Nitric today announced it has added support for the Go and Kotlin programming languages to its application framework. The framework automatically generates the code needed to provision infrastructure, based on how the application's own code has been written.
Rak Siva, vice president of engineering for Nitric, said that approach eliminates the need to rely on developers using infrastructure-as-code (IaC) tools to configure platforms.
Nitric previously supported JavaScript, Python and C#, along with frameworks such as Express, Fastify and Nest.js, so that infrastructure can be automatically configured based on intent expressed in the codebase through a software development kit (SDK). In effect, Nitric infers how to optimally configure infrastructure. DevOps teams can then choose to either rely on the configurations created by the Nitric framework or customize them to add support for their own policies, said Siva.
While IaC tools have played a major role in streamlining the application development and deployment process, they are also the root cause of many cloud security incidents. Developers who use these tools typically have limited cybersecurity expertise, so the probability that cloud infrastructure will be misconfigured in a way that cybercriminals can exploit is high.
Nitric is attempting to take the concept of managing infrastructure-as-code to the next logical level by automating the process so it can be consistently applied and managed, said Siva. That approach provides the added benefit of improving the overall developer experience by eliminating a task that most developers view as a means to a larger end, he added.
It’s not clear how much of the cloud infrastructure that DevOps teams are relying on to build and deploy applications is misconfigured, but given the varying levels of skill among developers, there are very few organizations that have not encountered a cloud security issue. The challenge is not so much the security of the underlying platforms as it is the shared responsibility model relied on to secure these platforms. Cloud security platform providers assume that organizations that programmatically invoke infrastructure have the expertise required to securely provision it. However, very few organizations can achieve that goal 100% of the time, which results in organizations having to make considerable investments in additional tools and platforms to monitor and enforce cloud security policies.
As more organizations focus their efforts on securing software supply chains, many of them will be revisiting how cloud infrastructure is provisioned. In fact, one of the reasons platform engineering is gaining traction as a DevOps methodology is to improve the developer experience and strengthen application security.
Cultural change, of course, is difficult. IaC tools such as Terraform are deeply embedded within many DevOps workflows, so any alternative approach to provisioning infrastructure will require time to take hold. However, as regulations that hold organizations more accountable for application security become increasingly stringent, it’s now a question of when rather than if change will come to how cloud infrastructure is provisioned.