Fugue is open sourcing a new cloud security tool

Cloud makes the computing resources that are found in data centers available over the internet. That means all of the servers and databases that may have in the past been pictured in big rooms can be created and managed via software.

The development of the cloud also changed the approach to managing infrastructure from one that is manual to one that is dictated by sets of instructions that can be written by developers to tell the machines what to do. In other words, it’s more like code.

This has given way to a new area that, fittingly, is called infrastructure-as-code. While this technology allows ops teams to automatically launch new servers, it also presents some challenges for developers, according to Fugue CEO Josh Stella.

Frederick-based Fugue focuses on one of these areas: ensuring that the cloud environments developers create are secure, and in compliance with regulations.

On Thursday, the company is releasing an open source tool, available on Github, that hones in on the time before a new resource is deployed. Initially, Regula will be able to identify any risks that may arise from misconfiguration of scripts developed in Terraform, which is a popular infrastructure as code tool; specifically, it’s for Terraform scripts written for AWS infrastructure.

“What Regula will do is look at infrastructure-as-code files and tell you if you’re going to do something that is dangerous ahead of time,” Stella said.

One example: Maybe a developer forgot to turn on an encryption feature. Regula would flag that, and ensure that the resource wasn’t made available without encryption, avoiding a vulnerability.

“It’s an important part of baking security in from the beginning of the development cycle,” Stella said.

Fugue has a commercial SaaS product that offers a variety of cloud security features for businesses and government. But Regula will work independently from that. Stella said the company drew on its knowledge to create a tool that is designed for developers. Being open source — meaning users can freely distribute and change the tool — is part of that. After all, Stella said, developers are using lots of tools that are open source. For instance, Regula is written in Rego, which is an open source policy language.

“When you’re providing tools to developers,” Stella said, “those really should be open source generally speaking because that’s how the ecosystem works and that’s how it should work.”

Plus, it gives the community a chance to develop it.

“It’s not a one way street,” he said. “With Regula we are creating what we hope will be the standard place for the community to contribute to these security checks for infrastructure as code.”