
Tenable Blog


The Role of Open Source in Cloud Security: A Case Study with Terrascan by Tenable

A use case for cloud security using Terrascan by Tenable

Open source software and cloud-native infrastructure are inextricably linked and can play a key role in helping to manage security. Open source security tools like Terrascan by Tenable are easy to scale, cost-effective and benefit from an agile community of contributors. Let’s take a look at how you can implement it today.

From Kubernetes to Argo to Docker to Terraform, the most influential cloud-native innovations are open source. The high velocity and mass adoption of projects like Kubernetes show that in order to keep pace with innovation, the cloud-native community must come together, share best practices, foster collaboration and contribute to next-generation technologies.

Open source and cloud native

The Cloud Native Computing Foundation (CNCF), the largest open-source community in the world and the host of international events like KubeCon + CloudNativeCon and CloudNativeSecurityCon, rallies around the idea that open source and democratizing innovation are the best ways to make cloud-native technologies widely available. As a subset of the Linux Foundation, the CNCF brings together thousands of developers and cloud architects around the world to create and maintain hundreds of cloud-native open source projects.

With cloud infrastructure becoming increasingly complex, open source tools like Terrascan by Tenable can help ensure the code developers write to provision cloud resources is secure and compliant with industry standards. By providing transparency and flexibility, open source software can help organizations customize their security solutions to meet their unique needs and adapt to changing cyberthreats.

Many companies are taking advantage of these benefits. According to Open UK’s “State of Open: The UK in 2021 Phase Three, The Values of Open” report, which surveyed over 273 respondents, the vast majority (89%) are using open source software.

Let’s look at how cloud security might play out using Terrascan by Tenable as an example.

What is Terrascan by Tenable?

Terrascan by Tenable is a static code analyzer that can detect compliance and security violations across infrastructure as code (IaC) to mitigate risks before provisioning cloud-native infrastructure. You can scan many IaC types, including Azure Resource Manager, Kubernetes, Docker and Terraform (hence the name, “Terrascan”).

Because it’s a code analyzer, Terrascan can be integrated into many tools in the development pipeline. When integrated, misconfiguration scanning is automated as part of the commit or build process. It can run on a developer’s laptop, in a source code manager (SCM) such as GitHub, on continuous integration/continuous delivery (CI/CD) servers such as ArgoCD and Jenkins, or in your browser with the Terrascan sandbox. In addition, it has a built-in admission controller for Kubernetes that helps control new resources created on a cluster. With integration into Kubernetes admission controllers, you can prevent insecure resources from entering your Kubernetes environment.

Terrascan provides the foundation for code-scanning and policy enforcement in Tenable Cloud Security, a unified solution for vulnerability management and misconfigurations (CSPM). Terrascan static-code scanning is also integrated into Tenable Nessus, providing comprehensive security across the build lifecycle.

Terrascan by Tenable in action: A case study

To illustrate the benefits of Terrascan, let's consider a hypothetical scenario, based on real-world customer experiences, in which a company is migrating its on-premises infrastructure to the cloud. The DevOps team is using Terraform to automate infrastructure provisioning, but the security team is concerned about potential security issues in the company’s code and the propagation of misconfigurations in runtime. Because of this they have to slow down developers and ensure that all IaC is secure through rigorous manual processes.

Terrascan scans the company’s Terraform code against a set of policies based on industry frameworks, such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and identifies weaknesses in the developers’ code that could allow unauthorized access to port 22 (SSH). By discovering the problem in the code, the security team can require the cloud resource to allow secure shell (SSH) access only from a specific classless inter-domain routing (CIDR) subnet range that complies with their security policies.

As a result, developers are able to remediate the issue before it leaves a developer workstation, gets pushed to a git repository, or is provisioned in the cloud. They’ve saved time and headaches, ensuring that their cloud environment is secure and compliant with industry – and their security team’s – standards.
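To make the case study concrete, here is a small Python model of the port-22 check it describes. This is an added illustration, not Terrascan’s own policy code: Terrascan evaluates OPA/Rego policies over a parsed IaC model, and against a real repository you would simply run `terrascan scan -i terraform -d <dir>`. The script below reproduces the logic of that one rule in plain Python over Terraform’s JSON syntax (`.tf.json`) so it runs offline, and it goes slightly beyond the text by also treating an all-protocols rule (`protocol = "-1"`) and an IPv6 any-address block (`::/0`) as exposure. The security group name, ports and CIDRs are constructed samples; the “hardened” document is the remediated form the security team asked for, SSH only from one admin subnet.

```python
"""Simplified model of the 'SSH open to the world' check from the case study.

Added example, not Terrascan's own policy code. Operates on Terraform JSON
syntax (.tf.json). All resource names and CIDRs are constructed samples.
"""
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _as_list(value):
    # Terraform JSON allows a single block or a list of blocks for "ingress".
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rule_covers_ssh(rule):
    """True if an ingress rule's port range includes TCP/22 (or all protocols)."""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto == "-1":  # AWS: "-1" means every protocol on every port
        return True
    if proto != "tcp":
        return False
    return int(rule.get("from_port", 0)) <= SSH_PORT <= int(rule.get("to_port", 0))


def find_open_ssh(config):
    """Return one finding per security-group ingress rule exposing SSH to any address."""
    findings = []
    groups = config.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        for rule in _as_list(body.get("ingress")):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            exposed = cidrs & {ANY_IPV4, ANY_IPV6}
            if rule_covers_ssh(rule) and exposed:
                findings.append({
                    "resource": f"aws_security_group.{name}",
                    "ports": f"{rule.get('from_port')}-{rule.get('to_port')}",
                    "cidrs": sorted(exposed),
                })
    return findings


def scan(tf_json_text):
    """Parse a .tf.json document and run the check; returns the list of findings."""
    return find_open_ssh(json.loads(tf_json_text))


# Constructed sample: what the DevOps team committed first (SSH from anywhere).
INSECURE_TF_JSON = json.dumps({
    "resource": {"aws_security_group": {"app": {
        "name": "app-sg",
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}],
    }}}
})

# Constructed sample: the remediated version, SSH only from a hypothetical admin subnet.
HARDENED_TF_JSON = json.dumps({
    "resource": {"aws_security_group": {"app": {
        "name": "app-sg",
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["10.20.30.0/24"]}],
    }}}
})


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_TF_JSON), ("hardened", HARDENED_TF_JSON)):
        print(label, scan(doc) or "no findings")
```

Running the script prints one finding for the insecure document and none for the hardened one, which is the workflow the case study describes: the check fails on the developer’s workstation or in CI, the CIDR is narrowed, and the corrected code is what reaches the cloud.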

Terrascan has more than 500 built-in policies. By integrating Terrascan into CI/CD pipelines, developers ensure their code is scanned for security issues at every stage of development. They’re making sure that only secure code makes it into production.

In summary, open source tools like Terrascan are an important part of ensuring security in cloud infrastructure. By standardizing security policies and democratizing access to them, the cloud native community can work together to identify and mitigate potential risks, ultimately creating a more secure cloud environment for everyone.

Help build the future of cloud native security

Want to try Terrascan? You can start by checking out Terrascan Sandbox — get unlimited scans and ensure your code isn’t introducing unnecessary risk into your cloud environments.

If you’re interested in contributing to Terrascan and making IaC security more accessible for people around the world, head to our GitHub page.
