TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
 
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
NEW! Try Stackie AI
Cloud Native Ecosystem Containers Databases Edge Computing Infrastructure as Code Linux Microservices Open Source Networking Storage
3 Factors Many Platform Engineers Still Get Wrong
May 27th 2025 8:00am, by Doug Sillars
Cloud Realities Are Slowing AI Ambitions
May 23rd 2025 4:18pm, by Mike Hicks
Red Hat's AI Platform Now Has an AI Inference Server
May 21st 2025 12:00pm, by Steven J. Vaughan-Nichols
6 IaC Tips for Cloud Practitioners
May 21st 2025 9:00am, by Ido Neeman
How To Accelerate Edge Application Deployment at Scale
May 20th 2025 1:30pm, by Alexsander Petrenko
Future-Proofing AI: Repeating Mistakes or Learning From the Past?
Jun 3rd 2025 7:00am, by Alex Zenla
How To Fill the Open Source Cracks in Your Container Foundation
Jun 2nd 2025 9:00am, by Vicki Walker
WizOS: A New Enterprise Linux Built on Alpine’s Secure Foundation
Jun 2nd 2025 6:00am, by Steven J. Vaughan-Nichols
Docker’s Best-Kept Secret: How Observability Saves Developers’ Sanity
May 31st 2025 10:00am, by Aditya Gupta
Build GenAI Applications Locally With Docker Model Runner
May 23rd 2025 6:00am, by Janakiram MSV
The Power of TIG Stack: Mastering Time Series Data Management
Jun 3rd 2025 9:00am, by Anais Dotis-Georgiou
Enterprise AI Success Demands Real-Time Data Platforms
Jun 2nd 2025 7:00am, by Tim Rottach
TanStack Adds Database, WordPress Creates AI Team
May 31st 2025 5:00am, by Loraine Lawson
Top 4 Observability Risks
May 30th 2025 9:10am, by Abby Ross
PostgreSQL 18 Delivers Significant Performance Gains for OLTP and Analytics
May 28th 2025 6:00am, by Jelani Harper
Why Devs Must Rethink Their Role in Modern CDNs and the Edge
Jun 4th 2025 7:02am, by Richard MacManus
How To Accelerate Edge Application Deployment at Scale
May 20th 2025 1:30pm, by Alexsander Petrenko
How to Use AI to Detect PPE Compliance in Edge Environments
May 13th 2025 7:00am, by Sathiyadev Thangaswamy
Remote MCP Servers: Inevitable, Not Easy
May 12th 2025 12:00pm, by Michael Field
Q&A: Nutanix CEO Rajiv Ramaswami on the Cloud Native Enterprise
May 12th 2025 7:00am, by Joab Jackson
Why CI/CD Alone Won’t Cut It for Infrastructure as Code
May 29th 2025 10:00am, by Marcin Wyszynski
The AI Code Generation Problem Nobody's Talking About
May 29th 2025 8:00am, by Michelle Gienow
Red Hat Ansible and HashiCorp Terraform Will Be Coming Together
May 28th 2025 7:00am, by Steven J. Vaughan-Nichols
6 IaC Tips for Cloud Practitioners
May 21st 2025 9:00am, by Ido Neeman
IaC Is Too Complicated. Where’s That ‘Easy Button’?
May 19th 2025 6:06am, by Vicki Walker
WizOS: A New Enterprise Linux Built on Alpine’s Secure Foundation
Jun 2nd 2025 6:00am, by Steven J. Vaughan-Nichols
OpenSUSE Tumbleweed: A Powerhouse, Rock-Solid Linux Desktop Distro
May 31st 2025 6:00am, by Jack Wallen
Red Hat Goes All in on AI-Powered Lightspeed System Admin Tools 
May 30th 2025 6:00am, by Steven J. Vaughan-Nichols
Linux Kernel 6.15 Boosts Virtualization, GPU, and CPU Performance
May 29th 2025 5:00am, by Damon M. Garn
Ubuntu Budgie 25.04: One of the Best Desktops on the Market
May 24th 2025 8:00am, by Jack Wallen
Reimagining Environments for Cloud Native Architectures
May 19th 2025 11:00am, by Arjun Iyer
Why Microservice Environments Break: Lack of Unification
May 12th 2025 6:07am, by Anirudh Ramanathan
Why Coordinating Microservice Changes Is Still a Mess
