Do You Need To Know Coding In Cloud Security ??
My take on this commonly asked question
“Do you need to know coding in Cloud Security ?”
Newcomers to Cloud Security often ask me this question with a scared face when we do a coaching session.
Coding has always been something that separates the real “techies” from the casual “non-techies” in Cybersecurity.
Let me be clear right from the start.
Coding is NOT a mandatory skill for Cloud Security
It is entirely possible to have a great Cloud Security career without once touching code
BUT .. it is a massive advantage for the following reasons
1 — Understanding IAM becomes easy:
I have written about this multiple times, but Identity & Access Management (IAM) is at the very heart of Cloud Security
If you want to control what a user can do .. it is IAM.
Want to control what a cloud workload can do .. it is IAM
Want to control the blast radius of a developer with power user permission .. it is IAM
If you want to control third-party access into your environment, it is IAM !!
If you want to enforce a complex security model like Zero Trust, good luck without learning how IAM works!
Coding makes creating and fixing IAM policies much easier, as they are typically in JSON format.
Not knowing how to read JSON will make your life considerably more difficult in cloud security
The better you are at coding .., the more amazing IAM policies you can create!
2 — Infrastructure as Code (IaC)
No one creates infra in the cloud from the management console
Everything is captured in Infra as Code ( keyword here being “code” ! ) using tools like Terraform or CloudFormation
And that is where is where the security weaknesses also reside.
You might scoff and say you can buy scanners that check these IaC templates for security issues, but you will be disadvantaged if those findings are challenged.
Few things frustrate a cloud team more than a security professional not being able to understand WHY a vulnerability is being reported as a false positive
Knowing coding will help make finding issues easier and help you enforce security within the code itself
3 — You Can Automate With Serverless
Serverless is one of the most amazing parts of the cloud
Serverless is an execution model with full abstraction of the environment, and only code exists to run it (and be secure!).
Forget servers, patching, and agents .. you can just write code and run it without worrying about the boring parts.
Coding not only helps you understand serverless but also allows you to implement your own amazing serverless functions for security automation and incident response!
The Good News ??
The good news?
Learning coding is now massively easy thanks to AI-powered coding assistants like Q Developer, which makes learning coding a breeze !
You can even make them explain code to you simply and easily.
I hope this helped to demystify why coding is necessary for cloud security professionals.
There is no excuse not to know some coding in today’s AI-powered world.
Good luck on your coding journey!
Check out my video on this also below.