There is a multitude of code scanners out there. They have seen great successes in the market, and largely are responsible for erasing the blue screen issue of the early 2000s. But what about configuration files?  These have been largely overlooked and even if they are touched upon, by companies like Snyk or Prisma, they stop at the IaC level. What about the application level configurations inside containers?  The misconfigurations at this level are responsible for many recent human error caused breaches (e.g. Capital One 2019) , and so, it is time to bring a tool to market that brings the same depth of code scanners to configuration scanning.

What we do differently

CoGuard scans configurations from all layers of your IT infrastructure, from your IaC down to your application level configurations. Thanks to researchers on our team with a background in SAT solving, we were able to create a model that can not only scan individual configuration files, but also their dependencies, predicting potential breach paths and downtimes in advance.

Defence in Depth with CoGuard

CoGuard  is an enterprise SaaS tool which you can use to upload configuration files from both your infrastructure, as well as your application layer. It keeps a model of your IT infrastructure, and finds deviations from security and other best practices in individual configuration files, as well as their interconnections (e.g. two dependent software pieces). It was created to provide the same depth for Infrastructure as Code as the top of the line code-scanners provide for code, and hence elevating the overall quality.

The number of different software pieces that make it into a cluster and do have networking capabilities or requirements is ever growing, and realistically no one can be an expert in all of them. Even the awareness as per which configuration files to consider for security purposes is often lacking. When we talk to teams, all configurations they are mainly aware of are their Terraform/Kubernetes files, if they use modern infrastructure as code principles. The rest of the configurations are not even in version control. We see this as one of the main reasons for data breach being on the rise. The consideration of configuration files at every layer is something crucial if one claims to perform “defence in depth” and zero trust.  This can now be achieved with CoGuard.

The missing puzzle piece

We want to change this lack of versioning and in depth knowledge of one's infrastructure. But enforcing familiarization with the different software pieces is not feasible for already overworked teams. They simply do not have the time to manually discover all their configuration files to get them organized in a versioning system.

So we asked ourselves: How can we build auto discovery into our tool?  Since Docker containers are everywhere, we decided that their associated images are a good starting point. By creating a free CLI tool to discover and scan configurations inside Docker images, we not only help users with a commonly misconfigured and overlooked area of their infrastructure, but we are able to gain invaluable input from our users that can help inform our journey forward towards achieving our mission of full auto discovery of all layers of IT infrastructure and their configuration files. From here, many great tools and new processes can be built together.

‍

Want to be a part of the journey and contribute to our community?  Check our our free CLI tool, coguard-cli, online here and leave your feedback-what did you like? What can we do better? We are excited to dive into this open source project and look forward to your contributions.

You can also read more about our coguard-cli project online here.

‍