Removing AWS Policy Review Fatigue with Automated Terraform Resource Analysis - Muhammad Ahmed


Injecting static analysis at an early stage of your Infrastructure-as-Code (IaC) pipeline brings many benefits.
We show you how to do it for AWS policy control.

Yelp performs automated Terraform resource analysis as a natural, highly ergonomic step in our GitHub workflow.
It reduces reviewer fatigue within security and improves developer productivity across the company. Previously, Yelp's security team was a required reviewer on every IaC PR that created AWS resources.
In the worst case, a security engineer misses a vulnerability during PR review and insecure resources are deployed.

Now we use the static analysis tool Regula together with the Terraform PR automation tool Atlantis.
When developers open an IaC PR, the Terraform resource changes are scanned and any security misconfigurations found in the PR are reported back to the developer without a manual security review.
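To make concrete what "scanning the Terraform resource changes" means for AWS policy control, here is an added example (not Yelp's code and not a Regula rule, which would be written in Rego): a Python checker that reads the JSON form of a Terraform plan (`terraform show -json tfplan`), walks `resource_changes`, and flags IAM policy resources whose statements grant wildcard actions. The plan document, the resource addresses and the rule names are constructed for the example. It also handles two cases a reviewer hits in practice: a policy body that is only known at apply time (listed under `after_unknown`, not `after`), and destroyed resources, which grant nothing and are skipped.

```python
"""Flag over-broad IAM grants in a Terraform plan JSON.
Added example; not Yelp's or Regula's code. Sample plan is constructed."""
import json
import sys

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the checker reads. Addresses and policy bodies are invented.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {   # new customer-managed policy that smuggles in an admin statement
            "address": "aws_iam_policy.ci_deploy",
            "type": "aws_iam_policy",
            "change": {"actions": ["create"], "after": {
                "name": "ci-deploy",
                "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                     "Resource": "arn:aws:s3:::ci-artifacts/*"},
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
        },
        {   # inline role policy: service-wide wildcard on every resource
            "address": "aws_iam_role_policy.metrics",
            "type": "aws_iam_role_policy",
            "change": {"actions": ["update"], "after": {
                "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"}]})}},
        },
        {   # policy body computed at apply time, so it is absent from `after`
            "address": "aws_iam_user_policy.lambda_ci",
            "type": "aws_iam_user_policy",
            "change": {"actions": ["create"], "after": {"name": "lambda-ci"},
                       "after_unknown": {"policy": True}},
        },
        {   # deletion: nothing new is granted, nothing to check
            "address": "aws_iam_policy.legacy",
            "type": "aws_iam_policy",
            "change": {"actions": ["delete"], "after": None},
        },
        {   # unrelated resource type, skipped
            "address": "aws_s3_bucket.artifacts",
            "type": "aws_s3_bucket",
            "change": {"actions": ["create"], "after": {"bucket": "ci-artifacts"}},
        },
    ],
}

# Terraform resource types whose `policy` attribute is an IAM policy document.
POLICY_RESOURCE_TYPES = {"aws_iam_policy", "aws_iam_role_policy",
                         "aws_iam_user_policy", "aws_iam_group_policy"}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_findings(stmt):
    """Reasons one Allow statement is too broad (empty list if it is fine)."""
    if stmt.get("Effect") != "Allow":
        return []
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    reasons = []
    if "*" in actions:
        reasons.append("Action '*' grants every API call")
    elif "*" in resources and any(a.endswith(":*") for a in actions):
        reasons.append("service-wide wildcard action on Resource '*'")
    if "NotAction" in stmt or "NotResource" in stmt:
        reasons.append("NotAction/NotResource allow-lists need manual review")
    return reasons


def scan_plan(plan):
    """Walk resource_changes and return one finding dict per problem found."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in POLICY_RESOURCE_TYPES:
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # destroy: no new grant
            continue
        address = rc["address"]
        if "policy" not in after:  # computed value lives under after_unknown
            findings.append({"address": address, "statement": None,
                             "reason": "policy unknown at plan time; cannot be checked statically"})
            continue
        raw = after["policy"]
        try:
            doc = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError as exc:
            findings.append({"address": address, "statement": None,
                             "reason": f"policy is not valid JSON: {exc}"})
            continue
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            for reason in statement_findings(stmt):
                findings.append({"address": address, "statement": idx, "reason": reason})
    return findings


def main(argv):
    """Print findings and return a non-zero exit code if any exist."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = scan_plan(plan)
    for f in findings:
        where = f["address"] if f["statement"] is None else f"{f['address']} statement[{f['statement']}]"
        print(f"FAIL {where}: {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample (three findings, exit code 1), or pass a path to a real plan JSON. The non-zero exit code is what makes a check like this useful in a PR pipeline: Atlantis runs the plan step, a post-plan step converts the plan file to JSON and runs the scanner, and a failing exit status surfaces the findings on the PR. The "unknown at plan time" finding is deliberate: a policy built from a data source or a computed value cannot be judged statically, and silently passing it is how wildcard grants slip through.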
This shifts security left: we catch misconfigurations during code review, and the security team is no longer the bottleneck.

Muhammad Ahmed - Software Engineer - Infrastructure Security at Yelp

Hello, my name is Muhammad and I have been working at Yelp in the Infrastructure Security department for a little over a year. Before Yelp I had an internship at the Department of National Defence Canada, where I worked on software related to network security. My professional experience is entirely in information security. The project proposed for this talk relates to cloud security, which is the main domain I have worked on during my time at Yelp.

DevSecCon is brought to you by Snyk - snyk.io

Source: rutube.ru