Apr 24th 2025 10:00am, by Anirudh Ramanathan
How to Implement the Saga Architectural Pattern in Microservices
Apr 21st 2025 6:28am, by Zziwa Raymond Ian
Scale Microservices Testing Without Duplicating Environments
Apr 15th 2025 9:00am, by Arjun Iyer
AI Agents Let Developers Kiss These 4 Chores Goodbye
May 30th 2025 7:40am, by Loraine Lawson
PostgreSQL 18 Delivers Significant Performance Gains for OLTP and Analytics
May 28th 2025 6:00am, by Jelani Harper
How Java Sparked an Open Source Revolution 30 Years Ago
May 27th 2025 4:00pm, by Darryl K. Taft
Open Source KubeVirt: VM Management With Kubernetes Is a Work in Progress
May 27th 2025 12:16pm, by B. Cameron Gain
Traceloop Launches an Observability Platform for LLM-Based Apps
May 27th 2025 8:30am, by Frederic Lardinois
Why Devs Must Rethink Their Role in Modern CDNs and the Edge
Jun 4th 2025 7:02am, by Richard MacManus
Companies Must Embrace Bespoke AI Designed for IT Workflows
May 23rd 2025 10:00am, by Ramprakash Ramamoorthy
CNCF and Synadia Reach an Agreement on NATS
May 5th 2025 7:33am, by Steven J. Vaughan-Nichols
Gateway API or Ingress: A Developer’s Guide to Kubernetes Routing
May 2nd 2025 6:00am, by Janakiram MSV
Synadia Attempts To Reclaim NATS Trademark Back From CNCF
Apr 29th 2025 8:00am, by Steven J. Vaughan-Nichols
Why Streaming Is the Power Grid for AI-Native Data Platforms
Jun 2nd 2025 11:00am, by Tyler Rockwood
Modernization: Storage Strategies for the Cloud Era
May 28th 2025 1:00pm, by Carol Platz
Nutanix Unveils Major Platform Expansions at .NEXT 2025
May 8th 2025 12:00pm, by Chris J. Preimesberger
Eliminate Application Timeouts With Software-Defined Storage
May 8th 2025 9:00am, by Carol Platz
Kafka Tiered Storage: Store More, But Pay Less
May 7th 2025 2:00pm, by Anil Inamdar
AI AI Engineering API Management Backend development Data Frontend Development Large Language Models Security Software Development WebAssembly
FinOps Foundation Launches New FinOps for AI Certification
Jun 4th 2025 6:13am, by
A Chief AI Officer Won't Fix Your AI Problems
Jun 3rd 2025 1:00pm, by
Dream 7B: A Powerful and Open Diffusion Language Model
Jun 3rd 2025 10:00am, by
OpenAI’s Sam Altman: AI Is Now Ready for the Enterprise
Jun 3rd 2025 8:25am, by
Future-Proofing AI: Repeating Mistakes or Learning From the Past?
Jun 3rd 2025 7:00am, by
Future-Proofing AI: Repeating Mistakes or Learning From the Past?
Jun 3rd 2025 7:00am, by
Snowflake Streamlines Data Analysis for Enterprise AI
Jun 3rd 2025 6:00am, by
Microsoft Targets AI 'Holy Grail' With Windows ML 2.0
May 31st 2025 9:00am, by
Claude Opus 4 With Claude Code: A Developer Walkthrough
May 31st 2025 8:00am, by
AI Agents Let Developers Kiss These 4 Chores Goodbye
May 30th 2025 7:40am, by
How to Use Docusign APIs to Embed Custom Document Signing in an App
May 28th 2025 2:00pm, by
Boomi Delivers Agentstudio for AI Agent Development
May 22nd 2025 4:00pm, by
Beyond API Uptime: Modern Metrics That Matter
May 22nd 2025 6:17am, by
5 'Cheat Codes' for Building Better APIs
May 21st 2025 8:00am, by
Why APIs Are Essential and MCP Is Optional (for Now)
May 8th 2025 8:00am, by
Next.js Deployment Spec Simplifies Frontend Hosting
May 6th 2025 12:00pm, by
A Practical Guide To Building a RAG-Powered Chatbot
May 5th 2025 12:00pm, by
JavaScript's Missing Link: Wasp Offers Full Stack Solution
Mar 26th 2025 2:00pm, by
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by
Apollo: GraphQL Now Connects to REST APIs With Little Fuss
