Securing Infrastructure as Code (IaC) through DevSecOps: A Comprehensive Risk Management Framework

Ammar Zeini, Ruth G. Lennon, Patrick Lennon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Despite the evident advantages of Infrastructure as Code (IaC) in software development, the nature of bugs and potential threats arising from its implementation remains subject to ongoing investigation. The formulation of a list enumerating potential threats during the IaC process remains an unattained goal. However, it is not enough merely to recount IaC threats; it is imperative for Development (Dev), Security (Sec), and Operations (Ops) teams to collaborate synergistically from early developmental stages to conduct thorough risk analysis, estimation, and mitigation procedures concerning IaC-related risks. Moreover, adhering to security standards and a risk management framework throughout the IaC lifecycle will enhance the overall security of the deployment process. A risk management framework for IaC is essential. The extant risk management and threat modeling methodologies may necessitate tailoring to effectively protect the Software Development Lifecycle (SDLC) from IaC misuse. This research aims to identify threats that threaten the IaC lifecycle or arise from the utilization of IaC. In addition, it tries to integrate IaC practices with the DevSecOps culture to devise a robust risk management framework and prescribe pertinent practices conducive to fostering secure IaC implementation.

Original language: English
Title of host publication: 2023 Cyber Research Conference - Ireland, Cyber-RCI 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9798350309522
Publication status: Published - 2023
Event: 2023 Cyber Research Conference - Ireland, Cyber-RCI 2023 - Letterkenny, Ireland
Duration: 24 Nov 2023 → …

Publication series

Name: 2023 Cyber Research Conference - Ireland, Cyber-RCI 2023

Conference

Conference: 2023 Cyber Research Conference - Ireland, Cyber-RCI 2023
Country/Territory: Ireland
City: Letterkenny
Period: 24/11/23 → …

Keywords

  • DevSecOps
  • Infrastructure as Code
  • Risk Management framework
  • Secure Deployment
