Symbiotic Security 101 - Infrastructure as Code Security

November 8, 2024
Cybersecurity 101

What is Infrastructure as Code security?

Infrastructure as Code (IaC) security is the practice of preventing and remediating security mistakes in your IaC and configuration files, and includes the tools, processes, and people working toward that end. This can take the form of tools that detect issues directly, a predefined process or naming convention that DevOps engineers adhere to in your company, and, of course, people who review Terraform for security issues, or the DevOps engineers themselves being knowledgeable enough in security to avoid those issues in the first place.

Why do I need it?

Interestingly, conversation about Infrastructure as Code security is somewhat lacking within the industry, much to the industry's own peril.

Very large and well-known enterprises whose business is software, like Netflix or Microsoft, understandably have targets on them. Cybercriminals are highly motivated to target those enterprises and their software in particular because the potential payoff is huge. As such, they will invest the necessary time, resources, and effort to find vulnerabilities - not necessarily in their Infrastructure as Code, but directly in the code of their application. There are a number of reasons for this: 

Companies that are less high-profile, like midsize fintech, healthtech, entertainment, etc., are less likely to be specifically targeted by cybercriminals investing that much time in finding vulnerabilities in their apps. However, it is very easy to scan the infrastructure behind those apps at scale, because scanning is generic and the infrastructure is internet-facing: a cybercriminal can automatically scan thousands of infrastructures for security mistakes. They launch a scan, let it run for a while, and when it finds a mistake the attacker is alerted and focuses their effort on exploiting that specific weakness.

There may not be as much reward for an attacker in going after a small-to-medium-sized business (SMB), but since the effort is negligible, they might as well. As a result, SMBs have an outsized chance of suffering an attack on their Infrastructure as Code rather than on the application itself, so securing it is all the more important for SMBs.

How can I better secure my Infrastructure as Code?

As mentioned above, IaC security must be multifaceted and multilayered. At every stage of the software development lifecycle (SDLC), IaC security should involve the following.

Tools that detect and remediate security vulnerabilities as far left in the SDLC as possible (that is, as early as possible) are a necessity - specifically, tools that let developers spot and fix vulnerabilities in the code they are currently writing (like spellcheck, but for vulnerabilities). This causes no disruption of workflow or productivity, because it happens at the point of development, where mistakes are part of the process - not after they have already been committed and signed off. Tools that go further, into training and education (again without disrupting workflow or productivity), are better still.
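To make the "spellcheck for vulnerabilities" idea concrete, here is an added example (written for this page, not Symbiotic's product or any real scanner) of the kind of check such a tool runs against a Terraform file before it is committed: it parses flat resource blocks from a constructed sample and flags an ingress rule that exposes an admin port to the whole internet and a bucket ACL that allows anonymous access. The sample resources, the CIDRs and the admin-port list are all assumptions made for the illustration.

```python
import re

# Constructed sample Terraform for this example (not from the post): one SSH rule
# open to the whole internet, one restricted to a documentation prefix, and a
# bucket ACL that grants anonymous read.
SAMPLE_TF = """
resource "aws_security_group_rule" "ssh_open" {
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "ssh_office" {
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  cidr_blocks = ["203.0.113.0/24"]
}
resource "aws_s3_bucket_acl" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
"""
# Flat resource blocks only; nested blocks are out of scope for this illustration.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
ADMIN_PORTS = {22, 3389}                 # SSH and RDP
WORLD_CIDRS = ("0.0.0.0/0", "::/0")

def parse_resources(text):
    """Yield (address, type, attrs) for each top-level resource block."""
    for rtype, name, body in BLOCK_RE.findall(text):
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(body)}
        yield f"{rtype}.{name}", rtype, attrs

def check_resource(address, rtype, attrs):
    """Return a finding for a misconfigured resource, or None if it looks fine."""
    if rtype == "aws_security_group_rule" and attrs.get("type") == "ingress":
        lo, hi = int(attrs.get("from_port", 0)), int(attrs.get("to_port", 65535))
        world = any(c in attrs.get("cidr_blocks", "") for c in WORLD_CIDRS)
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"{address}: admin port range {lo}-{hi} open to the internet"
    if rtype == "aws_s3_bucket_acl" and attrs.get("acl", "").startswith("public-"):
        return f"{address}: ACL {attrs['acl']!r} allows anonymous access"
    return None

def scan(text):
    """Run the checks over every resource and return the list of findings."""
    results = (check_resource(*r) for r in parse_resources(text))
    return [f for f in results if f]
```

Running `scan(SAMPLE_TF)` reports the open SSH rule and the public bucket ACL and stays silent on the office-restricted rule, which is exactly the feedback a developer wants while the file is still open in the editor.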

This is because, contrary to the popular saying, the strongest point of cybersecurity is between the chair and the screen - people. Developers who know what the vulnerabilities are, how to spot them, how to fix them, and what the risks and consequences are bring all of that knowledge in house, keep themselves and the developers they train from making the same mistakes, and advance their own careers along the way.

The combined institutional knowledge and naturally security-aware teams create stronger, more robust processes for new and existing employees to follow, and solidify the foundation and culture of security throughout the SDLC.

About the author
Vincent Cannone
Growth Marketing Manager - Symbiotic