Global cybersecurity solutions vendor Palo Alto Networks has announced the release of Yor, an open-source tool that automatically tags cloud resources defined in the infrastructure as code (IaC) frameworks Terraform, AWS CloudFormation, and Serverless Framework YAML. Yor would automate the tedious work of manually tagging cloud resources, help security teams trace security misconfigurations from code to cloud, and enable effective GitOps across all major cloud providers.
Yor was built by Bridgecrew, the team behind the open-source IaC scanner Checkov, which has been downloaded over 2 million times by developers. Bridgecrew was acquired by Palo Alto Networks for 156M in cash in March 2021, and together they continue to invest in new and existing open-source projects.
Organizations may use Yor to retrospectively assign ownership and other meaningful tags, based on IaC and git history data, across all infrastructure resources. Yor can also be integrated into the CI/CD lifecycle to improve traceability as infrastructure is upgraded and created. Consistent labeling would make it much easier to trace any misconfiguration back to the original code owners and editors, cutting down on patching time.
“Effective infrastructure tagging is critical to tracking cost allocation, access control, operations, and of course security in the cloud,” said Barak Schoster, chief architect at Palo Alto Networks. “To date, this has been an all-too-manual process for developers, with each cloud provider and organization having different standards and naming conventions. By automating standardized tagging, Yor provides visibility and traceability from IaC configuration to cloud resources in production.”
Cloud Security Alliance
As public cloud adoption increased over the past two years, misconfigurations were among the major causes of breaches and outages, according to the Cloud Security Alliance’s recent study, The State of Cloud Security Concerns, Challenges, and Incidents. If a security team discovers a misconfiguration, having tags that identify the owning developer would facilitate triage, allowing the ticket to be sent to the correct developer automatically. Yor’s applications go beyond security, making it easier to tag resources and manage expenditures from a financial and budgeting standpoint.
“DevSecOps is about breaking down silos and improving productivity,” said Ismail Yenigul, open-source contributor and DevSecOps expert. “Imagine there is a SEV0 security incident – the last thing you want to do is spend hours identifying what caused a misconfiguration or tracking down the developer who wrote or modified the infrastructure code that is managed in Terraform, CloudFormation, or Serverless. Yor makes it possible to get answers to those questions immediately, for much more effective collaboration and faster mean time to resolution of incidents.”