© 2023 Prancer, Inc.


The Evolution of IaC – Part 1

October 7, 2020

Historically, in the software development life cycle (SDLC), once code was written, it had to be manually deployed to physical servers. As you can imagine, this process was both time consuming and fraught with complications. Oftentimes, a single script was used to establish dependency libraries, setup load balancers and complete other necessary tasks. Also preparing the server to host the code was a daunting task. As a result, only a few people would be capable of understanding all the moving parts and be able to make changes, launch updates and problem solve. A server could be down for hours while a single operations engineer tried to sort through all the different variables to find the source of the problem.

The SDLC Waterfall Approach

Beginning in the 1990s, software development experts tried to improve the SDLC process by relying on a waterfall approach. With this strategy, developers, QA engineers and system administrators each had a specific role to play in the development process. If a problem arose with the code, the admin would have to assign the task to the developers. The fix would then have to be tested by the QA team before finally being sent back to the system admin for deployment.

At that time, the Software Development Life cycle (SDLC) was focused on the application layer code. Preparing the servers and deploying the applications to the server was another skill. This added another separate area of expertise that also had the potential to introduce bottlenecks.

In theory, this approach provided logical steps for troubleshooting. However, development doesn’t occur in a linear pattern and it didn’t take long for new releases to throw significant wrenches in the process. In addition, it was all too easy for different teams to blame problems on each other, further complicating communication and collaboration. Now add security concerns to the mix and you have a truly inefficient and static software development approach.

By the early 2000s, companies had developed a more agile approach to software development. They recognized the importance of employees with cross functionalities and collaboration among teams. However, it still wasn’t a perfect system and it was easy for projects to be delayed if communication fell apart. Clearly, there was still significant room for improvement.

Cloud Computing

The introduction of cloud computing with the emergence of Amazon Web Services and the beta version of the Google App Engine significantly changed the software development life cycle. Cloud computing allowed users to experience on demand tools and resources that didn’t have to be actively managed or stored on site. Virtualization also paved the way for further automation. Suddenly, more users were able to take full advantage of technologies without having to rely on an expert or become one themselves. This new level of accessibility allowed for collaboration and innovation.

When cloud providers became more mature and provided API access to their backend services, companies also started releasing infrastructure as code tools. These helped to further support virtual machines and app services and move away from physical hardware that would have to be manually configured and maintained. This not only helped business cut costs, but also accelerated the software development life cycle while also working to eliminate errors and identify security vulnerabilities.
Static Code Analysis
At the same time, it became clear that microservices were necessary in order to effectively organize software development. Essentially, this means that an application and its services are split into smaller components that can then be deployed independently. Instead of bundling services, microservices provide a more agile approach that can better handle many different moving parts. This new mode of organization and deployment also required a full stack team approach where the task boundaries are more fluid and team members can contribute along the entire SDLC pipeline. A full stack team is able to work to avoid clogs in the pipeline that can result when different people are solely responsible for specific tasks.

Eventually, the idea of DevOps emerged as a new way to significantly accelerate efficiency while also prioritizing security. In this new model, Software Development Life Cycle (SDLC) is not just about the application layer. With the advancement of cloud provider companies, infrastructure is part of the SDLC as part of one unified pipeline; both the infrastructure and application can be deployed to the cloud.

Collaboration is at the heart of DevOps. Instead of having each team tightly bound within a certain role, everyone is involved in all aspects of the DevOps process. System admins have the ability to write scripts, QA engineers can move beyond simply testing and so forth. This fosters better understanding among teams while increasing productivity.

DevOps also allows enterprises to move security to the forefront. It is no longer simply tacked onto the end of the process after loopholes have already been created and written into the software. Integrating security into DevOps also helps support the CI/CD pipeline. Enterprises don’t have to deal with the same bottlenecks that previously slowed innovation.

Static Code Analysis

Static code analysis is another key aspect that has contributed to the security of the DevOps model. In the past, developers would have to design and run a program before they could manually go through the debugging process. With static code analysis, code can be automatically checked against a set of rules during the creation process. This significantly accelerates the debugging process and catches problems early on when they are easier and less expensive to fix. Static code analysis is also able to provide a more in-depth look at the code and accurately pinpoint problems.

In addition, static code analysis allows security to “shift to the left.” Essentially, this means that security and compliance issues are addressed as early in the development process as possible. This translates into a better and more agile approach to security that is capable of identifying emerging threats, making automatic fixes and sending alerts when suspicious activity is detected.

Static code analysis for the application layer is here to stay and there are lots of vendors providing automated tools to conduct static code analysis on application layer codes. But since Infrastructure and Application are being deployed to the target cloud environment with one pipeline, it is crucial to have the static code analysis for the IaC pipeline as well. This ensures the infrastructure, which is being deployed to the cloud, will be secure and provide early feedback to the infrastructure developer concerning any potential security problems.

While static code analysis on IaC has proven to be an effective tool, it is still a new concept to many companies. Most businesses still rely on the Pull Request (PR) approval process to catch a security misconfiguration. However, this is prone to the errors and the unsecure infrastructure could be deployed to the cloud, which makes a huge risk for companies who are after zero touch deployments.

Prancer cloud validation framework is a pre-deployment validation engine that can conduct static code analysis on your IaC. It can easily be integrated to your current pipeline and toolset. Prancer supports native Azure ARM templates, Amazon AWS CloudFormation templates and Google Deployment templates. Prancer also supports Terraform for all major cloud providers for static code analysis.

IaC development teams leverage the power of git to contribute to the code. Usually the process is to create a feature branch out of the master branch, make the changes, check the code and raise the Pull Request. Prancer validation framework can be integrated to any CI tool to evaluate the code at this stage and make sure it is compliant. All the predefined policies are available in a centralized git repository. With just a few clicks you can make sure the malicious code does not find its way into your environment. You don’t need to have an active credential to the target environment to conduct the static code analysis on your IaC templates. For example, consider a scenario where an IaC developer is writing code for the production environment and they want to get early feedback on the code before starting the CI process. They can utilize the power of prancer validation framework to make sure the IaC is secure and solid before starting the deployment process.

As you can see, IaC has gone through tremendous changes in just the past few decades. Virtualization and automation are making the SDLC more agile and accessible to all parties involved while also making security a part of the development process and not just an afterthought. This has allowed companies to innovate at an unprecedented pace and makes the future of IaC and SDLC look brighter than ever.

To learn more about IaC, cloud computing and security and compliance, contact the experts at prancer.