It’s always better to catch misconfigurations and vulnerabilities earlier in your pipeline rather than later. That’s especially true for cloud services where a simple configuration error can expose sensitive assets to the entire Internet.
On today’s Day Two Cloud podcast we discuss how to incorporate security checks early in your Infrastructure-as-Code (IaC) workflows to reduce risk. Our guest is Christophe Tafani-Dereeper, Cloud Security Engineer at Nexthink.
- What shift-left means in software development
- How DevSecOps fits into IaC practices
- Common cloud security risks
- Using static scans to spot misconfigurations
- Tools available to help
- Digging into Terraform examples
- Try to minimize the noise; focus on what matters to you
- Using IaC is a good opportunity to find misconfigurations before they get to production
- Shift left, but also start left!
@christophetd – Christophe on Twitter
Scanning Infrastructure As Code for Security Flaws – IaC Scanning DevSlop
NSA Releases Guidance on Mitigating Cloud Vulnerabilities – Cybersecurity & Infrastructure Security Agency
Starting Left rather than Shifting Left? – OWASP (PDF)
Shifting Cloud Security Left: Scanning Infrastructure as Code for Security Issues – OWASP DevSlop via YouTube