Puppet gives cracking another silo a go, steps into the security realm


Infrastructure automation company Puppet has released its newest product into the DevOps space: Puppet Remediate.

Judging by the first look, the new offering combines the infrastructure data accessible to ops teams with vulnerability data from a number of assessment tools by security companies Tenable, Qualys, and Rapid7, who are the initial partners for Remediate.

However, if you’re familiar with the company’s quasi-mission statement of getting rid of “repetitive, soul-crushing work”, you might suspect that Remediate is about more than just offering a way for Security and Ops to work together and breaking down another silo.

Nigel Kersten, the company’s VP of ecosystem engineering, is happy to offer some context. “The manual process results in inconsistencies, where vulnerabilities still exist. It causes people to quite frankly not keep up with the bread and butter work of IT, which is patching infrastructure, keeping software updates running, and making sure that services are restarted when an update happens.”

“All of this sort of work is actually where most vulnerabilities come from. You’re not having to deal with advanced persistent threats from nation states hacking into you, your biggest problem is simply out of date software or software that has been deployed inconsistently.” In fact, most of the top 10 CVEs reported last year could be remediated with a package update.

Insight into vulnerability reports was previously mainly reserved for security teams, which isn’t ideal given that operations needs some context from time to time in order to prioritise remediation steps. So instead of letting ops wait for a report from the security department, which is often compiled by hand and therefore again time-consuming, Remediate gives them access to a dashboard listing the most critical vulnerabilities and where in the infrastructure to find the affected hosts.

The only real requirement to make use of this feature is that you have credentials for Rapid7 Nexpose, Rapid7 InsightVM, Tenable.io, or the Qualys Vulnerability Management module. If that doesn’t sound like you, you could always try Remediate as a way of discovering infrastructure for now.

The automation component in the initial release comes in the form of pre-built tasks for actions such as updating packages, which makes the process quicker and less error-prone overall. Because these are tasks rather than agent-based configuration management, there is no agent technology to roll out to the targets, so adopting Remediate does not force bigger changes on the infrastructure. The flip side is that Remediate itself has to hold the credentials it uses to reach the scanners and the hosts it pushes tasks to, and those deserve the same protection as any other privileged automation account.

“At a base level you can just go and use some of the built-in tasks,” Kersten explains, “that solves 80% of the remediation problems out there. You get your list of vulnerabilities and just start immediately remediating those from the console, without installing an agent or learning any Puppet code. Just by knowing enough context around the vulnerability to fix it immediately.”

And if the helpers already integrated won’t do, teams can always try their luck and search for a fitting Bolt Task on Puppet Forge, or upload their own scripts for fixing a problem. Which might be exactly the thing Puppet veterans would want to do, Kersten reckons. “If someone already is a Puppet Enterprise user, they can start building modules to do ongoing management for parts of their infrastructure. That includes declarative ongoing config management as well as imperative ‘go execute this task now’ – this may be a normal maintenance process, or a specific remediation process for getting over a vulnerability.”
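To make the “upload your own scripts” path concrete, here is an added example of what such a package-update task can look like when written as a Bolt task in Python. It is not Puppet’s code and not one of Remediate’s built-in tasks. It follows Bolt’s documented conventions for tasks (parameters arrive as a JSON object on stdin when the metadata declares `input_method` “stdin”, results are printed as JSON, and a JSON `_error` object signals a structured failure); the file names `update_package.py` / `update_package.json`, the parameter names and the per-distribution upgrade commands are assumptions for this example. The security point it makes is the one a fleet-wide remediation script needs: the package name comes from a console user or a scanner feed and is executed with privileged credentials on every target, so it is validated against a strict pattern and passed as an argv list, never through a shell.

```python
#!/usr/bin/env python3
"""Bolt task: upgrade one package with the host's native package manager.

Added example, not Puppet's or Remediate's code. Bolt hands a Python task its
parameters as a JSON object on stdin (input_method "stdin"); the task prints a
JSON result. Assumed layout: tasks/update_package.py next to
tasks/update_package.json holding the metadata shown in METADATA.
"""
import json
import os
import re
import shutil
import subprocess
import sys

# Contents of update_package.json (assumed file name). Declaring the
# parameter types lets Bolt reject malformed input before the task runs.
METADATA = {
    "description": "Upgrade a single package to the latest available version",
    "input_method": "stdin",
    "parameters": {
        "package": {"description": "Package name", "type": "String[1]"},
        "dry_run": {"description": "Only report the command", "type": "Optional[Boolean]"},
    },
}

# The package name originates outside the task and is executed under
# privileged credentials on every target host, so accept only characters a
# real package name can contain (no spaces, quotes, ';', '&', '|', ...).
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$")

# Detection order and non-interactive upgrade command per package manager
# (assumed for this example). Each command is an argv list: no shell is
# involved, so a parameter can never be parsed as shell syntax.
MANAGERS = [
    ("apt-get", ["apt-get", "install", "--only-upgrade", "-y"]),
    ("dnf", ["dnf", "upgrade", "-y"]),
    ("yum", ["yum", "update", "-y"]),
    ("zypper", ["zypper", "--non-interactive", "update"]),
]


def validate_package(name):
    """Return `name` if it looks like a package name, else raise ValueError."""
    if not isinstance(name, str) or not PACKAGE_NAME.match(name):
        raise ValueError("invalid package name: %r" % (name,))
    return name


def build_command(package, which=shutil.which):
    """Return the argv that upgrades `package` with the first manager present.

    `which` is injectable so the selection logic can be exercised off-host.
    """
    package = validate_package(package)
    for binary, argv in MANAGERS:
        if which(binary):
            return argv + [package]
    raise RuntimeError("no supported package manager found on this host")


def run(params, which=shutil.which, runner=subprocess.run):
    """Execute the task for one parameter set and return the result dict."""
    cmd = build_command(params["package"], which=which)
    if params.get("dry_run"):
        return {"status": "skipped", "command": cmd}
    env = dict(os.environ, DEBIAN_FRONTEND="noninteractive")
    proc = runner(cmd, capture_output=True, text=True, env=env)
    return {
        "status": "success" if proc.returncode == 0 else "failure",
        "command": cmd,
        "exit_code": proc.returncode,
        "stdout": proc.stdout[-4000:],  # keep the task result small
        "stderr": proc.stderr[-4000:],
    }


def main():
    params = json.load(sys.stdin)
    try:
        result = run(params)
    except (ValueError, RuntimeError, KeyError) as exc:
        # Bolt treats a JSON "_error" object as a structured task failure.
        print(json.dumps({"_error": {"kind": "update_package/invalid-input",
                                     "msg": str(exc)}}))
        return 1
    print(json.dumps(result))
    return 0 if result["status"] != "failure" else 1


if __name__ == "__main__":
    sys.exit(main())
```

The same task can be run outside Remediate with Bolt directly, which is a convenient way to test it on one host before pointing it at a list of vulnerable ones; the `dry_run` parameter exists so that the command a host would run can be reviewed without changing anything.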

To help you get going, Puppet offers a 30-day trial license for Remediate. Once you have registered for that and downloaded the license, you’ll have to install Docker on your server if you haven’t already, download the Remediate Docker Compose file into the folder with your license, run a command, and sign in.