Mar 11th 2025 7:30am, by
The Power of TIG Stack: Mastering Time Series Data Management
Jun 3rd 2025 9:00am, by
Snowflake Streamlines Data Analysis for Enterprise AI
Jun 3rd 2025 6:00am, by
Why Streaming Is the Power Grid for AI-Native Data Platforms
Jun 2nd 2025 11:00am, by
Can OpenSearch Shut Down Those Bad Vector Search Results? 
May 30th 2025 10:56am, by
Top 4 Observability Risks
May 30th 2025 9:10am, by
Why Devs Must Rethink Their Role in Modern CDNs and the Edge
Jun 4th 2025 7:02am, by
TanStack Adds Database, WordPress Creates AI Team
May 31st 2025 5:00am, by
When To Use Progressive Web Apps and When To Go Native
May 29th 2025 2:00pm, by
Empowering IT Teams Through Seamless UI and AI Agents
May 27th 2025 6:00am, by
How to Build Multistep Forms in React
May 22nd 2025 12:00pm, by
Dream 7B: A Powerful and Open Diffusion Language Model
Jun 3rd 2025 10:00am, by
Claude Opus 4 With Claude Code: A Developer Walkthrough
May 31st 2025 8:00am, by
TanStack Adds Database, WordPress Creates AI Team
May 31st 2025 5:00am, by
New Tools Help LLM Developers Choose Better Pre-Training Data
May 29th 2025 9:00am, by
Self-Aware AI: Building Adaptive LLM Decision Agents
May 29th 2025 7:00am, by
How To Fill the Open Source Cracks in Your Container Foundation
Jun 2nd 2025 9:00am, by
WizOS: A New Enterprise Linux Built on Alpine’s Secure Foundation
Jun 2nd 2025 6:00am, by
What HAL 9000 Teaches Us About AI-Driven Authorization
May 30th 2025 12:00pm, by
Linux Kernel 6.15 Boosts Virtualization, GPU, and CPU Performance
May 29th 2025 5:00am, by
Security Firm Snyk Tackles AI Coding's Perfect Storm
May 28th 2025 10:06am, by
What Is Output Formatting in Python and How Do You Do It?
Jun 2nd 2025 3:00pm, by
Scratch That Itch for Young Developers
Jun 1st 2025 6:01am, by
Microsoft Targets AI 'Holy Grail' With Windows ML 2.0
May 31st 2025 9:00am, by
Claude Opus 4 With Claude Code: A Developer Walkthrough
May 31st 2025 8:00am, by
Google Study: 65% of Developer Time Wasted Without Platforms
May 30th 2025 3:00pm, by
The State of JavaScript Debugging in WebAssembly
May 19th 2025 1:30pm, by
Build Edge Native Apps With WebAssembly
May 7th 2025 8:00am, by
GraalVM (Finally) Gets Java for WebAssembly
Apr 22nd 2025 4:00pm, by
Hyperlight Wasm: Azure Goes the Final Wasi Mile
Apr 3rd 2025 9:00am, by
Endor: WebAssembly-Based Server in the Browser
Mar 29th 2025 1:00pm, by
AI Operations CI/CD Cloud Services DevOps Kubernetes Observability Operations Platform Engineering
Why Streaming Is the Power Grid for AI-Native Data Platforms
Jun 2nd 2025 11:00am, by Tyler Rockwood
Time Series Forecasting: An Open Source, No-Code Solution
May 27th 2025 8:00am, by Anais Dotis Georgiou
AI Is Quickly Making IT Teams and Developers From Invisible to Indispensable
May 23rd 2025 11:00am, by Neil McRae
Developers Can Now ‘Uber’ GPUs With NVIDIA’s Lepton Platform
May 20th 2025 11:30am, by Agam Shah
SAP Unveils New AI Tools for Developers
May 20th 2025 7:20am, by Loraine Lawson
Why 90% of Microservices Still Ship Like Monoliths
Jun 3rd 2025 8:00am, by Arjun Iyer
Why CI/CD Alone Won’t Cut It for Infrastructure as Code
May 29th 2025 10:00am, by Marcin Wyszynski
Why Mobile App Reliability Is So Complicated
May 28th 2025 8:00am, by Virna Sekuj
Build an AI Chat Assistant With Stream and OpenAI
May 23rd 2025 12:00pm, by Danny Adams
CodeRabbit's AI Code Reviews Now Live Free in VS Code, Cursor
May 22nd 2025 1:00pm, by Darryl K. Taft
