BSides Toronto 2023

The Current State of Infrastructure as Code (IaC) from a Security Standpoint
10-21, 15:20–15:45 (US/Eastern), ENG 103

We will review common IaC and container scanners in the context of a modern build pipeline. Using examples, we will show how different IaC tools may hide some complexity, but also make security-relevant settings inaccessible. Furthermore, we will review how modern projects have evolved, and how infrastructure as code has changed the landscape. Using real-world open-source examples, we will examine untracked infrastructure configurations in projects and the potential consequences. We will finish by discussing how the whitebox security assessment fuelled by IaC may change risk and compliance assessments like SOC2 and HIPAA in the future.


This talk will review the evolution of IaC and the technologies that have enabled it, i.e., how we got here. This includes different approaches by different groups and vendors. We will evaluate the pros and cons of different approaches from a security and risk assessment perspective. The future direction of IaC is influenced by the evolving cloud and hybrid infrastructures. This has led to an explosion of emerging tools, including cloud-native (CloudFormation, Azure Resource Manager) and third-party tools (Ansible, Terraform, Kubernetes, Pulumi), that enable a more predictable and auditable configuration environment. The talk will examine the security controls and identify pitfalls in each one. We will also review the tools that automate security review, manage risk and avoid the gray areas that can lead to security headaches and downtime.

Dr. Albert Heinle is driven by a mission to combat the global surge of data breaches and misconfigurations. Albert co-founded CoGuard in 2020 and serves as Chief Technology Officer. Prior to CoGuard, Albert held development positions at FLIR Systems, Inc., Aeryon Labs and Sortable. He completed a Ph.D. in Computer Science at the University of Waterloo.