less risky business way to reduce cloud native provisioning issues

Sangam Biradar

Advocacy Manager Tenable

15367

national vulnerability database statistics

Provisioning Layer In Cloud Native

Source :- The Cloud Native Landscape: The Provisioning Layer Explained

cloud misconfiguration is still big security problem ...

OPA - Open Policy Agent

What is Policy ?

policy consist of rules . we may query this policies for making decisions
for programmer perspective its just decisions making statement ex: if-else

What Does OPA Bring on Table?

Source :- Introducing Policy As Code: The Open Policy Agent (OPA)

How Does OPA Work?

fix cloud misconfigurations & other security exposures

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

source :- Top Open Source Kubernetes Security Tools of 2021

Key features

500+ Policies for security best practices
Scanning of Terraform (HCL2)
Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize
Scanning of Dockerfiles
Support for AWS, Azure, GCP, Kubernetes, Dockerfile, and GitHub
Integrates with docker image vulnerability scanning for AWS, Azure, GCP, Harbor container registries.

Demo1 - Secure Terraform Misconfiguration with terrascan

Demo2 - Secure kubernets app

Scan Summary -

        File/Folder         :   /Users/sangam/Documents/GitHub/alldaydevops2021/vul-k0s-helm-docker/kubeyaml
        IaC Type            :   k8s
        Scanned At          :   2021-10-18 08:08:30.920245 +0000 UTC
        Policies Validated  :   41
        Violated Policies   :   27
        Low                 :   9
        Medium              :   14
        High                :   4

Demo3 - Use Terrascan Rego Editor to Write Own Policies