Page 89 - Cyber Defense eMagazine December 2022 Edition

infrastructure, uncaught mistakes can result in subtle security vulnerabilities. A single misconfiguration in an IaC manifest can weaken runtime or network security: for instance, traffic to a resource can be left unrestricted, or data can mistakenly be exposed to the public internet.

Not only that, but vulnerabilities that are visible in the manifest itself, without deploying anything, need to be addressed as well, and hard-coded credentials are the most critical of them: anyone with read access to the repository, including its history, obtains the credential. No matter how widely it is understood that plaintext credentials do not belong in configuration files, mistakes still happen frequently.

In fact, Security Misconfiguration is one of the OWASP Top 10 web application security risks (A05:2021). It is therefore logical to anticipate these vulnerabilities by setting up the right guardrails so that clean code is shipped from the start. This responsibility, part quality and part security, should be shared across teams to implement a genuine DevSecOps philosophy. Failing to do so could mean a costly security failure is just around the corner.

Infrastructure-as-Code responsibility sits at the crossroads of DevOps, AppSec, and CloudOps engineering. Enabling their collaboration from source to deployment is the only way for an organization to shield itself from future threats. Tools are starting to emerge to cater to this new paradigm.

Since IaC has pushed automation to new heights, it is evident that automation is part of the answer. Automated scanning of manifests for misconfigurations and hard-coded credentials, run where the code is written (as a pre-commit hook) and again in CI before the change is applied to the cloud account, will strengthen an organization's overall security posture. More than that, it will also help raise awareness of IaC security best practices and common mistakes.
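As an added worked example, not code from the article or from GitGuardian, here is a small Python scanner of the kind the paragraphs above describe. It runs over two constructed Terraform-style fragments: one carrying the mistakes discussed on this page (an SSH port open to 0.0.0.0/0, a public-read bucket, a database password and AWS keys pasted into the manifest) and the same resources with the guardrails applied. The credential values are placeholders, the rule names, attribute patterns and the `scan`/`Finding` helpers are assumptions made for the example, and the HCL handling is deliberately line-based rather than a real parser.

```python
"""Line-based scanner for Terraform-style HCL: open ingress, public storage
and hard-coded credentials. Hypothetical helper written for this page, not a
GitGuardian or HashiCorp tool; it only understands one attribute per line."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


BLOCK_OPEN = re.compile(r"^\s*(\w+)\b.*\{\s*$")  # `ingress {`, `resource "a" "b" {`
FROM_PORT = re.compile(r"\bfrom_port\s*=\s*(\d+)")
OPEN_CIDR = re.compile(r'\bcidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"')
PUBLIC_ACL = re.compile(r'\bacl\s*=\s*"public-read(?:-write)?"')
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key ID
# Secret-looking attribute assigned a quoted literal; "${var.x}" and bare
# references such as var.db_password deliberately do not match.
SECRET_LITERAL = re.compile(
    r'\b(?:password|secret|secret_key|token|api_key)\s*=\s*"[^"${]+"', re.I)
WEB_PORTS = {80, 443}  # world-open ingress is usually intentional on these


def scan(hcl: str) -> list[Finding]:
    """Return one Finding per offending line, in file order."""
    findings: list[Finding] = []
    stack: list[str] = []     # enclosing block names, e.g. ["resource", "ingress"]
    port: int | None = None   # from_port seen so far in the current block
    for number, raw in enumerate(hcl.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop line comments (naive: no "#" inside strings)
        if (opened := BLOCK_OPEN.match(line)):
            stack.append(opened.group(1))
            port = None
        elif line.strip() == "}" and stack:
            stack.pop()
        rules = []
        if "ingress" in stack:  # the same CIDR in an egress block is not a finding
            if (pm := FROM_PORT.search(line)):
                port = int(pm.group(1))
            if OPEN_CIDR.search(line) and port not in WEB_PORTS:
                rules.append("open-ingress")
        if PUBLIC_ACL.search(line):
            rules.append("public-storage")
        if AWS_KEY_ID.search(line):
            rules.append("aws-access-key-id")
        if SECRET_LITERAL.search(line):
            rules.append("hardcoded-secret")
        findings.extend(Finding(rule, number, raw.strip()) for rule in rules)
    return findings


# Constructed sample: the kind of manifest the article warns about.
WEAK_MANIFEST = """
resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    cidr_blocks = ["0.0.0.0/0"]   # SSH open to the whole internet
  }
  egress {
    cidr_blocks = ["0.0.0.0/0"]   # open egress is normal and is not flagged
  }
}
resource "aws_s3_bucket" "exports" {
  acl = "public-read"
}
resource "aws_db_instance" "main" {
  password = "Sup3rS3cret!"
}
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"                      # placeholder key ID
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder secret
}
"""

# Constructed sample: the same resources with the guardrails applied.
FIXED_MANIFEST = """
resource "aws_security_group" "web" {
  ingress {
    from_port   = 443
    cidr_blocks = ["0.0.0.0/0"]      # public HTTPS is expected on a web tier
  }
  ingress {
    from_port   = 22
    cidr_blocks = [var.admin_cidr]   # SSH only from the bastion range
  }
}
resource "aws_s3_bucket" "exports" {
  acl = "private"
}
resource "aws_db_instance" "main" {
  password = var.db_password         # injected from a secrets manager at apply time
}
# no provider credentials in the file: they come from the runtime role
"""
```

`scan(WEAK_MANIFEST)` returns five findings (the open SSH rule, the public ACL, the database password, the access key ID and the secret key); the open egress rule in the same file is not reported because the check is scoped to `ingress` blocks, and `scan(FIXED_MANIFEST)` returns nothing even though it also contains a 0.0.0.0/0 rule, because that one sits on port 443. Two limits are worth knowing before trusting such a check in CI: a secret whose attribute name is not on the list is only caught when its value has a recognisable format such as the AKIA prefix, which is why production secret detectors add format-specific detectors and entropy checks; and a line-based reader cannot follow variables or modules, so a value wired in from a `var.` or `module.` output looks clean even if the variable's default is itself a hard-coded secret. A real HCL parser and variable resolution are needed to close the second gap.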



Conclusion

Infrastructure-as-Code is here to stay. The benefits it brings are transforming the software development cycle and opening new doors for automation and innovation. While its advantages have been praised for some time, its associated threats are becoming more apparent. Security needs to fully embrace this new paradigm, centered on the dynamic and ephemeral nature of the resources offered by the cloud. Bridging the gap between security, operations, and development activities, and leveraging automation to build efficient security solutions, will be essential for organizations to raise the bar of their security posture. The first step in that direction must be to protect their cloud infrastructure at the source code level, as early in the SDLC as possible.



About the Author

Thomas has worked both as an analyst and as a software engineering consultant for various large French companies. His passion for tech and open source led him to join GitGuardian as a technical content writer. He now focuses on clarifying the transformative changes that cybersecurity and software are going through.

Thomas can be reached online on LinkedIn and Twitter, and at our company website https://www.gitguardian.com/

            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.