

What's oak9?

Most of us have experienced how liberating it is to let a Cloud Service Provider (AWS, Azure, etc.) carry the weight of managing infrastructure for us, so that we can focus on just building our application.
oak9 wants to give you the same efficiency and peace of mind for your cloud infrastructure's security: you delegate the work of keeping up with changes to your app's infrastructure to oak9, and it makes sure that your application always meets the security requirements it needs to.

Developing quicker vs. making sure security standards are met

The trend in the development world has always been to build tools that make developing apps easier and faster, and those tools are only going to get better and more efficient.
The same trend, however, is not as aggressive in the security world.

There's this mismatch between the rate of changes the development teams are introducing, and the ability to continuously meet security requirements along with those newly-introduced changes.

There's a void in tools that allow automating the task of identifying design gaps in an IT infrastructure, and that's the void oak9 is trying to fill.

How oak9 works

The way oak9 works is that it lays out your infrastructure's architecture and how the services are connected to find any discrepancies in their configurations and connections that don't meet security requirements.
What the resource is, what it's connected to, and what the purpose of that resource is, are all factors that go into the issue-detection process.

oak9 integrates with your development workflow using either API-based integration, or IaC-based integration.
In API-based integration it uses access keys to communicate with your CSP's account to read your deployed resources' configurations and create a representation of your infrastructure.
In IaC-based integration, you provide oak9 with IaC files (like Terraform or CloudFormation) that it parses to build the infrastructure's representation.
IaC-based integration actually opens up the possibility of providing a neat way of resolving detected issues because the fix can just be presented as a change in your IaC file. The Remediation Engine can automatically open up a pull request for your IaC file with the changes required to secure your app. A security fix would be automatically implemented by just approving a pull request!
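
The idea described above, where a finding depends on what a resource is, what it is connected to and what it is for, can be sketched as follows. This is an added example, not oak9's code or rule set; the resource structure, the `purpose` tags and the two rules are assumptions made for illustration.

```python
# Added illustration; not oak9 code. All resource data below is constructed.
from collections import defaultdict

# Simplified stand-in for resources parsed out of IaC files (constructed sample).
RESOURCES = [
    {"id": "sg.web", "type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg.db", "type": "security_group", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    {"id": "lb.public", "type": "load_balancer", "purpose": "public-web", "uses": ["sg.web"]},
    {"id": "db.orders", "type": "database", "purpose": "data-store", "uses": ["sg.db"], "encrypted": False},
]

def build_graph(resources):
    """Index resources by id and record which resources attach to each one."""
    by_id = {r["id"]: r for r in resources}
    attached_to = defaultdict(list)
    for r in resources:
        for target in r.get("uses", []):
            if target not in by_id:
                raise ValueError(f"{r['id']} references unknown resource {target}")
            attached_to[target].append(r["id"])
    return by_id, attached_to

def find_issues(resources):
    """Return (resource_id, problem) pairs for the two hypothetical rules."""
    by_id, attached_to = build_graph(resources)
    issues = []
    for r in resources:
        if r["type"] == "database" and not r.get("encrypted", False):
            issues.append((r["id"], "storage not encrypted"))
        if r["type"] != "security_group":
            continue
        open_rules = [i for i in r["ingress"] if i["cidr"] == "0.0.0.0/0"]
        # Context decides: world-open ingress is expected on a public web
        # front end, but not on anything that guards a data store.
        for user in attached_to[r["id"]]:
            if by_id[user].get("purpose") != "public-web":
                for rule in open_rules:
                    issues.append((user, f"port {rule['port']} open to the internet via {r['id']}"))
    return issues

if __name__ == "__main__":
    for resource_id, problem in find_issues(RESOURCES):
        print(f"{resource_id}: {problem}")
```

The same world-open rule on `sg.web` produces no finding because the only resource attached to it is the public load balancer, which is the point of evaluating connections and purpose rather than single settings.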

Who is it for?

You don't need to be a professional security engineer to make use of oak9. It's meant to be used by developers and security engineers alike, where customizability is available but not required.

All you need is to give it something to scan, and you're on your way to having a more secure app.
