In previous chapters, I alluded to the importance of securing infrastructure as code and checking its conformance with your organization's security and compliance requirements. Often, you don't check these requirements until late in your engineering process. By that point, you may have already deployed an insecure configuration or violated a compliance requirement about data privacy!
For example, imagine you work for a retail company called uDress. Your team has six months to build a new frontend application on GCP, and the company needs it available by the holiday season. Your team works very hard and develops enough functionality to go live. However, a month before you deploy and test the new application, the compliance and security team performs an audit, and you fail.
Now you have new items in your backlog to fix the security and compliance issues and adhere to company policy. Unfortunately, these fixes delay your delivery timeline or, at worst, break functionality. You might wish you had known about these requirements from the very beginning, at least so you could have planned for them!