This document discusses a webinar about integrating infrastructure as code (IaC) security into the development lifecycle using Checkov. It notes that nearly half of open source Terraform and CloudFormation templates contain security issues. Checkov is introduced as an open source IaC scanning tool that supports multiple frameworks and cloud providers. The benefits of Checkov include lower remediation times, reduced security incidents, and simplifying compliance. Integrations with DevOps tools and the Cloud Native Application Platform Approach (CNAPP) are also discussed. A demo of Checkov is then shown including using it with VS Code and Azure DevOps.

1. CNCF Live
Webinar:
Cloud native
DevOps
security
Sebastian Straube
Cloud Solutions Architect | ALPS Lead Prisma Cloud
sstraube@paloaltonetworks.com
Prisma Cloud
Cloud Native
Application Protection
Simon Melotte
Cloud Solutions Architect
smelotte@paloaltonetworks.com

2. Nearly 1 in 2 open-source Terraform
modules contain misconfigurations
Security check is enabled by default?
Nearly half of open-source
CloudFormation templates were insecure
Source: Bridgecrew research scanning Terraform Registry and Unit 42 scanning GitHub
Open source allows for great scalability, but we question the default security. Half of scanned OS templates we found
in public*1
are not secure, based on our research.
*1
incl. Terraform Registry and Github Open Source code.

3. What is Checkov?
● Checkov by Bridgecrew is an open-source static analysis tool and policy-as-code
engine for infrastructure as code (IaC).
● Pre-built with hundreds of policies that cover security and compliance best practices
across AWS, Azure, Google Cloud, and Kubernetes.
● With over 2M downloads to date, Checkov is the most popular IaC scanner on the
market,
● Native scanning support for Terraform, CloudFormation, Kubernetes manifests, Azure
Resource Manager, and more.
● Checkov is written in Python and is fully extensible to fit into any developer workflow
● provide a simple and flexible tool for enforcing codified, version-controlled policies.

4. Wait for it….
Demo
https://github.com/bridgecrewio/checkov

5. Have you checked every corner in your SDLifecycle?
Find cloud infrastructure
Misconfigurations and security errors
● Powered by open source & community
● Both build-time and run-time
Fix issues in code, with code in Dev and
Prod
● Merge-ready pull requests
● Transform cloud misconfigs into secure
code and detect drift
Prevent Vulnerabilities and Compliance
issues from being deployed in Prod and
any Stage
● Enforce policy-as-code across all config
● Streamlined into developer workflows

6. The next big challenge: “Shift-Left” DevSecOps security
1
Misconfigured or
vulnerable code
Security
Run-Time
100s
of deployments
Developers DevOps
Build Deploy
Issues To Fix
1,000s
of security alerts
Turns
Into
Turns
Into
1x
Cost to fix a bug
found during coding
5x
Cost to fix a bug
found during testing
20x
Cost to fix a bug
found in production
Uncaught Uncaught

7. How it works
Fix & Prevent
IDE extension, block PRs and builds
Configuration assurance
AWS, Azure, Google Cloud, Kubernetes
IaC scanning
Terraform, CloudFormation, Azure Resource Manager, etc.
Monitor & Remediate
Automated remediations
Bridgecrew
platform
Dashboards Compliance reports Policy engine Notifications
Code & Commit Build & Test Deploy & Operate

8. How do we integrate?
Integrations
Infrastructure as
code frameworks
Cloud providers

9. Benefits of automated IaC security
Lower time to
remediation
Decrease high severity
events
Simplify compliance
Minimize the attack
surface
Reduced Nr. groups and roles by
xx%
Reduced non-compliant
resources by xx%
Reduced high severity incidents
in production by xx%
Reduced time to fix
misconfigurations by xx%

10. What requirements IaC security should include?
Infrastructure as code (IaC) security
Integrate IaC scanning with actionable feedback, PR fixes, and
CI/CD guardrails for improved posture before deployment
Drift detection
Automate finding and fixing drift between code and cloud
to benefit from GitOps best practices
Secrets scanning
Prevent exposing passwords, API keys, and other secrets
from ever making it into public repositories
Least privilege IAM
Reduce the attack surface with cloud IAM converted to
code and audited for least privilege

11. Box Ticker Upstream vs. Downstream
IaC scanning ✓ ✓
Cloud and workload scanning - ✓
Security-as-code fixes - ✓
Runtime remediations - ✓
CI/CD integration
Requires
customization
✓
Notifications
Requires
customization
✓
Custom policies
Requires
customization
✓
Graph queries ✓ ✓
Dashboards - ✓
Compliance reporting - ✓
Drift Detection - ✓

12. Cloud Native Application Platform Approach
(CNAPP)
Source: https://www.esecurityplanet.com/networks/cybersecurity-mesh-decentralized-identity-emerging-security-technology/

13. Cloud Native Application Platform Approach
(CNAPP)
CNAPP enables IT leader:
1. Laser Focus on Shift-Left
2. Optimizing App Deployment time by integrating Security in
DevOps processes (DevSecOps)
3. Reduce Application Down-Time for Break-Fix procedure
4. Reduce security alerts and false-positives in SOC
5. Increase DevSecOps Team agility and App resilience.
6. Enables integrated and centralized management interfaces
and dashboards
7. Consolidate Tool Landscape and Licensing Model

14. Demo
Let’s DO IT

15. $ pip3 install checkov
$ checkov -l
$ checkov -f Dockerfile
$ checkov -d .
$ checkov -f Dockerfile --skip-check
CKV_DOCKER_*

16. ● Checkov: VS Code Extension
● Azure Devops
○ Validation
■ Scan external modules
■ Scan Terraform templates
■ Publish JUnit tests results
○ Plan
■ Verify terraform plan with Checkov
○ Approve
○ Apply
● Bonus
○ Github Actions

17. Thank you for joining our Webinar
and your attention.
Do you have any Questions?

18. Thank you
paloaltonetworks.com