Palo Alto Networks today is officially making the code for its open-source project, Yor, available on GitHub.
Yor, which went live Monday, is an open-source project that automatically tags cloud resources in Infrastructure as Code frameworks such as Terraform, Kubernetes, CloudFormation and the Serverless Framework, according to the company’s announcement.
“DevSecOps is about breaking down silos and improving productivity,” Ismail Yenigul, open source contributor and DevSecOps expert, said in the announcement. “Imagine there is a SEV0 security incident — the last thing you want to do is spend hours identifying what caused a misconfiguration or track down the developer who wrote or modified the infrastructure code… Yor makes it possible to get answers to those questions immediately, for much more effective collaboration and faster mean time to resolution of incidents.”
In a presentation to SD Times, Palo Alto Networks listed a number of personas and the Yor use cases that show the benefits to them.
First, for developers, the tags help in tracing a security misconfiguration from the code base to the cloud. Further, Yor’s automated tagging frees developers from having to tag those cloud resources manually, or even having to remember the tags and then use them.
For managers, Yor’s tags show which developer committed what code, down to the line item, so alerts can be sent right to the developer who committed the change, and Jira tickets can even be assigned to the proper person.
The same holds true for security teams, who can use Yor to discover through tagging which developer committed code that opened a vulnerability and then can collaborate on remediation.
For operations and SREs, tags can help identify which engineer deployed infrastructure, since all deployments are identified as Terraform, for example.
“Effective infrastructure tagging is critical to tracking cost allocation, access control, operations and of course security in the cloud,” Barak Schoster, chief architect at Palo Alto Networks, said in the news announcement. “To date, this has been an all-too manual process for developers, with each cloud provider and organization having different standards and naming conventions. By automating standardized tagging, Yor provides visibility and traceability from IaC configuration to cloud resources in production.”
Yor was built by Bridgecrew, which was acquired by Palo Alto Networks in March.