It’s wedding season, and you need to shop for a suit. Pretty simple right? You head over to the local mall, and you find one off the rack. It’s not a perfect fit, as the pants are a little long and the jacket is baggy, but it gets you most of the way there. It works. But then you realize, “Hey! I can just tailor the suit, so it fits me better!” So, you head to the tailor, and they hem your pants and bring in your jacket a bit. Voila! It fits perfectly. That is Security as Code.
Most security tools are like a suit off the rack. It’s a great starting point and works well but is not an exact fit to your body type. Security as Code on the other hand is like taking your suit to the tailor and getting an exact fit to your body type.
Why is this important?
Well, let’s start with a brief technical explanation of Security as Code.
Security as Code allows end users to create blueprints in whatever language they want. By allowing users to create their own blueprints, they can meet their needs in a very granular manner to secure their cloud resources.
The importance of “as-code”
oak9 is a big believer in “bringing your own language”. It not only enables a wider adoption of IaC, it allows developers to have more control in a language they already know. It brings security to developers in a simple, straightforward way so they are not consumed with building and managing security is a game changer.
How does Infrastructure as Code play into Security as Code?
Infrastructure-as-Code (IaC) has become essential to development team processes by enabling the automation of cloud deployment. The benefit of IaC is that security teams can detect potential attacks, quickly remove compromised infrastructure and redeploy a new, uncompromised version. This allows the business to maintain services while the security team undertakes parallel investigations into the nature of the infrastructure compromise. oak9 translates IaC (Terraform) which can then be fed into Security as Code. Security as Code can then analyze IaC for security design gaps.
What does that mean?
Let’s say you are a maturing born on the cloud healthcare technology organization. You just raised your SERIES B and are growing rapidly. Your engineers can no longer manage all your cloud resources via your management console efficiently and you are relying on your security tool (off the rack suit) to detect vulnerabilities within your environment. However, you have a unique case and the off the rack security tool might miss that. Implementing Security as Code (tailored suite) and creating your own specific blueprint for your unique case, allows detections of these misconfigurations as early as possible.
Since you are creating your own blueprint using Security as Code, you will know exactly what is insecure in your environment.
Security as Code vs Policy as Code
Policy as Code is another popular “as-code” you may hear often. While both are implemented to catch issues early on, there are main key differences.
Security as Code allows engineering teams to understand and fix issues early in the development cycle vs right before the product is ready to deploy. The outcome of properly implemented Security as Code is shorter release cycles, improved collaboration and better security of the product.
Policy as Code allows IT & security teams automate workflows such as onboarding/offboarding, providing role-based access and gaining real-time audit logs for compliance. This helps reduce uncertainty and improves the approval process by taking away the manual legwork usually done by IT teams.
To sum up, Security as Code is product focused, while Policy as Code is IT focused.
When should you begin to use Security as Code?
When a cloud-based organization begins using Infrastructure as code for and the architecture is finalized, it is a great time to implement Security as Code. Incorporating it during your build and test phase before you deploy will allow you to detect the security design gaps earlier.

How oak9 uses Security as Code to create a blueprint
Currently, oak9 treats a cloud resource as an object in a programming language. In this language we create various rules that check the properties of this object for insecure values. Oak9 describes what the structure of this object will be, so end users can create rules and checks that fit their own environment.
This is important, because it gives the end user more control than ever before.
Want to test out oak9’s Security as Code? Click below for free access to the community edition.