joseph goksu
DevSecOps: Policy as Code
A guide to creating and enforcing security policies

Hello everyone,

I've been really busy with HashiCorp Vault recently, and I came across another HashiCorp product called "Sentinel". It is a policy-as-code tool. The idea behind policy as code is to write policies in a high-level language so that they can be managed and automated like any other code.

Encoding policy as code in text or code files lets you apply proven software development best practices, such as version control, automated testing, and automated deployment, to your policies.

It is a policy management technique in which policies are written, modified, shared, and enforced through code.

It also offers several advantages. A policy-as-code approach lets policies be written and managed in a way that different kinds of stakeholders, such as developers, administrators, and security engineers, can understand.

As I mentioned above, I want to show some examples from HashiCorp Sentinel. Let's look at it.

Policy Language

The policy language was created to be a simple, declarative language for defining and enforcing policies. Non-programmers can understand it, so everyone in your company/team can quickly write a policy.

At the same time, the policy language contains developer-friendly features that allow robust policies.

Here's a very basic sample code block.

# Import the library
import "time"

# Validate time is between 8 AM and 4 PM
valid_time = rule { time.now.hour >= 8 and time.now.hour < 16 }

# Validate day is M - Th
valid_day = rule {
	time.now.weekday_name in ["Monday", "Tuesday", "Wednesday", "Thursday"]
}

# main is the rule Sentinel evaluates; the policy passes only if both rules hold
main = rule { valid_time and valid_day }

We can easily define a policy for valid days and times and use it to check that the current time is between 8 AM and 4 PM and the day is Monday to Thursday. Awesome, right?
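The same change-window policy written as ordinary Python, as an added example that is not from the original post or from HashiCorp. It mirrors the two Sentinel rules above and the `main` rule that combines them, but injects the clock instead of reading the wall clock, so the policy can be unit-tested deterministically (one of the "automated testing" benefits mentioned earlier). The function names and the explanation of which rules failed are assumptions of this example, not Sentinel features.

```python
"""Change-window policy as code: rules are plain predicates over an injected
clock, so the policy can be tested with fixed timestamps."""
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


def valid_time(now: datetime) -> bool:
    """Between 8 AM (inclusive) and 4 PM (exclusive), like the Sentinel rule."""
    return 8 <= now.hour < 16


def valid_day(now: datetime) -> bool:
    """Monday through Thursday only, like the Sentinel rule."""
    return now.strftime("%A") in ("Monday", "Tuesday", "Wednesday", "Thursday")


# Registry of named rules; equivalent to the individual `rule { ... }` blocks.
RULES: Dict[str, Callable[[datetime], bool]] = {
    "valid_time": valid_time,
    "valid_day": valid_day,
}


def evaluate(now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Evaluate every rule against `now` (defaults to the real clock).

    Returns (allowed, names_of_failed_rules). `allowed` is the equivalent of
    the Sentinel `main` rule: true only when every rule passes. Reporting the
    failed rule names is an addition so a denied request is explainable.
    """
    now = now or datetime.now()
    failed = [name for name, rule in RULES.items() if not rule(now)]
    return (not failed, failed)


if __name__ == "__main__":
    # Constructed timestamps for demonstration: 2024-01-08 is a Monday.
    for ts in (
        datetime(2024, 1, 8, 9, 0),    # Monday 09:00 -> allowed
        datetime(2024, 1, 8, 16, 0),   # Monday 16:00 -> outside window
        datetime(2024, 1, 12, 10, 0),  # Friday 10:00 -> wrong day
    ):
        allowed, failed = evaluate(ts)
        print(f"{ts:%A %H:%M}: {'ALLOW' if allowed else 'DENY'} {failed}")
```

Because the clock is a parameter, the boundary cases (exactly 16:00 is rejected, exactly 08:00 is accepted) can be pinned down in a test suite and reviewed like any other code change, which is the point of treating policy as code.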

Benefits of Policy-as-Code

Compared with manually managing rules, conditions, and processes, policy-as-code provides four significant advantages:

  • Efficiency: Once we have a policy, we can apply it at scale.

  • Visibility: Even non-programmers can understand the policy language.

  • Collaboration: By providing a uniform way of expressing policies, policy-as-code simplifies collaboration.

  • Accuracy: Once the teams define the policy, they avoid the risk of making configuration mistakes when managing a system manually.

There are fantastic tools available to help you manage policies. In the immediate future, I'd like to concentrate on HashiCorp Sentinel.

You can also check out tools like Prisma Cloud, Bridgecrew, and Checkov. They can automatically scan and audit policy files in order to detect misconfigurations or vulnerabilities before deployment.

In the next blog article, I'll show you how to apply policy-as-code in practice. I also want to use Terraform to deploy it to AWS.

See you in the upcoming blog articles. Thanks for reading! Reach out to me on Twitter if you have any questions or comments.

References:

  • HashiCorp Sentinel -> https://www.hashicorp.com/products/sentinel/