SAP Simplifies ERP Data Access for Developers
May 28th 2025 5:00pm, by Loraine Lawson
AWS Revives and Updates Its Customer Carbon Footprint Tool
May 28th 2025 11:00am, by Charles Humble
Cloud Realities Are Slowing AI Ambitions
May 23rd 2025 4:18pm, by Mike Hicks
Clouds, Code, and Control: The New Open Source Power Struggle
May 22nd 2025 10:10am, by Dawn Foster
Running AI Workloads Responsibly in the Cloud
May 14th 2025 11:00am, by Sam Prakash Bheri
A Chief AI Officer Won't Fix Your AI Problems
Jun 3rd 2025 1:00pm, by Rohit Choudhary
Red Hat Ansible and HashiCorp Terraform Will Be Coming Together
May 28th 2025 7:00am, by Steven J. Vaughan-Nichols
AI Is Quickly Making IT Teams and Developers From Invisible to Indispensable
May 23rd 2025 11:00am, by Neil McRae
IaC Is Too Complicated. Where’s That ‘Easy Button’?
May 19th 2025 6:06am, by Vicki Walker
Keeping Up With AI: The Painful New Mandate for Software Engineers
May 16th 2025 11:15am, by Manjunath Bhat
Kubernetes vs. Docker Compose: Which Orchestration Tool Should You Choose?
Jun 3rd 2025 4:00am, by Sunny Yadav
From YAML to Platforms: The Kubernetes Deployment Journey
May 29th 2025 11:00am, by Bhushan Nemade
Open Source KubeVirt: VM Management With Kubernetes Is a Work in Progress
May 27th 2025 12:16pm, by B. Cameron Gain
How To Remove a Deployment in Kubernetes: Methods, Steps and Tools
May 22nd 2025 5:00am, by Sunny Yadav
OrbStack: A Deep Dive for Container and Kubernetes Development
May 16th 2025 6:00am, by Janakiram MSV
Zymtrace Launches End-to-End GPU and CPU Observability
Jun 3rd 2025 11:00am, by Charles Humble
Bridging the Gap Between Monitoring and Incident Resolution
Jun 2nd 2025 8:00am, by Cristina Dias
Docker’s Best-Kept Secret: How Observability Saves Developers’ Sanity
May 31st 2025 10:00am, by Aditya Gupta
Can OpenSearch Shut Down Those Bad Vector Search Results? 
May 30th 2025 10:56am, by B. Cameron Gain
Fluent Bit, a Specialized Event Capture and Distribution Tool
May 30th 2025 10:00am, by Phil Wilkins
Aptori Is Building an Agentic AI Security Engineer
Jun 3rd 2025 12:00pm, by Frederic Lardinois
Zymtrace Launches End-to-End GPU and CPU Observability
Jun 3rd 2025 11:00am, by Charles Humble
Bridging the Gap Between Monitoring and Incident Resolution
Jun 2nd 2025 8:00am, by Cristina Dias
Fluent Bit, a Specialized Event Capture and Distribution Tool
May 30th 2025 10:00am, by Phil Wilkins
Red Hat Goes All in on AI-Powered Lightspeed System Admin Tools 
May 30th 2025 6:00am, by Steven J. Vaughan-Nichols
Google Study: 65% of Developer Time Wasted Without Platforms
May 30th 2025 3:00pm, by Todd R. Weiss
Fluent Bit, a Specialized Event Capture and Distribution Tool
May 30th 2025 10:00am, by Phil Wilkins
3 Factors Many Platform Engineers Still Get Wrong
May 27th 2025 8:00am, by Doug Sillars
To Fix Platform Engineering, Build What Users Actually Want
May 18th 2025 10:00am, by Shweta Vohra
Building Trust in AI-Driven QA: Ensuring Transparency and Explainability With GenAI
May 16th 2025 5:00am, by Saqib Jan
C++ Developer tools Go Java JavaScript Programming Languages Python Rust TypeScript
How to Build Multistep Forms in React
May 22nd 2025 12:00pm, by Vinod Pal
EngFlow Makes C++ Builds 21x Faster and Software a Lot Safer
Apr 3rd 2025 3:00pm, by Darryl K. Taft
Memory-Safe C: TrapC's Pitch to the C ISO Working Group
Mar 12th 2025 7:00am, by David Cassel
Bjarne Stroustrup on How He Sees C++ Evolving
Mar 7th 2025 6:00am, by David Cassel
