Infrastructure as Code Security Insights
93% of people in a recent Snyk IaC survey said they’re still early in the IaC journey, but for the highest performers, the impact on reduced risk is significant. See the results and how you stack up below.
What does “best in class” IaC security look like?
We grouped respondents into three categories to see how their security results differ.
Mix and match: has a mix of pre and post-deployment checks but no consistent methodologies
Classic security checks: focuses on testing deployed infrastructure, using classic tools like audits and pen testing
Automate everything: consistently automates IaC security in all release pipelines
Those able to find and fix configuration issues the fastest were respondents treating IaC like other forms of code, subjecting it to continuous security checks from creation to deployment.
How quickly can organizations find and fix configuration issues?
How often are issues fixed in less than 1day?
How often do you go 1 week or longer before detecting an issue?
100%
80%
60%
40%
20%
0%
0%
20%
40%
60%
80%
100%
Mix and match
Classic security checks
Automate everything
How does your organization measure up?
Curious to see how your organization compares to these findings? Answer four short questions and we’ll show you! Your responses are anonymous – we won’t be shaming you!
How do you find out about security issues in your application and infrastructure?
Security issues awareness
60%
40%
20%
0%
0%
20%
40%
60%
Audit after deployment
Penetration testing
Manual code reviews
Incident reports
Automated testing pipeline
Cloud provider’s built-in tools
Audit after deployment
Penetration testing
Manual code reviews
Incident reports
Automated testing pipeline
Cloud provider’s built-in tools
Do you include IaC security and misconfiguration tests in your CI pipelines?
Is security included in your pipeline?
60%
40%
20%
0%
0%
20%
40%
60%
Always
Usually
Sometimes
No CI testing for IaC right now
Always
Usually
Sometimes
No CI testing for IaC right now
How long, on average, does it take your teams to find and fix security or misconfiguration issues?
Time to fix issues
60%
40%
20%
0%
0%
20%
40%
60%
Less than 1 week
1 – 2 weeks
More than 2 weeks
Less than 1 day
Less than 1 week
1 – 2 weeks
More than 2 weeks
Less than 1 day
What is preventing you from always integrating security checks into the IaC testing process?
What is preventing security
80%
60%
40%
20%
0%
0%
20%
40%
60%
80%
Every team makes their own separate decisions about what and how to test
No clear set of benchmarks on what to test
Lacking the right tools for IaC testing
Concerned it would slow us down too much
No clear owners to address issues when they are discovered
Every team makes their own separate decisions about what and how to test
No clear set of benchmarks on what to test
Lacking the right tools for IaC testing
Concerned it would slow us down too much
No clear owners to address issues when they are discovered
A word about our survey
This vendor neutral research was independently conducted by Virtual Intelligence Briefing (ViB). ViB is an interactive on-line community focused on emerging through rapid growth stage technologies. ViB’s community is comprised of more than 2.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across multiple IT domains. The survey methodology incorporated extensive quality control mechanisms at 3 levels: targeting, in-survey behavior, and post-survey analysis. The Calculated Margin of error at a 95% confidence level is 3.9%.
Survey respondents by role
Architects
12%
Security & Compliance
16%
Developer and DecOps
30%
Infrastructure
31%
Cloud & Platform
11%
Survey respondents by company size
40%
30%
20%
10%
0%
0%
10%
20%
30%
40%
1 – 500
500 – 1000
2000 – 5000
1000 – 2000
5000 – 10,000
15,000+
1 – 500
500 – 1000
2000 – 5000
1000 – 2000
5000 – 10,000
15,000+