Cloud Security and Coding

“To code or not to code, that is the question” is a dilemma that many cyber-security professionals have faced in their careers. Coding has always been a skill that differentiates the real “techies” from the more casual ones in every field of technology, and cyber-security is no different. Cloud security and coding go hand in hand. In senior positions it is entirely possible to never code throughout your cybersecurity career, but if you are involved in more technical positions such as incident response, malware analysis, or penetration testing, then not knowing how to read/write a few lines of code is a huge weakness that will hamper your career growth.

When it comes to Cloud Security, however, I have always held the position that some basic knowledge of programming/coding is essential given the nature of the cloud. Below are my top three reasons you should invest in learning to code for your cloud security career.

REASON 1: Cloud Security is defined in Infrastructure as Code

As a best practice, cloud infrastructures are captured in Infrastructure as Code templates like Terraform or CloudFormation, and that is also where the security weaknesses will reside. It is entirely possible to plug in commercial or open-source tools to scan these templates for weaknesses without knowing the underlying language; however, cloud security professionals will be at a disadvantage if those findings are challenged. Few things frustrate a developer more than a security professional who cannot understand why a vulnerability was mistakenly identified and insists on blindly following a report.

Knowing how to spin up a basic network or server in the cloud using Terraform or CloudFormation is an essential skill that greatly empowers Cloud security professionals and helps them identify security vulnerabilities missed by automated tools. Additionally, it helps to move the discussion towards security as code wherein the controls are embedded within these templates and not bolted on as an after-thought after a scan.
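The kind of control-in-the-template check described above, written as an added example (not from the original article or any scanner). It assumes a JSON CloudFormation template with inline ingress rules and literal port values; the template, the `ADMIN_PORTS` policy and the function name are constructed for illustration. It flags administrative ports reachable from anywhere, including ones hidden inside a port range, and leaves the public HTTPS rule alone, which is the sort of finding a developer would rightly challenge.

```python
import json

# Constructed CloudFormation template (sample input, not from the article).
TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "public web tier",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "database tier",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 6000, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.1.0/24"}]}}
}}
""")

# Assumed policy: ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}

def world_open_admin_ports(template):
    """Return (resource, port, service) for each admin port open to any source."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD:
                continue  # restricted source range: not a world-open rule
            if str(rule.get("IpProtocol")) == "-1":
                lo, hi = 0, 65535  # "-1" means all protocols and all ports
            else:
                lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
            # Compare against the whole range, not just the first port,
            # so a wide rule such as 3000-6000 is not missed.
            for port, service in sorted(ADMIN_PORTS.items()):
                if lo <= port <= hi:
                    findings.append((name, port, service))
    return findings

if __name__ == "__main__":
    for finding in world_open_admin_ports(TEMPLATE):
        print("world-open admin port: %s %d (%s)" % finding)
```
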

REASON 2: Cloud Security is API

The cloud can be looked at as a series of API calls that are manually or automatically called in response to events. It does not matter whether you are using a management console or running a script from a command line; there will be an API call behind it calling a service.

To mature a cloud environment, cloud security pros must learn how to make cloud services integrate and talk to each other in an automated manner. This is essential for scenarios such as incident response automation, where speed is of the essence and some knowledge of coding is necessary to make these services integrate. Additionally, in a cloud environment, public APIs can be left insecure and open up a channel for attackers to take advantage of. There is a good reason why Gartner estimates that APIs will be the most used attack vector in 2022, and not understanding the underlying elements of APIs and how they work will leave Cloud Security pros at a disadvantage. Again, it is possible to plug in commercial solutions, but knowledge of coding is a must for understanding the underlying security risks.


REASON 3: Serverless code is the future for Cloud Security

Serverless can be considered the cloud reaching its full potential, as CIOs can forget worrying about underlying operating systems or runtime environments and just focus on delivering applications. Serverless is an execution model where there is a full abstraction of the environment and only code exists to run (and secure!). Cloud Security professionals need to get to grips with how event-driven architectures work and how serverless functions are secured. Without a server or networking boundary to protect, the full security weight falls on the application code. If a cloud security professional cannot write a simple “Hello World” function in Serverless, then this is something that needs to be addressed ASAP, as they will find themselves lost when trying to understand this new, unique operating model of the cloud.
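An added example (not from the original article) that ties Reason 2 and Reason 3 together: an AWS Lambda-style function, triggered by a GuardDuty finding delivered through EventBridge, that isolates the affected EC2 instance with two API calls. The quarantine security group ID is a placeholder, the severity threshold and the sample event are constructed, and `RecordingEC2` is a hypothetical stand-in so the code runs offline without credentials.

```python
QUARANTINE_SG = "sg-00000000000000000"  # placeholder: a security group with no rules
MIN_SEVERITY = 7.0  # assumed threshold; GuardDuty rates 7.0 and above as High

def handler(event, context, ec2=None):
    """Lambda entry point: isolate the EC2 instance named in a GuardDuty finding."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignored", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < MIN_SEVERITY:
        return {"action": "ignored", "reason": "below severity threshold"}
    instance_id = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return {"action": "ignored", "reason": "finding has no EC2 instance"}
    if ec2 is None:
        import boto3  # bundled with the AWS Lambda Python runtime
        ec2 = boto3.client("ec2")
    # Record why, then replace every attached security group with the quarantine one.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "quarantine-reason", "Value": detail.get("type", "unknown")}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return {"action": "quarantined", "instance": instance_id}

class RecordingEC2:
    """Offline stand-in for the EC2 client: records calls instead of sending them."""
    def __init__(self):
        self.calls = []
    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))

# Constructed EventBridge event carrying a GuardDuty finding (sample input).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    fake = RecordingEC2()
    print(handler(SAMPLE_EVENT, None, ec2=fake))
    print(fake.calls)
```

With no server or network boundary around the function, its execution role is the control that matters: this handler needs only `ec2:CreateTags` and `ec2:ModifyInstanceAttribute`.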

Where to start?

For those cloud security pros who want to start coding, the variety of programming languages can seem very intimidating. Below are just a few of my recommendations that can greatly help in a cloud environment.

🚀 Python: Easily the most popular language out there, one cannot go wrong with Python honestly in any technology environment. It is also the engine that powers most cyber-security tools behind the scenes and is used vastly in serverless environments. There are numerous amazing tutorials present for free to learn Python with my favorite one here

🚀 Terraform or CloudFormation: I already mentioned earlier why this is necessary, and you do not need to do a deep dive to learn Infrastructure as Code. Simply try to spin up a network or database in the cloud and learn as you go along with more complex examples.

🚀 Structured Query Language (SQL) is no longer those weird commands that Database administrators used to run. It is essential to learn the basics of SQL commands to query cloud log stores during an incident or even to identify security trends such as SQL injections against your environment. Businesses are becoming more and more data-driven and SQL is one of the most foundational coding skills to have.

The way forward

I hope this helped to demystify why coding is such a necessary skill for cloud security professionals. Simply put, there is no disadvantage to knowing how to code in cloud security; it will only make you better at your job, giving you a competitive advantage over others. Understanding the underlying code will help you to apply more mitigating techniques and identify risks that will be missed by others. With the vast array of learning material out there, it has never been easier to add coding to your skills library.

Good luck on your journey!