Curl's Daniel Stenberg on Securing 180,000 Lines of C Code
Feb 23rd 2025 6:00am, by David Cassel
The AI Code Generation Problem Nobody's Talking About
May 29th 2025 8:00am, by Michelle Gienow
How to Use Docusign APIs to Embed Custom Document Signing in an App
May 28th 2025 2:00pm, by Karissa Jacobsen
The New Bottleneck: AI That Codes Faster Than Humans Can Review
May 27th 2025 11:00am, by Michelle Gienow
Exploring the JetBrains AI Assistant for Visual Studio Code
May 24th 2025 7:00am, by David Eastman
CodeRabbit's AI Code Reviews Now Live Free in VS Code, Cursor
May 22nd 2025 1:00pm, by Darryl K. Taft
Prepare Your Mac for Go Development
Apr 12th 2025 7:00am, by Damon M. Garn
Pagoda: A Web Development Starter Kit for Go Programmers
Mar 19th 2025 6:10am, by Loraine Lawson
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Go Power: Microsoft's Bold Bet on Faster TypeScript Tools
Mar 12th 2025 1:00pm, by Darryl K. Taft and Loraine Lawson
Introduction to Go Programming Language
Jan 17th 2025 9:00am, by TNS Staff
How Java Sparked an Open Source Revolution 30 Years Ago
May 27th 2025 4:00pm, by Darryl K. Taft
Azul CTO: Java at 30 Still Rules Enterprise Dev
May 23rd 2025 1:00pm, by Darryl K. Taft
Dead Code Detection Just Got Easier for Java Developers
May 15th 2025 5:00pm, by Darryl K. Taft
Java at 30: The Genius Behind the Code That Changed Tech
May 15th 2025 9:00am, by Darryl K. Taft
GraalVM (Finally) Gets Java for WebAssembly
Apr 22nd 2025 4:00pm, by B. Cameron Gain
How to Use Docusign APIs to Embed Custom Document Signing in an App
May 28th 2025 2:00pm, by Karissa Jacobsen
The State of JavaScript Debugging in WebAssembly
May 19th 2025 1:30pm, by B. Cameron Gain
Does LLM Write Performant Code? Study Says No
May 17th 2025 5:00am, by Loraine Lawson
Build a Real-Time Voting App With Stream Chat and Next.js
May 14th 2025 7:00am, by Ankur Tyagi
Svelte Adds Asynchronous Sync Inside Components
May 10th 2025 7:00am, by Loraine Lawson
What Is Output Formatting in Python and How Do You Do It?
Jun 2nd 2025 3:00pm, by Jack Wallen
How Java Sparked an Open Source Revolution 30 Years Ago
May 27th 2025 4:00pm, by Darryl K. Taft
Azul CTO: Java at 30 Still Rules Enterprise Dev
May 23rd 2025 1:00pm, by Darryl K. Taft
How to Build Multistep Forms in React
May 22nd 2025 12:00pm, by Vinod Pal
Java at 30: The Genius Behind the Code That Changed Tech
May 15th 2025 9:00am, by Darryl K. Taft
What Is Output Formatting in Python and How Do You Do It?
Jun 2nd 2025 3:00pm, by Jack Wallen
Time Series Forecasting: An Open Source, No-Code Solution
May 27th 2025 8:00am, by Anais Dotis Georgiou
Python Pandas Ditches NumPy for Speedier PyArrow
May 27th 2025 7:00am, by Joab Jackson
Python's Security Savior: Chainguard Battles Supply Chain Risk
May 14th 2025 9:00am, by Darryl K. Taft
Python's Open Source DNA Powers Anaconda's New AI Platform
May 13th 2025 4:00pm, by Jeffrey Burt
Microsoft TypeScript Devs Explain Why They Chose Go Over Rust, C#
Mar 18th 2025 7:00am, by David Cassel
Go Power: Microsoft's Bold Bet on Faster TypeScript Tools
Mar 12th 2025 1:00pm, by Darryl K. Taft and Loraine Lawson
Oracle Won’t Release ‘JavaScript’ Without a Fight
Jan 11th 2025 5:00am, by Loraine Lawson
The Year in JavaScript: Top JS News Stories of 2024
Dec 27th 2024 6:30am, by Loraine Lawson
How OOP Developers Can Get To Know TypeScript Through Deno
Oct 19th 2024 8:00am, by David Eastman
Cloud Services / Operations / Security

