VMblog Expert Interview: Barak Schoster of Bridgecrew Talks Checkov 2.0


The team at Bridgecrew is back at it again.  The company is announcing a new version of Checkov, its static code analysis tool for infrastructure-as-code (IaC) which has already been downloaded over 1.2 million times and has received over 2,000 stars on GitHub.

To find out more, VMblog spoke with Barak Schoster, CTO and Co-Founder of Bridgecrew.

VMblog:  Bridgecrew is announcing Checkov 2.0 -- the most significant update to the Checkov open source project.  Can you tell us more about the project in general and how it helps developers automate cloud security?

Barak Schoster:  Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure managed in Terraform, CloudFormation, Kubernetes, Docker, Helm charts, ARM templates or Serverless Framework manifests and detects misconfigurations before deploying those resources into production. To date, it's been downloaded over a million times and has a great community behind it.

VMblog:  What are the most significant updates in Checkov 2.0?

Schoster:  We've added 250 new policies, as well as support for Dockerfile scanning, which makes it easier for developers to build more secure Kubernetes applications. But the biggest update is our new graph-based policy engine -- Checkov is the first open-source tool to do infrastructure-as-code (IaC) scanning at build time that has dependency awareness.
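As an added illustration of what dependency awareness means for a policy (example code written for this page, not Checkov's own implementation): the toy scanner below builds a reference graph over constructed Terraform-like resources so that one check can ask whether another resource points at a bucket, something a purely per-resource check cannot do. The resource names and attribute keys are assumptions chosen for the example.

```python
# Toy dependency-aware IaC scan. Added illustration, not Checkov's own code.
# A graph-based engine can reason about relationships between resources, not
# only one resource's attributes. Resource names and attribute keys are assumed.
import re
from collections import namedtuple

Resource = namedtuple("Resource", "rtype name attrs")
REF = re.compile(r"^(\w+)\.(\w+)\.\w+$")  # e.g. aws_s3_bucket.logs.id

def addr(r):
    return f"{r.rtype}.{r.name}"

def build_graph(resources):
    """Map each resource address to the addresses its attributes reference."""
    edges = {addr(r): set() for r in resources}
    for r in resources:
        for value in r.attrs.values():
            m = REF.match(str(value))
            if m:
                edges[addr(r)].add(f"{m.group(1)}.{m.group(2)}")
    return edges

def has_versioning(bucket):
    """Attribute-level check: needs only the bucket itself."""
    return bucket.attrs.get("versioning_enabled") is True

def has_public_access_block(bucket, resources, edges):
    """Graph-level check: a public-access-block resource must reference this bucket."""
    return any(o.rtype == "aws_s3_bucket_public_access_block"
               and addr(bucket) in edges[addr(o)] for o in resources)

def scan(resources):
    """Return (address, finding) pairs for every S3 bucket that fails a check."""
    edges = build_graph(resources)
    findings = []
    for r in (r for r in resources if r.rtype == "aws_s3_bucket"):
        if not has_versioning(r):
            findings.append((addr(r), "versioning disabled"))
        if not has_public_access_block(r, resources, edges):
            findings.append((addr(r), "no public access block"))
    return findings

# Constructed sample: 'logs' is compliant, 'uploads' fails both checks.
SAMPLE = [
    Resource("aws_s3_bucket", "logs", {"versioning_enabled": True}),
    Resource("aws_s3_bucket_public_access_block", "logs",
             {"bucket": "aws_s3_bucket.logs.id", "block_public_acls": True}),
    Resource("aws_s3_bucket", "uploads", {"versioning_enabled": False}),
]
```

Running `scan(SAMPLE)` reports only the `uploads` bucket, because the `logs` bucket is cleared by a check that walks the graph to a separate resource.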


VMblog:  How do developers typically go about securing their cloud infrastructure if they aren't using a tool like Checkov? 

Schoster:  With engineers focused on features and DevOps allowing them to move rapidly and self-provision around their own hurdles, it's impossible for reactive, traditional security tools to keep up with an ever-changing production environment. Even with a security engineer within the team, the chance of catching every bad default in Terraform, or hidden in a wide-open IAM policy, is next to impossible with the ever-growing suite of cloud services. Without a tool like Checkov, you might find your sprint backlog inflated with security-related tickets sourced from scanning a running production environment, instead of finding those issues early on while writing code in the IDE or as part of a CI/CD pipeline.

VMblog:  Do you think all developers should be security experts?  Like in ops, where there's a trend for developers to be on-call for the services they build.  Or is this something different?

Schoster:  We believe a lot of the security knowledge can be crowdsourced, and that lowers the barrier of entry. With Checkov, we have a community of developers contributing best practices in the form of policies. So as a user of Checkov, you don't have to memorize 700+ best practices of infrastructure configuration -- you can use the power of the open source community to virtually advise you and automate security into your code.

VMblog:  The security space is certainly heating up.  But misconfigurations and vulnerabilities have always been a concern -- why do you think DevSecOps seems to be on the rise now?

Schoster:  DevSecOps and "Shift Left" are about testing your application early and often. At the end of the day it's about productivity; teams want the ability to be more independent in development, while keeping the software reliable and secure. In addition, automating security into the software development lifecycle (SDLC) gives teams the ability to respond fast to a change, and have continuous assurance that the code and cloud architecture are reviewed.


Published Thursday, April 08, 2021 10:01 AM by David Marshall