Chapter 4

Chapter 4: Imperative and Instant Security-as-Code

Imperative rules tell the machine how security should be done. Learn how to use imperative Security-as-Code rules to instantly remediate CVEs.

In the imperative approach, the SaC solution helps you prepare automation scripts that apply your security one specific step at a time.

Imperative rules require a higher level of domain experience with your applications. Still, the reward is more control over how you accomplish vulnerability remediation, which is ideal when you need to make small changes, optimize for a specific purpose, or account for software quirks.

Log4shell is an excellent example where following the recommended patching of removing the JNDI Lookup class can break some applications. 

Rather than completely removing the class, it’s possible with imperative rules to specify specific conditions in your applications where you want the JNDI Lookup class to function but place constraints around what you expect from the outputs.

Below is an example imperative rule for CVE-2021-44228:

app("APACHE LOG4J - CVE-2021-44228 - v1.2, b2"):
    requires(version: ARMR/2.2)
    patch("CVE-2021-44228 :01"):
        checksums: ["da55340ac1",
        code(language: java):
            public void patch(JavaFrame frame) {
                String payload = frame.loadStringVariable(1);
                log("Forcing JndiManager.lookup() to return 'null' due to CVE-2021-44228", payload);
            private static void log(String msg, String payload) {
                ArmrEvent event = ArmrEvent.load("ALERT", "HIGH");
                event.addExtension("msg", msg);
                event.addExtension("payload", payload);

The Beginner's Guide to Security-as-Code

These four chapters are all you need to build a strong foundation of Security-as-Code knowledge & wave goodbye to false positives & regressions. If you want to dig deeper, some chapters have links to more advanced learning materials.

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.