Day Two Cloud 125: Scanning Infrastructure-as-Code For Security Issues

It’s always better to catch misconfigurations and vulnerabilities earlier in your pipeline rather than later. That’s especially true for cloud services where a simple configuration error can expose sensitive assets to the entire Internet.

On today’s Day Two Cloud podcast we discuss how to incorporate security checks early in your Infrastructure-as-Code (IaC) workflows to reduce risk. Our guest is Christophe Tafani-Dereeper, Cloud Security Engineer at Nexthink.

We discuss:

  • What shift-left means in software development
  • How DevSecOps fits into IaC practices
  • Common cloud security risks
  • Using static scans to spot misconfigurations
  • Tools available to help
  • Digging into Terraform examples
  • More


  1. Try to minimize the noise, focus on what matters to you
  2. Using IaC is a good opportunity to find misconfigurations before they get to production
  3. Shift left, but also start left!

Show Links:

@christophetd – Christophe on Twitter

Christophe on LinkedIn

Christophe’s Blog

Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues – Christophe’s blog

Scanning Infrastructure As Code for Security Flaws – IaC Scanning DevSlop

NSA Releases Guidance on Mitigating Cloud Vulnerabilities – Cybersecurity & Infrastructure Security Agency

Starting Left rather than Shifting Left? – OWASP (PDF)

Introducing the State of Open Source Terraform Security Report – BridgeCrew

Infrastructure drifts aren’t like Pokemons, you can’t catch ’em all – driftctl

Shifting Cloud Security Left: Scanning Infrastructure as Code for Security Issues – OWASP DevSlop via YouTube

Episode 125