
Snyk Report

Infrastructure as Code Security Insights

93% of people in a recent Snyk IaC survey said they’re still early in the IaC journey, but for the highest performers, the impact on reduced risk is significant. See the results and how you stack up below.

What does “best in class” IaC security look like?

We grouped respondents into three categories to see how their security results differ.

Mix and match: has a mix of pre- and post-deployment checks, but no consistent methodologies.

Classic security checks: focuses on testing deployed infrastructure, using classic tools like audits and pen testing.

Automate everything: consistently automates IaC security in all release pipelines.

Those able to find and fix configuration issues the fastest were respondents treating IaC like other forms of code, subjecting it to continuous security checks from creation to deployment.

How do you find out about security issues in your application and infrastructure?

Do you include IaC security and misconfiguration tests in your CI pipelines?

How long, on average, does it take your teams to find and fix security or misconfiguration issues?

What is preventing you from always integrating security checks into the IaC testing process?

A word about our survey

This vendor-neutral research was independently conducted by Virtual Intelligence Briefing (ViB). ViB is an interactive online community focused on emerging through rapid-growth-stage technologies. ViB's community comprises more than 2.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across multiple IT domains.

The survey methodology incorporated extensive quality control mechanisms at three levels: targeting, in-survey behavior, and post-survey analysis. The calculated margin of error at a 95% confidence level is 3.9%.

Survey respondents by company size