView automatically suggests remediation options if non-compliant configurations are detected.
Ensure compliance with industry regulations
With CloudView IaC Security, companies can ensure compliance with more than 20 industry regulations such as PCI, HIPAA and NIST 800-53, reducing the burden on DevOps and security teams and streamlining mandatory compliance checks.
“By adding IaC assessment to CloudView, Qualys enriches its cloud security management (CSPM) solution making it suitable also for cases where it is necessary to advance security controls to the development phase,” said Sumedh Thakar, President and CEO of Qualys. “With the Qualys Cloud Platform and integrated apps, customers can integrate security automation throughout the various phases of the application lifecycle by gaining complete visibility into their run-time and build-time configuration and viewing the results in a centralized dashboard.”
Availability
Qualys CloudView with IaC Security functionality is in beta and will be available later this year. Those interested in participating in the beta program need to register at qualys.com/iac-security-beta. For more information, read the IaC Security blog.