Why You No Longer Need Cloud Security Posture Management

CSPMs are proving to be great for surfacing issues, but addressing them through Infrastructure as Code is where the real power lies.
Oct 29th, 2024 9:15am by
Featued image for: Why You No Longer Need Cloud Security Posture Management
Image from Aree_S on Shutterstock.

While cloud security posture management (CSPM) tools are everywhere, they are not the right solution for a secure cloud.

Getting your cloud infrastructure under control starts with Infrastructure as Code (IaC). Security best practices and cloud configuration management aren’t just about scanning for vulnerabilities or misconfigurations; they are about establishing a sustainable, scalable and secure cloud environment from the ground up.

Traditional tools like cloud native application protection platforms (CNAPP) and CSPM have played a significant role in optimizing cloud configurations and scanning for security best practices. The cloud security companies behind these platforms have been pioneers in this space, helping organizations identify issues like publicly accessible S3 buckets or identity and access management (IAM) roles without multifactor authentication (MFA), and other known cloud pitfalls and misconfigurations that expose your cloud and organization to unnecessary risk.

However, as cloud environments become more complex, CSPMs are proving to be great for surfacing these issues, but addressing them through IaC is where the real power lies. Eventually, scanning for vulnerabilities is not the goal — it’s the means to keeping our cloud secure and governed. Which means we need to make sure we don’t enslave the entire platform engineering team to chasing security tickets from the scanner’s output.

Imagine all your cloud configurations — from MFA-enforced IAM roles to automated key rotations — being managed through IaC. Not only are they configured securely today, but any changes made in the future will be validated against the same security best practices before deployment. This is what gives you true control over your cloud security. And this is just one example.

If you don’t fix security issues in IaC, the fixes won’t last. Your changes will create drifts, they will not be documented or immutable, and they will be out of scope for testing. The crux of the problem remains in security teams’ dependency on platform teams to generate the IaC, and that’s where automation tools like Firefly help achieve this automatically. The future of cloud security lies in IaC, which is the backbone to ensuring consistency, security and efficiency in dynamic cloud environments.

Why CSPMs Became Popular

In the early stages of cloud adoption, organizations faced a significant challenge: managing and securing a rapidly expanding and complex cloud environment. Traditional security tools weren’t designed to handle the dynamic nature of cloud infrastructure, leading to a gap that needed to be filled. This is where CSPM solutions came into play.

CSPMs became popular for several reasons:

  • Visibility into cloud assets: They provided organizations with much-needed visibility into their cloud resources, configurations and potential vulnerabilities.
  • Automated misconfiguration detection: CSPMs could automatically scan cloud environments to identify misconfigurations, such as publicly accessible S3 buckets or IAM roles without MFA.
  • Compliance assurance: They helped ensure that cloud configurations adhered to industry standards and regulatory requirements by continuously monitoring and reporting compliance status.
  • Risk mitigation: By identifying security gaps early, CSPMs allowed organizations to address issues before they could be exploited by malicious actors.

These tools were essential at a time when the rapid pace of cloud adoption outstripped the ability of organizations to manage security manually. CSPMs filled a critical need by providing automated scanning and reporting capabilities that were otherwise lacking.

