Organizations are moving to cloud native application development to increase productivity and enable faster innovation. To do this, they are embracing infrastructure as code (IaC) – including Terraform and CloudFormation – to configure infrastructure deployed to the cloud. Soluble automates IaC security and compliance processes so organizations can safely and efficiently scale their use of IaC for faster development cycles.
What problem are you trying to solve?
As organizations scale their modern software development, they typically have multiple development teams using IaC. As more developers assume responsibility for defining cloud infrastructure, the risk of security misconfigurations being deployed to production has increased. Misconfigurations are difficult to detect in the code without specialized expertise. It is easy to miss omissions that could turn into serious issues – such as open S3 buckets and missing encryption-at-rest.
When you think about modern software development with continuous integration/continuous deployment (CI/CD), testing is an important part of the process to ensure quality and security of application code. Developers are religious about test automation in CI because the ROI on test automation is almost always positive. It’s common to lack the time or resources to actually implement the automated testing, but the ROI is rarely questionable.
But this testing isn’t happening for IaC, or if it is happening, it depends on the experience of team members, or it is done inconsistently across teams.
Organizations may use cloud configuration posture management (CSPM) tools to detect misconfigurations and violations once infrastructure has been provisioned. But those tools are typically run by cloud security teams who are quite a distance from the teams authoring the IaC and managing cloud resources. If the development teams don’t receive fast feedback on their changes, problems that are detected typically land in a security backlog that can take days, weeks or even months to resolve.
Configuration mistakes deployed to the cloud are also difficult to fix once they are in place. Services like databases, storage, and network configuration can be extremely expensive to reconfigure after the fact. Even the simplest of settings, such as TLS or database encryption-at-rest, can take weeks or months to fix if they are allowed to be deployed before the problems are detected and fixed.
How are you solving that problem?
Soluble iacbot automates IaC testing and policy control in CI, giving organizations the operational control to safely scale their use of IaC. This way, incorrect or out-of-policy IaC can’t be merged or deployed.
iacbot is simple to connect and use. It connects directly to GitHub and GitLab through their respective marketplaces, or from the “Get Started” button on our company homepage at https://get.soluble.cloud.
Users simply choose the repositories to connect, and iacbot analyzes Terraform, CloudFormation and Kubernetes manifests for security configuration problems.
Within minutes, iacbot provides a dashboard of prioritized findings. Findings are updated for each code commit and daily if there are no changes. iacbot provides repository-specific views aligned with the team making changes. iacbot also helps organizations define policies to test against to enforce industry best practices for IaC.
iacbot provides clear summaries for each finding, with guidelines on how to resolve issues, including links that take users directly to the line of source code that generated the finding so it can be fixed quickly.
Most importantly, iacbot delivers the findings directly to pull requests where they cannot be missed by the IaC authors. Developers want to see IaC violations just as they would expect to see CI test results. No development team wants to switch context from their normal workflow and use a separate tool for security testing.
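The kind of check described above, shown here as an added example that is not Soluble's or iacbot's code: a small Python script that scans a CloudFormation template for the S3 problems the interview mentions (public buckets, missing encryption-at-rest) and exits non-zero when it finds any, which is how a CI job blocks a merge. The template is constructed inline and contains one misconfigured bucket beside one hardened bucket; the property names are real CloudFormation properties, while the severity labels and finding messages are assumptions chosen for the example.

```python
"""Added example: a minimal IaC security check over a CloudFormation template.
Not Soluble's or iacbot's code; the template below is constructed for the demo."""
import json
import sys

# Constructed sample template: LogsBucket is misconfigured, DataBucket is hardened,
# and AppFunction shows that non-bucket resources are skipped.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
                    ]
                },
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "AppFunction": {"Type": "AWS::Lambda::Function", "Properties": {}},
    },
})

# Canned ACLs that grant read or write to everyone (or to any AWS account).
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# All four settings must be true for a bucket to block public access fully.
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")


def check_bucket(logical_id, props):
    """Return (resource, severity, message) findings for one AWS::S3::Bucket.
    Severity labels are an assumption made for this example."""
    findings = []
    sse = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration")
    if not sse:
        findings.append((logical_id, "HIGH",
                         "no default server-side encryption configured"))
    acl = props.get("AccessControl")
    if acl in PUBLIC_ACLS:
        findings.append((logical_id, "CRITICAL", f"public canned ACL {acl!r}"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(key) is True for key in BLOCK_KEYS):
        findings.append((logical_id, "HIGH",
                         "PublicAccessBlockConfiguration does not block all public access"))
    return findings


def scan_template(template_text):
    """Parse a JSON CloudFormation template and check every S3 bucket in it."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(logical_id, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for resource, severity, message in results:
        print(f"{severity:8} {resource}: {message}")
    # Non-zero exit is what lets a CI job fail the pull request.
    sys.exit(1 if results else 0)
```

Run as-is, it reports three findings, all against LogsBucket, and exits with status 1; the hardened DataBucket produces none. Real tools additionally resolve intrinsic functions and YAML templates, which this example deliberately leaves out.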
How has the pandemic impacted your company?
Soluble is a seed stage startup, and even before the pandemic, our team was spread out geographically and across time zones. So remote work and the pandemic haven’t greatly impacted our culture. But we do miss meeting face to face for team and customer meetings.
Where do you see your company going in 5 years?
We are excited about building out our company. Right now, we are a small team, so we have to prioritize our work to align with our limited resources. We are looking forward to scaling to automate more key processes for customers, and we believe we can also partner with security vendors whose customers need help safely scaling their IaC.
We firmly believe that customers – development teams in particular – don’t want or need another security tool. They want fast feedback delivered to them where they are. As customers use iacbot to automate security and compliance in CI, we believe it can augment other solutions already in use by our customers. For example, it can help CSPMs provide better visibility of security and compliance processes taking place in development, and help them shorten remediation cycles by providing more context for incidents detected.
What is the next big challenge in information security?
We believe it’s securing digital transformation and the move to cloud native application development for rapid release cycles – especially in highly regulated industries. My cofounder, Rich Seiersen, served as CISO for several large, global organizations, and we worked together at Lending Club, where I was VP of Operations. You must drive operational efficiency and collaboration across teams; otherwise, you have to slow things down to ensure security, reliability, and quality, and to meet compliance requirements.
Security and operations teams are outnumbered compared to developers, so more of the work needs to shift left so that security, risk, and operations teams aren’t bottlenecks. We believe that automating key security and compliance processes into CI/CD will provide the operational control and efficiency to help organizations safely scale their cloud native development.
How do people get involved/buy into your vision?
Visit our website at https://get.soluble.cloud/ to learn more, or you can visit https://app.soluble.cloud/get-started to connect iacbot. Please also check out and subscribe to our blog at https://get.soluble.cloud/posts/, for updates, demos, tips, and case studies.