Why all speed and no security makes Infrastructure-as-Code a risky business

Over the last 5 years, software delivery has completely transformed. Infrastructure today is designed and delivered as code in languages such as Terraform, CloudFormation, ARM templates, Kubernetes manifests and more. Increasingly, ownership of this code is falling under the umbrella of software development. This code today represents the entire application architecture and enables development teams to deliver infrastructure capabilities in an agile manner, where foundational architectural changes are made from release to release. This has enabled development teams to achieve incredible velocity and agility. However, every security design & engineering team that I have worked with has unfortunately struggled to keep up with the velocity and unprecedented rate of change that infrastructure-as-code (IaC) adoption brings.

In this talk we will provide a practical guide to how security teams can adapt to IaC. We will outline the typical challenges security teams face when their development team embraces IaC. We will also describe the opportunity that this shift presents to security design & engineering teams. We will discuss how these teams can transform their practices to drive improved standardization and adoption of security design patterns, so that applications are secure and compliant by design.



Aakash Shah


At oak9, Aakash currently helps security organizations adapt to modern development practices and build cloud-native applications that are secure and compliant by design.

Aakash has been in the