The Role of Open Source in Cloud Security: A Case Study with Terrascan by Tenable
Open source software and cloud-native infrastructure are inextricably linked and can play a key role in helping to manage security. Open source security tools like Terrascan by Tenable are easy to scale, cost-effective and benefit from an agile community of contributors. Let’s take a look at how you can implement it today.
From Kubernetes to Argo to Docker to Terraform, the most influential cloud-native innovations are open source. The high velocity and mass adoption of projects like Kubernetes show that in order to keep pace with innovation, the cloud-native community must come together, share best practices, foster collaboration and contribute to next-generation technologies.
Open source and cloud native
The Cloud Native Computing Foundation (CNCF), the largest open-source community in the world and the host of international events like KubeCon + CloudNativeCon and CloudNativeSecurityCon, rallies around the idea that open source and democratized innovation are the best ways to make cloud-native technologies widely available. As part of the Linux Foundation, the CNCF brings together thousands of developers and cloud architects around the world to create and maintain hundreds of cloud-native open source projects.
With cloud infrastructure becoming increasingly complex, open source tools like Terrascan by Tenable can help ensure the code developers write to provision cloud resources is secure and compliant with industry standards. By providing transparency and flexibility, open source software can help organizations customize their security solutions to meet their unique needs and adapt to changing cyberthreats.
Many companies are taking advantage of these benefits. According to Open UK’s “State of Open: The UK in 2021, Phase Three: The Values of Open” report, which surveyed over 273 respondents, the vast majority (89%) are using open source software.
Let’s look at how cloud security might play out using Terrascan by Tenable as an example.
What is Terrascan by Tenable?
Terrascan by Tenable is a static code analyzer that can detect compliance and security violations across infrastructure as code (IaC) to mitigate risks before provisioning cloud-native infrastructure. You can scan many IaC types, including Azure Resource Manager, Kubernetes, Docker and Terraform (hence the name, “Terrascan”).
Because it’s a code analyzer, Terrascan can be integrated into many tools in the development pipeline. When integrated, misconfiguration scanning is automated as part of the commit or build process. It can run on a developer’s laptop, in a source code management (SCM) system (e.g. GitHub), on continuous integration/continuous delivery (CI/CD) servers (e.g. ArgoCD and Jenkins), or in your browser with the Terrascan sandbox. It also has a built-in admission controller for Kubernetes, which helps control new resources created on a cluster: by integrating Terrascan into Kubernetes admission control, you can prevent insecure resources from entering your Kubernetes environment.
Terrascan provides the foundation for code scanning and policy enforcement in Tenable Cloud Security, a unified solution for vulnerability management and cloud security posture management (CSPM). Terrascan static-code scanning is also integrated into Tenable Nessus, providing comprehensive security across the build lifecycle.
Terrascan by Tenable in action: A case study
To illustrate the benefits of Terrascan, let's consider a hypothetical scenario, based on real-world customer experiences, in which a company is migrating its on-premises infrastructure to the cloud. The DevOps team is using Terraform to automate infrastructure provisioning, but the security team is concerned about potential security issues in the company’s code and the propagation of misconfigurations into runtime. Because of this, the security team has to slow developers down and ensure that all IaC is secure through rigorous manual review.
Terrascan scans the company’s Terraform code against a set of policies based on industry frameworks, such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and identifies weaknesses in the developers’ code that could allow unauthorized access to port 22 (SSH). By discovering the problem in the code, the security team can require the cloud resource to allow SSH access only from a specific subnet, expressed as a classless inter-domain routing (CIDR) range, that complies with their security policies.
As a result, developers are able to remediate the issue before it leaves a developer workstation, gets pushed to a git repository, or is provisioned in the cloud. They’ve saved time and headaches, ensuring that their cloud environment is secure and compliant with industry – and their security team’s – standards.
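The case study above in concrete form, as an added example that is not code from the Tenable post or from the Terrascan project: an AWS security group written two ways, the misconfiguration Terrascan would flag (SSH open to the whole internet) beside the corrected version that limits SSH to an approved subnet. The resource names, the vpc_id variable and the 10.20.0.0/24 admin CIDR are assumed values chosen for illustration.

```hcl
# Added example (not from the Tenable post or the Terrascan project).
# Resource names, var.vpc_id and the 10.20.0.0/24 CIDR are assumed.

# Before: SSH (TCP/22) reachable from any IPv4 address. This is the kind of
# unrestricted ingress the case study describes and that Terrascan's AWS
# policies flag when the directory is scanned.
resource "aws_security_group" "bastion_open" {
  name        = "bastion-open"
  description = "Misconfigured: SSH open to the world"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from anywhere (flagged by policy)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# After: SSH only from the subnet the security team has approved, passed in
# as a variable so the allowed CIDR is reviewed in one place.
resource "aws_security_group" "bastion_restricted" {
  name        = "bastion-restricted"
  description = "SSH limited to the approved admin subnet"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from the approved admin subnet"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
}

variable "vpc_id" {
  type = string
}

# Assumed value: replace with the subnet your security policy allows.
variable "admin_cidr" {
  type    = string
  default = "10.20.0.0/24"
}
```

With both resources in one directory, `terrascan scan -i terraform -t aws -d .` reports a violation against the open security group and exits with a non-zero status (Terrascan uses exit code 3 for policy violations), which is what lets a CI/CD job or a pre-commit hook stop the change before it is pushed or applied; once the open resource is removed or corrected, the same scan returns clean.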
Terrascan has more than 500 built-in policies. By integrating Terrascan into CI/CD pipelines, developers ensure their code is scanned for security issues at every stage of development, so that only secure code makes it into production.
In summary, open source tools like Terrascan are an important part of ensuring security in cloud infrastructure. By standardizing security policies and democratizing access to them, the cloud native community can work together to identify and mitigate potential risks, ultimately creating a more secure cloud environment for everyone.
Help build the future of cloud native security
Want to try Terrascan? You can start by checking out Terrascan Sandbox — get unlimited scans and ensure your code isn’t introducing unnecessary risk into your cloud environments.
If you’re interested in contributing to Terrascan and making IaC security more accessible for people around the world, head to our GitHub page.