This, however, raises a pertinent question. We’ve been using CSPMs for almost a decade now, yet we still have so many vulnerabilities, misconfigurations and alerts being thrown non-stop. Why is that? Because, we aren’t treating the root problem.

The cloud is so complex and built on so many moving parts that security simply can’t be treated only after the fact. We need to establish a secure baseline, with “golden images” of proper architecture and high security standards before deployment and as a shared responsibility of the entire engineering team. We also need to enforce changes to the cloud when it doesn’t meet those criteria. After a secure baseline is established, it’s then possible to closely monitor for drift, and then also quickly remediate it.

The Shift Toward IaC and Policy as Code

As cloud technology matured, so did the strategies for managing it. Organizations began to recognize the limitations of relying solely on CSPMs — particularly, the reactive nature of detecting and remediating issues after deployment. This realization sparked a shift toward infrastructure and policy as code.

By governing cloud infrastructure through code, organizations can prevent and mitigate misconfigurations, drift, ghost assets and more, rather than just detect them. This shift reduces the overhead associated with managing and remediating issues identified by CSPMs.

The Power of IaC

We speak about the power of everything-as-code tirelessly, as we truly believe the “*-as-code” revolution has affected and evolved every single engineering domain, from the systems themselves to how they are secured, scaled and governed.

Just to reiterate the benefits, IaC governs your entire cloud infrastructure through version control, deriving all the same benefits it has brought to other engineering domains.

In the context of security, this includes:

  • Consistent configurations: All deployments follow predefined security best practices.
  • Automated deployments: Changes are made through CI/CD pipelines, reducing the risk of human error.
  • Controlled changes: Unauthorized manual deployments or changes via CLI are minimized.
  • Drift detection: It’s easier to monitor and rectify configuration drift or unmanaged resources.

When you manage your cloud through code, every change is deliberate and traceable. Security checks become an integral part of your deployment pipeline, ensuring that only compliant configurations make it to production.

The Reality of Cloud Deployments

Even the most secure CI/CD pipelines can’t prevent all risks. Manual interventions, command-line changes, or actions by external contractors can introduce vulnerabilities. These changes often bypass standard security checks, leading to a contaminated cloud environment.

IaC addresses this by enforcing strict governance. Since all changes must go through code reviews and automated pipelines, the chances of unauthorized modifications diminish significantly. This not only enhances security but also improves overall operational efficiency.

Moving Beyond Scanning

Simply scanning for misconfigurations is an outdated approach. A decade ago, it was innovative, but today’s cloud environments require proactive measures. CSPM tools add layers of complexity — from having to manage the tool itself, to interpreting the findings, prioritizing the many issues they output, and then, hopefully, manually fixing them.

With IaC, you eliminate many of these steps. Security is baked into your infrastructure from the start. Instead of reacting to problems, you’re preventing them from occurring in the first place.

Injecting CSPM Functionality Into Cloud Asset Management 

As organizations strive for more efficient and integrated approaches to cloud security and governance, cloud asset management is emerging as a core solution. These platforms extend the capabilities of IaC by not only managing and provisioning resources but also by codifying existing assets, detecting drift and misconfigurations, and identifying ghost or unmanaged assets within the cloud environment.

Platforms like Firefly operate by scanning your cloud infrastructure to discover all assets, including those that may have been created outside of your standard IaC pipelines — often referred to as “shadow IT.” Once these assets are identified, the platform codifies them into your IaC framework, bringing them under the same governance and management processes as your existing codebase. This codification ensures that all resources, regardless of their origin, are now managed as code.

By integrating these unmanaged assets into your IaC practices, these platforms enable continuous detection of drift — the divergence between the desired state defined in your code and the actual state in the cloud. They alert you to any unauthorized changes or misconfigurations, allowing for prompt remediation through your established IaC pipelines. This continuous monitoring and enforcement help maintain compliance with security policies and regulatory standards.

TRENDING STORIES
Created with Sketch.
Ido Neeman is CEO and co-founder of Firefly, and the former CEO and co-founder of Nuweba, the fast and secure serverless platform. To the diversity of roles he has held, he brings more than a decade's experience in the elite...
Read more from Ido Neeman
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Simply.
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.