Ermetic Enhances Security Platform
December 15, 2022

Ermetic announced new capabilities that enable customers to detect, prevent and remediate security risks in Infrastructure as Code (IaC) deployments both pre- and post-deployment.

As part of Ermetic’s comprehensive Cloud Native Application Protection Platform (CNAPP), IaC scanning enables organizations to discover and fix misconfigurations, compliance violations and risky or excessive privileges at runtime by generating code snippets that can be integrated with CI/CD workflows.

IaC has revolutionized cloud infrastructure provisioning with tools that allow developers to generate reusable code that automates initial set-up/configuration, deployment and ongoing maintenance of servers, networking, software and applications. While IaC provides major scalability advancements in how organizations deploy cloud infrastructure, it can inadvertently introduce security risks stemming from human error and/or security policy and best practices violations.

Managing security for IaC also poses unique challenges since the complexity of detecting misconfigurations dramatically increases in multicloud environments. Meanwhile, performing manual reviews of IaC configurations is expensive, error-prone and time-consuming for large-scale projects. Finally, security and DevOps teams often rely on different tools, which creates visibility gaps and blind spots.

“It’s critical to eliminate security flaws as early as possible - ideally, before deployment. But finding and fixing misconfigurations in Infrastructure as Code is extremely complicated and time consuming,” said Sivan Krigsman, CPO at Ermetic. “Ermetic enables security and DevOps to check for and detect security errors at every stage of the development cycle and provides clear information on how to fix them.”

To automate the management of security across the full lifecycle of IaC environments, the Ermetic CNAPP provides the following capabilities:

- Misconfiguration & Compliance Violations: Ermetic enables developers to scan and detect misconfigurations and other risks in IaC to harden cloud infrastructure environments as part of the CI/CD pipeline. By embedding comprehensive cloud security checks and surfacing findings directly in native development tools including Jenkins, BitBucket, CircleCI, GitHub and GitLab, developers can deliver code efficiently and securely.

- Shift Security Left: Ermetic streamlines security throughout the software development lifecycle by embedding security into DevOps workflow tools such as Terraform and CloudFormation. By combining context and risk prioritization, developers can quickly evaluate critical security and compliance risk against industry-standard benchmarks or custom policies and course-correct as needed.

- Built-In Remediation: Ermetic integrates fixes into existing workflows via guided remediation-as-code and auto-assigns alerts delivered through ticketing systems including Jira and ServiceNow. It also supports source code repositories for adding comments and suggested fixes to pull requests.

- Compliance Benchmarks: With its agentless approach, the Ermetic platform allows teams to maintain automated compliance against industry standard regulations and benchmarks like PCI-DSS, CIS Benchmarks, SOC 2, PSD2, GDPR, NIST, HIPAA, and more, as well as custom frameworks. Ermetic enables audit and compliance teams to detect gaps in policy guardrails, minimizing the risk of compliance failures.

- Full Lifecycle Security: The Ermetic CNAPP provides continuous discovery across infrastructure, workloads, data and applications, from development to deployment, surfacing, visualizing and prioritizing security and compliance risks at scale, and providing actionable remediation integrated into CI/CD pipelines.
