Introducing graph theory to Policy-As-Code


Authors: Barak Schoster


The presentation discusses the importance of infrastructure as code and automation in cloud security and DevOps. It highlights the challenges of manual security reviews and misconfigurations in open source repositories, and proposes solutions such as infrastructure linters and early feedback loops.
  • Infrastructure as code and automation are crucial for cloud security and DevOps
  • Manual security reviews and misconfigurations in open source repositories pose significant risks
  • Infrastructure linters and early feedback loops can help prevent misconfigurations and improve security
  • Collaboration between security and development teams is essential for a scalable and agile security process
The speaker shares how their organization struggled with manual security reviews and tedious policy implementation before adopting infrastructure as code and automation. They also highlight the risks of misconfigurations in open source repositories, such as lack of encryption and logging, and the challenges of keeping up with new cloud services and configurations. The speaker emphasizes the need for collaboration between security and development teams to ensure a scalable and agile security process.


Abstract: Graphs are data structures used to model relationships between nodes. Modern cloud infrastructures can be thought of as graphs: compute resources depend on network resources, which in turn depend on access control resources, and so on. Infrastructure as code projects such as Terraform build a directed acyclic graph to model the relationships between resources so operators can safely manage and change infrastructure resources across bare metal, IaaS, PaaS, and SaaS.

Can we utilize a similar graph to analyze and enforce a policy over infrastructure as code? In this talk we will explore how to apply graph theory to Policy As Code using the open source tool Checkov. We will cover the internals of Checkov, demonstrate its usage, and write a custom policy on the relationships between compute resources and access control resources.
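The following is an added illustration of the idea in the abstract, not code from the talk or from Checkov itself: a toy graph-based policy engine in Python (Checkov's language). The resource format, the `${type.name.attr}` reference syntax, the sample resources and the policy "every `aws_instance` must transitively reach an `aws_iam_role`" are all constructed for this example. It builds the dependency graph from attribute references, orders it topologically (rejecting cycles, since an infrastructure graph must be a DAG to be applied safely), and then evaluates a relationship policy between compute and access control resources rather than a per-resource attribute check.

```python
"""Toy graph-based policy-as-code engine (added example, not Checkov's code).

All resource definitions, the reference syntax and the policy below are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sample input: Terraform-like resources flattened to dicts.
# aws_instance.batch has no instance profile, so the policy should flag it.
SAMPLE_RESOURCES = [
    {"type": "aws_iam_role", "name": "web", "attrs": {}},
    {"type": "aws_iam_instance_profile", "name": "web",
     "attrs": {"role": "${aws_iam_role.web.name}"}},
    {"type": "aws_security_group", "name": "web",
     "attrs": {"ingress_cidr": "10.0.0.0/8"}},
    {"type": "aws_instance", "name": "web",
     "attrs": {"iam_instance_profile": "${aws_iam_instance_profile.web.name}",
               "vpc_security_group_ids": ["${aws_security_group.web.id}"]}},
    {"type": "aws_instance", "name": "batch",
     "attrs": {"vpc_security_group_ids": ["${aws_security_group.web.id}"]}},
]

# Assumed reference syntax: ${resource_type.resource_name.attribute}
REF_RE = re.compile(r"\$\{(\w+)\.(\w+)\.\w+\}")


def resource_id(res):
    return f"{res['type']}.{res['name']}"


def iter_strings(value):
    """Yield every string nested inside lists/dicts of an attribute value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_strings(v)


def build_graph(resources):
    """Directed graph: edge A -> B whenever A's attributes reference B."""
    ids = {resource_id(r) for r in resources}
    edges = defaultdict(set)
    for res in resources:
        src = resource_id(res)
        edges.setdefault(src, set())  # keep isolated resources as nodes
        for s in iter_strings(res["attrs"]):
            for rtype, rname in REF_RE.findall(s):
                dst = f"{rtype}.{rname}"
                if dst in ids:  # ignore references to undeclared resources
                    edges[src].add(dst)
    return edges


def topological_order(graph):
    """Kahn's algorithm: dependencies before dependents; raises on a cycle."""
    remaining = {n: len(deps) for n, deps in graph.items()}
    dependents = defaultdict(list)
    for n, deps in graph.items():
        for d in deps:
            dependents[d].append(n)
    queue = deque(sorted(n for n, c in remaining.items() if c == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for dep in dependents[n]:
            remaining[dep] -= 1
            if remaining[dep] == 0:
                queue.append(dep)
    if len(order) != len(graph):
        raise ValueError("dependency cycle detected; graph is not a DAG")
    return order


def reachable_types(graph, start):
    """Resource types of everything transitively reachable from start."""
    seen, queue, types = set(), deque([start]), set()
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                types.add(nxt.split(".")[0])
                queue.append(nxt)
    return types


def check_compute_has_role(resources, graph):
    """Constructed policy: each aws_instance must reach an aws_iam_role
    (directly or via an instance profile). Returns the failing resource ids."""
    failures = []
    for res in resources:
        if res["type"] == "aws_instance":
            if "aws_iam_role" not in reachable_types(graph, resource_id(res)):
                failures.append(resource_id(res))
    return failures


if __name__ == "__main__":
    g = build_graph(SAMPLE_RESOURCES)
    print("apply order:", topological_order(g))
    print("policy failures:", check_compute_has_role(SAMPLE_RESOURCES, g))
```

The point of the graph model is the last function: a plain attribute linter can only say whether `iam_instance_profile` is set, while a graph walk can express the actual relationship (instance to profile to role) and therefore catch a compute resource that is wired to no access control resource at all.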