ESG shares takeaways on IaC security trends
By: Ginnie Goodman, Product Marketing Manager
September 22, 2022
Infrastructure as Code (IaC) templates are popular because they are known for their speed and consistency in deploying infrastructure in the cloud. As businesses continue their migration to the cloud, understanding how to scale and do it safely has become more important than ever. To better understand how IaC security has impacted 350 cybersecurity, IT, and application development professionals, we partnered with ESG on a developer security study which we’ll explore in more detail below.
Let’s take a look at some of the key findings.
Seventy-seven percent of respondents indicated that today up to 50% of their cloud-native applications use IaC templatesEighty-three percent of respondents believe that up to 75% of their cloud-native applications will use IaC templates 12-24 months from now.
But shouldn’t this be good news? Well, it is and it isn’t..
A notable uptick in IaC misconfigurations
With the scale of IaC, misconfigurations can easily propagate across multiple production environments and manifest into a bigger problem. The survey revealed that 83% of organizations are experiencing an increase in IaC template misconfigurations. When compliance and security issues are not addressed in the code, it’s common to spend ten times (or more!) the amount of cost and effort to remediate an issue in production.
The consequences: organizations have experienced a range of security incidents from the IaC misconfigurations
The top three impacts respondents experienced from the increase in IaC template misconfigurations were: unauthorized access to applications and data, the introduction of crypto-jacking malware to mine cryptocurrency, and the impact of remediation steps on service-level agreements.
Finally, some good news: time-savings
But it’s not all doom and gloom. Respondents cited many tangible benefits from IaC scanning tools. In fact, 59% of organizations indicated that the top benefit of using an IaC scanning tool is the ability to fix code issues before applications are deployed into production. This is important given what we know about the time, toil, and cost of remediating problems down the road. Time-savings was the next most cited benefit that both security teams (58%) and development teams (52%) achieved.
Organizations that foster shared responsibilities and ownership across teams will be best positioned to successfully interlace security practices throughout their development processes. You need developer security solutions that make data accessible for everyone.
At Lacework, we believe in creating value for developers by providing guardrails around existing workflows and a fast feedback loop that empowers developers to fix issues at the source autonomously. By taking a platform approach, Lacework IaC Security alleviates friction between teams and bridges the gap between security and developers. Developers appreciate the ease of the IaC scanner integration with their Git provider and the ability to consume findings where they live. Many of our customers have realized quick time to value on the first day, and are able to cut remediation costs and time.
“Previously if an issue came up during deployment, it added another week of time just to remediate it. We now get a pull request right away for critical issues. With Lacework IaC scanning, we can fix these issues in about an hour so we can keep working faster.”
– Nic Parfait, Head of Engineering, Digital Business Bank
Want to learn how you can shift left and benefit as well? Read more or contact us to schedule a demo or speak with our sales team. Check out the full ESG Research report here and tune in to our webinar with ESG on October 12th.