DEV Community


Discussion on: Infrastructure as Code in 3 minutes

coadaflorin profile image

What are your thoughts on IaC security?
Traditionally security teams were in charge of hardening the environment where the application runs. With IaC should some of those items be considered by developers when they start building the app? If they're too relaxed they could find that security puts restrictions in place and the application will need some refactoring to reduce the attack surface.

n3wt0n profile image
Davide 'CoderDave' Benvegnù Author • Edited

I start from the idea that security is extremely important, and because of that it should be applied as soon as possible in the development process. (aka "Shift left on security")

And this applies also to infrastructure. In a "traditional" approach what you describe is the norm, but to me it is too late to apply security. Don't get me wrong, things like pen-test, red/blue teams, etc are still very important and should be applied continuously...

But with IaC teams have the change to ensure the environment is secure and secured even before it is created. Dev, Ops, and Security teams should collaborate from day 1 of the development on any and every aspect of the "application development", and that includes infrastructure.

They can use processes like Code Reviews in PRs for IaC, testing often, etc, and tools that can help you identify problem and issues in your IaC scripts and models (many tools nowadays can do that).

This is how REAL DevSecOps works. I know it sounds "too good to be true", but this is what I help the clients I work with achieve, so I know it is possbible and it works because I do it on daily basis :)