Soluble Fusion performs security assessments of Terraform and CloudFormation in development so that you can identify and fix cloud security issues prior to deployment.
Soluble Fusion integrates with your Git hosting provider (GitHub, GitLab, etc.) to automatically perform these security assessments. As commits are pushed and pull requests are opened, Soluble Fusion receives webhooks from your Git provider and schedules security assessments.
The results of those assessments are posted back to your Git hosting provider's pull-request mechanism so that everyone committing code has clear and actionable feedback on the problems that are introduced.
The widespread adoption of declarative infrastructure with Terraform, CloudFormation, and Kubernetes has created a new opportunity for configuration issues to enter cloud environments.
Infrastructure-as-Code (IaC) has replaced "ClickOps" as the dominant method for infrastructure management. While this is a uniformly positive step forward in modern software delivery, it has created a few complications.
Console is Obvious, IaC Not So Much
Configuration choices are very obvious in the console. It is hard to miss encryption at rest settings in the AWS console.
By contrast, when authoring Terraform or CloudFormation, you are often looking at a blank editor. No options are presented to you. As a result, it is very easy to miss critical configuration settings.
Automated checking and fast feedback is required.
Reviewing Terraform and CloudFormation manually is much more difficult than reviewing application code.
If code review is done at all, few people enjoy it.
The result is predictable: LGTM, even if the proposed change is...not good.
Code review needs to be automated.
Other Assessment Capabilities
Although infrastructure-as-code is our primary focus, we are expanding our capabilities into related areas as well. If it can be assessed in a CI environment, we are working on automating it.
Container Image Scanning
Using Trivy, Fusion enables you to scan container images and report the results to our SaaS platform.
Using a combination of expressions that match common secret formats (AWS security keys, etc.), contextual checks, and checks for Shannon entropy, the platform will identify and report on secrets that may have been mistakenly committed to source control.
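As an added example (not Soluble Fusion's own code), here is a minimal Python secret scanner that combines the three kinds of check just described: a regular expression for a known secret format, a contextual keyword check on credential-looking assignments, and a Shannon entropy cut-off that filters out low-entropy placeholder values. The keyword list, the entropy threshold and the sample input are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Hypothetical scanner, not Soluble Fusion's code. Patterns and the
# entropy threshold are assumptions chosen for this illustration.

# Known-format check: AWS access key IDs are "AKIA" plus 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Contextual check: an assignment whose variable name suggests a credential.
CONTEXT_RE = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return (reason, matched_value) findings for one line of source text."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append(("aws-access-key-id", m.group(1)))
    for m in CONTEXT_RE.finditer(line):
        value = m.group(2)
        # Contextual hit alone is not enough: require the value to look random,
        # so placeholders such as "changeme_changeme" are not reported.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy-credential", value))
    return findings


def scan(text: str) -> list:
    """Scan a whole file body; returns (line_number, reason, matched_value) tuples."""
    return [(n, reason, value)
            for n, line in enumerate(text.splitlines(), 1)
            for reason, value in scan_line(line)]


# Constructed sample input using AWS's published documentation example values
# (not live credentials) plus a low-entropy placeholder and a harmless setting.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "changeme_changeme_changeme"
region = us-east-1
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running the block reports the access key ID on line 1 and the secret access key on line 2, while the placeholder password on line 3 is suppressed by the entropy check.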
App Dependency Checks
We support application dependency checks for the following:
- Python - using Trivy
- Java - using OWASP Dependency-Check
We are in the process of adding support for integrating commercial component analysis tools as well.
Enough Talk. Let's get started.