The document discusses the evolution of the software development life cycle (SDLC) and infrastructure as code (IaC). Historically, deploying code required manually configuring physical servers, which was time-consuming and error-prone. While waterfall and agile approaches improved collaboration, cloud computing and infrastructure as code further accelerated development. DevOps emerged to integrate development and operations teams, promoting security throughout the process. Static code analysis now automatically checks IaC templates for security issues early in development.

1. IAC Evolutions
Historically, in the software development life cycle (SDLC), once code was written, it had
to be manually deployed to physical servers. As you can imagine, this process was both time
consuming and fraught with complications. Oftentimes, a single script was used to establish
dependency libraries, setup load balancers and complete other necessary tasks. Also
preparing the server to host the code was a daunting task. As a result, only a few people
would be capable of understanding all the moving parts and be able to make changes, launch
updates and problem solve. A server could be down for hours while a single operations
engineer tried to sort through all the different variables to find the source of the problem.
The SDLC Waterfall Approach
Beginning in the 1990s, software development experts tried to improve the SDLC process by
relying on a waterfall approach. With this strategy, developers, QA engineers and system
administrators each had a specific role to play in the development process. If a problem
arose with the code, the admin would have to assign the task to the developers. The fix
would then have to be tested by the QA team before finally being sent back to the system
admin for deployment.
At that time, the Software Development Life cycle (SDLC) was focused on the application
layer code. Preparing the servers and deploying the applications to the server was another
skill. This added another separate area of expertise that also had the potential to introduce
bottlenecks.
In theory, this approach provided logical steps for troubleshooting. However, development
doesn’t occur in a linear pattern and it didn’t take long for new releases to throw significant
wrenches in the process. In addition, it was all too easy for different teams to blame
problems on each other, further complicating communication and collaboration. Now add

2. security concerns to the mix and you have a truly inefficient and static software
development approach.
By the early 2000s, companies had developed a more agile approach to software
development. They recognized the importance of employees with cross functionalities and
collaboration among teams. However, it still wasn’t a perfect system and it was easy for
projects to be delayed if communication fell apart. Clearly, there was still significant room
for improvement.
Cloud Computing
The introduction of cloud computing with the emergence of Amazon Web Services and the
beta version of the Google App Engine significantly changed the software development life
cycle. Cloud computing allowed users to experience on demand tools and resources that
didn’t have to be actively managed or stored on site. Virtualization also paved the way for
further automation. Suddenly, more users were able to take full advantage of technologies
without having to rely on an expert or become one themselves. This new level of
accessibility allowed for collaboration and innovation.
When cloud providers became more mature and provided API access to their backend
services, companies also started releasing infrastructure as code tools. These helped to
further support virtual machines and app services and move away from physical hardware
that would have to be manually configured and maintained. This not only helped business
cut costs, but also accelerated the software development life cycle while also working to
eliminate errors and identify security vulnerabilities.
At the same time, it became clear that microservices were necessary in order to effectively
organize software development. Essentially, this means that an application and its services
are split into smaller components that can then be deployed independently. Instead of
bundling services, microservices provide a more agile approach that can better handle many
different moving parts. This new mode of organization and deployment also required a full
stack team approach where the task boundaries are more fluid and team members can

3. contribute along the entire SDLC pipeline. A full stack team is able to work to avoid clogs
in the pipeline that can result when different people are solely responsible for specific tasks.
Eventually, the idea of DevOps emerged as a new way to significantly accelerate efficiency
while also prioritizing security. In this new model, Software Development Life Cycle (SDLC)
is not just about the application layer. With the advancement of cloud provider companies,
infrastructure is part of the SDLC as part of one unified pipeline; both the infrastructure
and application can be deployed to the cloud.
Collaboration is at the heart of DevOps. Instead of having each team tightly bound within a
certain role, everyone is involved in all aspects of the DevOps process. System admins have
the ability to write scripts, QA engineers can move beyond simply testing and so forth. This
fosters better understanding among teams while increasing productivity.
DevOps also allows enterprises to move security to the forefront. It is no longer simply
tacked onto the end of the process after loopholes have already been created and written
into the software. Integrating security into DevOps also helps support the CI/CD pipeline.
Enterprises don’t have to deal with the same bottlenecks that previously slowed innovation.
Static Code Analysis
Static code analysis is another key aspect that has contributed to the security of the DevOps
model. In the past, developers would have to design and run a program before they could
manually go through the debugging process. With static code analysis, code can be
automatically checked against a set of rules during the creation process. This significantly
accelerates the debugging process and catches problems early on when they are easier and
less expensive to fix. Static code analysis is also able to provide a more in-depth look at the
code and accurately pinpoint problems.

4. In addition, static code analysis allows security to “shift to the left.” Essentially, this means
that security and compliance issues are addressed as early in the development process as
possible. This translates into a better and more agile approach to security that is capable
of identifying emerging threats, making automatic fixes and sending alerts when suspicious
activity is detected.
Static code analysis for the application layer is here to stay and there are lots of vendors
providing automated tools to conduct static code analysis on application layer codes. But
since Infrastructure and Application are being deployed to the target cloud environment
with one pipeline, it is crucial to have the static code analysis for the IaC pipeline as well.
This ensures the infrastructure, which is being deployed to the cloud, will be secure and
provide early feedback to the infrastructure developer concerning any potential security
problems.
While static code analysis on IaC has proven to be an effective tool, it is still a new concept
to many companies. Most businesses still rely on the Pull Request (PR) approval process to
catch a security misconfiguration. However, this is prone to the errors and the unsecure
infrastructure could be deployed to the cloud, which makes a huge risk for companies who
are after zero touch deployments.
Prancer cloud validation framework is a pre-deployment validation engine that can conduct
static code analysis on your IaC. It can easily be integrated to your current pipeline and
toolset. Prancer supports native Azure ARM templates, Amazon AWS CloudFormation
templates and Google Deployment templates. Prancer also supports Terraform for all major
cloud providers for static code analysis.
IaC development teams leverage the power of git to contribute to the code. Usually the
process is to create a feature branch out of the master branch, make the changes, check
the code and raise the Pull Request. Prancer validation framework can be integrated to any
CI tool to evaluate the code at this stage and make sure it is compliant. All the predefined
policies are available in a centralized git repository. With just a few clicks you can make
sure the malicious code does not find its way into your environment. You don’t need to have
an active credential to the target environment to conduct the static code analysis on your

5. IaC templates. For example, consider a scenario where an IaC developer is writing code for
the production environment and they want to get early feedback on the code before starting
the CI process. They can utilize the power of prancer validation framework to make sure
the IaC is secure and solid before starting the deployment process.
As you can see, IaC has gone through tremendous changes in just the past few decades.
Virtualization and automation are making the SDLC more agile and accessible to all parties
involved while also making security a part of the development process and not just an
afterthought. This has allowed companies to innovate at an unprecedented pace and makes
the future of IaC and SDLC look brighter than ever.
To learn more about IaC, cloud computing and security and compliance, contact the experts
at prancer.