Discussion on: Infrastructure as Code in 3 minutes

Davide 'CoderDave' Benvegnù Author • Edited

I start from the idea that security is extremely important, and because of that it should be applied as soon as possible in the development process (aka "Shift left on security").

And this applies also to infrastructure. In a "traditional" approach what you describe is the norm, but to me it is too late to apply security. Don't get me wrong, things like pen-tests, red/blue teams, etc. are still very important and should be applied continuously...

But with IaC, teams have the chance to ensure the environment is secure and secured even before it is created. Dev, Ops, and Security teams should collaborate from day 1 of the development on any and every aspect of the "application development", and that includes infrastructure.

They can use processes like Code Reviews in PRs for IaC, testing often, etc., and tools that can help you identify problems and issues in your IaC scripts and models (many tools nowadays can do that).

This is how REAL DevSecOps works. I know it sounds "too good to be true", but this is what I help the clients I work with achieve, so I know it is possible and it works because I do it on a daily basis :)