What drove our development of IaC scanning capabilities? The shift to the developer…
At its core, IaC continues to simplify the provisioning and management of infrastructure for cloud environments. Infrastructure can be provisioned in a scalable, reproducible way across deployments. While this improves overall usability and functionality, scalability demands have pushed infrastructure deployment “left,” to the developer.
This in itself is not a problem, but shifting responsibility to development teams does introduce complications when considering the implications for security.
IaC security used to be the job of IT and ops teams, who were at least semi-versed in security and best practices. As the development and release velocity of cloud-native applications increases, though, provisioning and configuration activities have naturally fallen to developers. The security problem here is twofold: first, this shift makes it more likely that complex security weaknesses are introduced that developers are not equipped to handle, and second, developers are rarely security experts. Lack of experience and lack of bandwidth mean that security does not receive the attention and expertise it requires.