Skip to main content
Snyk Report

Infrastructure as Code Security Insights

93% of people in a recent Snyk IaC survey said they’re still early in the IaC journey, but for the highest performers, the impact on reduced risk is significant. See the results and how you stack up below.

What does “best in class” IaC security look like?

We grouped respondents into three categories to see how their security results differ.

Mix and match: has a mix of pre and post-deployment checks but no consistent methodologies

Classic security checks: focuses on testing deployed infrastructure, using classic tools like audits and pen testing

Automate everything: consistently automates IaC security in all release pipelines

Those able to find and fix configuration issues the fastest were respondents treating IaC like other forms of code, subjecting it to continuous security checks from creation to deployment.

How quickly can organizations find and fix configuration issues?

How often are issues fixed in less than 1day?

How often do you go 1 week or longer before detecting an issue?

100%

80%

60%

40%

20%

0%

0%

20%

40%

60%

80%

100%

Mix and match

Classic security checks

Automate everything

How does your organization measure up?

Curious to see how your organization compares to these findings? Answer four short questions and we’ll show you! Your responses are anonymous – we won’t be shaming you!

How do you find out about security issues in your application and infrastructure?

Security issues awareness

60%

40%

20%

0%

0%

20%

40%

60%

Audit after deployment

Penetration testing

Manual code reviews

Incident reports

Automated testing pipeline

Cloud provider’s built-in tools

Audit after deployment

Penetration testing

Manual code reviews

Incident reports

Automated testing pipeline

Cloud provider’s built-in tools

Do you include IaC security and misconfiguration tests in your CI pipelines?

Is security included in your pipeline?

60%

40%

20%

0%

0%

20%

40%

60%

Always

Usually

Sometimes

No CI testing for IaC right now

Always

Usually

Sometimes

No CI testing for IaC right now

How long, on average, does it take your teams to find and fix security or misconfiguration issues?

Time to fix issues

60%

40%

20%

0%

0%

20%

40%

60%

Less than 1 week

1 – 2 weeks

More than 2 weeks

Less than 1 day

Less than 1 week

1 – 2 weeks

More than 2 weeks

Less than 1 day

What is preventing you from always integrating security checks into the IaC testing process?

What is preventing security

80%

60%

40%

20%

0%

0%

20%

40%

60%

80%

Every team makes their own separate decisions about what and how to test

No clear set of benchmarks on what to test

Lacking the right tools for IaC testing

Concerned it would slow us down too much

No clear owners to address issues when they are discovered

Every team makes their own separate decisions about what and how to test

No clear set of benchmarks on what to test

Lacking the right tools for IaC testing

Concerned it would slow us down too much

No clear owners to address issues when they are discovered

A word about our survey

This vendor neutral research was independently conducted by Virtual Intelligence Briefing (ViB). ViB is an interactive on-line community focused on emerging through rapid growth stage technologies. ViB’s community is comprised of more than 2.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across multiple IT domains. The survey methodology incorporated extensive quality control mechanisms at 3 levels: targeting, in-survey behavior, and post-survey analysis. The Calculated Margin of error at a 95% confidence level is 3.9%.

Survey respondents by role

Architects

12%

Security & Compliance

16%

Developer and DecOps

30%

Infrastructure

31%

Cloud & Platform

11%

Survey respondents by company size

40%

30%

20%

10%

0%

0%

10%

20%

30%

40%

1 – 500

500 – 1000

2000 – 5000

1000 – 2000

5000 – 10,000

15,000+

1 – 500

500 – 1000

2000 – 5000

1000 – 2000

5000 – 10,000

15,000+