Leveraging networkx in-memory graphs for securing your cloud infrastructure

Naor David
Language: English (video in English)
The presentation was given on 2022.06.28 at PyCon Israel 2022 - Conference.

Securing Infrastructure-as-code configurations is a key requirement in a cloud production system. We will cover how the networkx library is leveraged to represent cloud resources as a DAG, and how it enhances the misconfigurations scanning process.

We at Bridgecrew by Palo Alto Networks have published checkov, a Python open source tool that is the industry standard for Infrastructure-as-code (aka IaC) scanning, used by thousands of users and backed by an active community. Checkov scans for misconfigurations and reports the security implications and risks that such misconfigurations introduce. In this talk, I will show how we leveraged the networkx Python library to extend checkov's scanning capabilities.

IaC is the practice of codifying the provisioning and management of IT resources. As IaC frameworks have become more advanced, they have incorporated dependencies between IaC configurations, mirroring the way physical IT resources almost always depend on each other.

Checkov utilizes the networkx graph library to build a DAG (directed acyclic graph) that enables blazing fast graph analysis queries relevant to the IaC security domain. It uses the graph to render configuration settings that stem from other configurations linked to a resource. This allows the testing of more complex scenarios, in which a combination of dependent resources creates an insecure configuration that scanning each resource independently would not reveal.
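The idea above, as an added illustration that is not checkov's own code: a constructed, Terraform-like set of blocks is loaded into a networkx DiGraph, `${...}` references become dependency edges, values are rendered across those edges in topological order, and a check then combines an instance's own attribute with the security group it depends on. The block names, attribute keys and the `${...}` reference syntax are simplified assumptions for the example; it requires the networkx package.

```python
import networkx as nx

# Constructed mini IaC configuration (not checkov's parser or schema):
# values of the form "${block.name[.attr]}" refer to another block.
BLOCKS = {
    "var.ssh_cidr": {"default": "0.0.0.0/0"},
    "aws_security_group.web": {"ingress_port": 22,
                               "ingress_cidr": "${var.ssh_cidr.default}"},
    "aws_instance.app": {"associate_public_ip_address": True,
                         "security_group": "${aws_security_group.web}"},
    "aws_instance.db": {"associate_public_ip_address": False,
                        "security_group": "${aws_security_group.web}"},
}

def _ref(value):
    """Return the parts of a ${...} reference, or None for a literal."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return value[2:-1].split(".")
    return None

def build_graph(blocks):
    """One node per block; an edge from each dependency to its dependent."""
    g = nx.DiGraph()
    for name, attrs in blocks.items():
        g.add_node(name, **attrs)
    for name, attrs in blocks.items():
        for value in attrs.values():
            parts = _ref(value)
            if parts:
                g.add_edge(".".join(parts[:2]), name)
    if not nx.is_directed_acyclic_graph(g):
        raise ValueError("reference cycle in configuration")
    return g

def render(g):
    """Resolve attribute references; topological order guarantees that a
    dependency's own values are final before its dependents read them."""
    for node in nx.topological_sort(g):
        for key, value in list(g.nodes[node].items()):
            parts = _ref(value)
            if parts and len(parts) == 3:  # block.name.attribute
                g.nodes[node][key] = g.nodes[".".join(parts[:2])][parts[2]]
    return g

def publicly_reachable_ssh(g):
    """Flag instances that have a public IP AND are linked to a security
    group admitting SSH from anywhere. Neither resource alone is flagged."""
    findings = []
    for node, attrs in g.nodes(data=True):
        if not node.startswith("aws_instance.") or not attrs.get("associate_public_ip_address"):
            continue
        for dep in g.predecessors(node):
            sg = g.nodes[dep]
            if dep.startswith("aws_security_group.") and sg.get("ingress_port") == 22 \
                    and sg.get("ingress_cidr") == "0.0.0.0/0":
                findings.append(node)
    return findings
```

`publicly_reachable_ssh(render(build_graph(BLOCKS)))` reports only `aws_instance.app`: the same security group is attached to `aws_instance.db`, but that instance has no public address, so the combination is not present there.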

After this lecture you'll know what a DAG is, how to traverse it, and the benefits of in-memory analysis over using a persistent graph database. You'll also get to know the concept of IaC, the benefits it brings to the development lifecycle, and why using checkov ensures your IaC remains continuously secure.