IaC – A Potential Source of Vulnerabilities, or an Opportunity for More Secure Infrastructure?

Last month, ICIT sponsored an online panel discussion featuring application development and cybersecurity experts from across industry, the federal government, and the Department of Defense. The panel focused on two attack surfaces that have grown as application development practices and technologies have evolved: infrastructure as code (IaC) and APIs.

During that discussion, panelists described IaC as a technology that can either improve or undermine security, depending on how securely the IaC modules themselves are built. Because a module is written once and reused to deploy many environments, a misconfiguration in it (an open security group, a public bucket, an unencrypted volume) is not a single mistake but a template that is replicated everywhere the module is applied. Untested, insecure IaC can therefore spawn the same vulnerability across the entire enterprise. The converse also holds: a hardened module, built deliberately with security in mind and reviewed before reuse, propagates secure defaults to every environment that consumes it, which is why the panelists saw it as a way to make agencies more secure.

To learn more about the ways IaC can be helpful, or harmful, to an agency, we spoke with Ben Stokes, a professional services manager at Checkmarx.

During our discussion, we explored why agencies sometimes build insecure or vulnerable IaC, and the steps needed to create a hardened IaC module. We discussed the organizational changes and technologies that can help agencies build secure infrastructure. Finally, we were introduced to KICS, a new tool from Checkmarx that scans IaC source code for misconfigurations and insecure settings before that code is deployed.
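To make the panel's point concrete, here is an added example of the kind of check an IaC scanner performs; it is not code from Checkmarx, KICS, or the interview. It takes two constructed Terraform modules (an insecure one and its hardened counterpart, both written for this example) and applies three illustrative rules: SSH ingress open to 0.0.0.0/0, a public S3 bucket ACL, and an unencrypted EBS volume. The HCL parsing is deliberately minimal (a brace-matching resource splitter and a flat attribute regex) and is an assumption of this example, not how a production scanner parses HCL.

```python
import re
from dataclasses import dataclass

# Constructed sample: an insecure module as a reusable template means every
# environment that applies it inherits all three weaknesses.
INSECURE_MODULE = """
resource "aws_security_group" "app" {
  name = "app"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 40
  encrypted         = false
}
"""

# Constructed sample: the same module with each setting hardened.
HARDENED_MODULE = """
resource "aws_security_group" "app" {
  name = "app"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "private"
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 40
  encrypted         = true
}
"""

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.MULTILINE)


@dataclass
class Finding:
    address: str   # e.g. aws_s3_bucket.logs
    rule: str      # short rule identifier
    detail: str    # human-readable explanation


def _resources(text):
    """Yield (type, name, body) for each top-level resource block.

    Toy parser (assumption of this example): finds the block header with a
    regex and walks forward counting braces to locate the matching close.
    """
    for m in RESOURCE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]


def _attrs(body):
    """Flatten `key = value` assignments in a block, nested blocks included."""
    return {k: v.strip() for k, v in ATTR_RE.findall(body)}


def scan_hcl(text):
    """Apply the three example rules and return a list of Findings."""
    findings = []
    for rtype, name, body in _resources(text):
        addr = f"{rtype}.{name}"
        a = _attrs(body)
        if rtype == "aws_security_group" and "0.0.0.0/0" in a.get("cidr_blocks", ""):
            findings.append(Finding(addr, "open-ingress",
                                    f"ingress from 0.0.0.0/0 on port {a.get('from_port', '?')}"))
        if rtype == "aws_s3_bucket" and a.get("acl", '"private"').strip('"') in ("public-read", "public-read-write"):
            findings.append(Finding(addr, "public-bucket", f"acl {a['acl']}"))
        # A missing `encrypted` attribute is treated as unencrypted here
        # (assumption: account-level encryption defaults are not consulted).
        if rtype == "aws_ebs_volume" and a.get("encrypted", "false") == "false":
            findings.append(Finding(addr, "unencrypted-volume", "encrypted is not true"))
    return findings


def passes_gate(text):
    """CI-style gate: a module with any finding must not be published for reuse."""
    return not scan_hcl(text)


if __name__ == "__main__":
    for label, module in (("insecure", INSECURE_MODULE), ("hardened", HARDENED_MODULE)):
        print(f"{label}: gate {'PASS' if passes_gate(module) else 'FAIL'}")
        for f in scan_hcl(module):
            print(f"  {f.address}: {f.rule}: {f.detail}")
```

Running a gate like this in the pipeline that publishes shared modules is the practical form of the panel's advice: the scan runs once, at the point where a module becomes a template, rather than after the same misconfiguration has been deployed to every environment that consumes it.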

Click here to read the exclusive interview on the GovDevSecOpsHub.