Snyk REPORT

Infrastructure as Code Security Insights

93% of people in a recent Snyk IaC survey said they’re still early in the IaC journey, but for the highest performers, the impact on reduced risk is significant. See the results and how you stack up below.


What does “best in class” IaC security look like?

We grouped respondents into three categories to see how their security results differ.

Mix and match: has a mix of pre- and post-deployment checks but no consistent methodologies
Classic security checks: focuses on testing deployed infrastructure, using classic tools like audits and pen testing
Automate everything: consistently automates IaC security in all release pipelines

Those able to find and fix configuration issues the fastest were respondents treating IaC like other forms of code, subjecting it to continuous security checks from creation to deployment.

How quickly can organizations find and fix configuration issues?

[Chart: two panels, "How often are issues fixed in less than 1 day?" and "How often do you go 1 week or longer before detecting an issue?", each comparing the Mix and match, Classic security checks, and Automate everything groups; the percentages are not preserved on this page.]

How does your organization measure up?

Curious to see how your organization compares to these findings? Answer four short questions and we’ll show you! Your responses are anonymous – we won’t be shaming you!

01

How do you find out about security issues in your application and infrastructure?

Audit after deployment: 45%
Penetration testing: 43%
Manual code reviews: 35%
Incident reports: 33%
Automated testing pipeline: 32%
Cloud provider’s built-in tools: 21%

A word about our survey

This vendor-neutral research was independently conducted by Virtual Intelligence Briefing (ViB). ViB is an interactive online community focused on emerging through rapid-growth-stage technologies. ViB’s community is comprised of more than 2.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across multiple IT domains. The survey methodology incorporated extensive quality control mechanisms at three levels: targeting, in-survey behavior, and post-survey analysis. The calculated margin of error at a 95% confidence level is 3.9%.

Survey respondents by role

Architects: 12%
Security & Compliance: 16%
Developer and DevOps: 30%
Infrastructure: 31%
Cloud & Platform: 11%

Survey respondents by company size

1 – 500: 28%
500 – 1000: 23%
2000 – 5000: 15%
1000 – 2000: 14%
5000 – 10,000: 8%
15,000+: 8%
02

Do you include IaC security and misconfiguration tests in your CI pipelines?

03

How long, on average, does it take your teams to find and fix security or misconfiguration issues?

Less than 1 week: 32%
1 – 2 weeks: 26%
More than 2 weeks: 24%
Less than 1 day: 18%
04

What is preventing you from always integrating security checks into the IaC testing process?