Snyk today announced it has acquired Fugue as part of an effort to embed security within an infrastructure-as-code (IaC) provisioning tool.
The Fugue platform combines a unified policy engine with an implementation of the open source Open Policy Agent (OPA) software, dubbed Regula, to ensure security and compliance policies are consistently enforced. OPA provides IT teams with a tool for declaratively applying policies and is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF).
The Fugue IaC tool also provides pre-deployment security checks for Terraform, AWS CloudFormation, Kubernetes manifests and Dockerfiles. It enables IT teams to create and test custom policies using Rego, the programming language created for OPA. In addition, there are interactive visual maps of IaC templates and the ability to export IaC diagrams that IT teams can use for planning and approval processes.
Josh Stella, the former CEO of Fugue who is now a chief architect for Snyk, said Regula is designed to make it possible to apply those policies to both cloud-native and legacy monolithic applications. Tighter integration with the cloud security posture management (CSPM) tools that Snyk provides will make it possible to provide developers with an instant feedback loop as they provision infrastructure, he added. Armed with that intelligence, it becomes less likely that mistakes will be made and that cybercriminals can take advantage of them, noted Stella.
DevOps teams should also expect to see Fugue integrated with the artificial intelligence capabilities Snyk gained with the acquisition of DeepCode, a provider of an interpretable machine learning semantic code analysis tool that scans code anywhere from 10 to 50 times faster than existing approaches. In total, Snyk has acquired five companies in the last 18 months, including CloudSkiff, FossID, Manifold and DeepCode.
Misconfigurations of IT infrastructure have emerged as a major issue in the cloud era. Developers often have little to no cybersecurity expertise, and using application programming interfaces (APIs) to provision IT infrastructure themselves increases the chance that mistakes will be made. The acquisition of Fugue creates an opportunity to address that issue at a time when the management of infrastructure and applications is converging, said Stella.
The focus on cloud security is also increasing as part of a larger discussion involving software supply chains that are increasingly becoming targets of attack. Cybercriminals are becoming more adept at scanning for vulnerabilities created when developers, for example, inadvertently leave open a port on a cloud service through which data can be exfiltrated.
It’s not clear just how far responsibility for cybersecurity will shift left toward developers in the months and years ahead. However, the more intelligence is incorporated into the tools that developers use, the easier it will become to automate DevSecOps best practices. In fact, the goal should be to make it easier to build more secure applications faster rather than forcing organizations to slow down to deal with security issues that should never have happened in the first place.