Infrastructure-as-Code​

Any person or organization that needs known-good computing environments for development, testing, deployment, or other purposes may use IaC. Additionally, any person or organization relying on cloud hosting is an ideal candidate for IaC thanks to the degree to which its techniques are well-suited to such environments.

• IaC makes it far simpler to create and manage known-good computing environments, whether working with on-premise resources, co-located resources, or cloud resources.
• IaC automates environment creation and management, making it much faster to stand up a single machine/VM/container or many such “nodes” at once.
• IaC technologies that “orchestrate” said processes manage the often-tricky details of standing up multiple nodes of different types that are essential to a working overall system, e.g., a load balancing node in front of a number of “web farm” nodes, all relying connected to a database node, etc.
• These and other factors make IaC an ideal technology for provisioning computing environments for developers, test labs, sales demonstrations, free trials, production systems, etc.

• Users must take care to ensure their scripts and images are from a trusted source. A single provisioning script or VM/container image from an unscrupulous source may expose all connected resources to attack.
• Users must be mindful of using sensitive data within IaC scripts and images as a single leak could have major consequences. For example, if a database containing sensitive customer data gets leaked, the company responsible will likely suffer substantial legal, financial, and brand damages. 

• Keep all resources on separate virtual networks to limit access.
• Follow typical best practices for compartmentalizing permissions and managing passwords and other access tokens.
• Perform real-time scans within the IDE as developers or cloud-ops code up the cloud infrastructure.
• Gate the cloud deployment in the last stage of the CI/CD pipeline.

Synopsys offers a tandem solution to IaC challenges: CodeSight™ SE, along with Coverity® SAST, both powered by our Rapid Scan Static for IaC scanning.

CodeSight SE helps developers write better code by alerting them to issues in source code, open source dependencies, API calls, cryptography, IaC, and more.

Rapid Scan is a fast, lightweight static analysis engine that can be used to scan web and mobile applications, microservices, and IaC configurations. Rapid Scan runs automatically, without additional configuration, with every Coverity scan and can also be run as part of full CI builds with conventional scan completion times. Rapid Scan can also be deployed as a standalone scan engine in Code Sight or via the command line interface, as well as in automated build pipelines.