Chapter 3

Chapter 3: Declarative and Immutable Security-as-Code

Declarative rules tell the machine what should be done. Learn how to use declarative Security-as-Code rules to immutably remediate CWEs.

In declarative approaches, you specify the desired final state of the security you want to apply without dictating how to get it.

This behavior is ideal for CWEs, which refer to software weaknesses rather than specific instances of vulnerabilities within products or systems.

Declarative programming minimizes the factors that could affect the behavior of a piece of code to ensure that only a function’s input should affect the output, not what’s happening elsewhere in the program.

This approach enables Security-as-Code’s immutability and makes it possible to prevent vulnerability regressions.

For example, if SQLi vulnerabilities are rampant in your applications, it’s possible through SaC platforms to declaratively tell your applications that you never want to see another SQLi again.

From the time you deploy your SQLi rule, there’s no code that developers can add to the codebase that will override your rule.

Due to the nature of these rules, they inherently remediate zero-days in some instances. This inherent protection is the case for CVE-2022-42889, in which the process forking rule is more than sufficient for payloads supplied as Javascript code, as seen below:

app("nashorn CVE-2022-42889"):
    requires(version: ARMR/2.2)
    process("Deny any process execution"):
        protect(message: "", severity: 7)

Security-as-Code solutions also provide imperative rules for more involved vulnerabilities like Log4shell (CVE-2021-45105), where conditionality and context are needed.

The Beginner's Guide to Security-as-Code

These four chapters are all you need to build a strong foundation of Security-as-Code knowledge & wave goodbye to false positives & regressions. If you want to dig deeper, some chapters have links to more advanced learning materials.

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.