Mark Twain once said, “It’s not what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” In cybersecurity, few assumptions are more dangerous than believing infrastructure is secure simply because it was deployed successfully. The reality is that many breaches don’t stem from sophisticated zero-day exploits. They often result from misconfigurations, exposed secrets, and human errors introduced through code.
This post explores how code review, especially Infrastructure as Code (IaC), has become a practical and impactful way to strengthen security posture. It helps identify vulnerabilities before they escalate, supports a culture of accountability, and contributes to reducing standing human access to production systems.
The $4.88 Million Question
Let's start with a number: $4.88 million. That is the average global cost of a data breach, according to IBM's Cost of a Data Breach Report 2024, a 10 percent increase from the prior year and the largest single-year jump since the pandemic. Notably, misconfigurations and exposed credentials remain among the most common root causes of breaches.
Now consider how many of those issues might have been identified with a second set of eyes.
Code review is not limited to catching typos or enforcing style guides. It plays a critical role in identifying the types of mistakes that attackers exploit—hard-coded secrets, overly permissive IAM roles, and logic flaws that introduce risk. It also reinforces a shared responsibility for security across teams, not just security leadership.
The Security Economics of Code Review
Fixing a bug in production is like trying to patch a leaky boat in the middle of a storm. It is expensive, disruptive, and often too late. Fixing that same bug during code review? That is like plugging the hole while the boat is still in dry dock.
Research from NIST has found that catching vulnerabilities early, during code review or testing, is up to 30 times more cost-effective than addressing them after deployment, with security-specific defects potentially costing even more to remediate once they reach production. The benefits extend beyond cost, influencing time-to-resolution, organizational trust, and reputational resilience.
A well-structured code review process can help identify:
Code review also creates a valuable audit trail. Each change is documented, each decision is traceable, and each deployment is supported by a record of who approved what and why.
Building a Security-Focused Code Review Process for Infrastructure as Code
Infrastructure as Code is powerful, but it is also unforgiving. A single line of Terraform or Bicep can expose a subnet to the internet or grant administrative access to a service principal. For this reason, code review for IaC is a critical safeguard.
Start with automation. Microsoft offers a robust suite of tools to help secure Infrastructure as Code from the first line of configuration. Defender for DevOps integrates directly with Azure DevOps and GitHub to provide security insights during the development lifecycle, including scanning Infrastructure as Code templates for misconfigurations and policy violations. For teams working primarily in GitHub, GitHub Advanced Security extends this further with code scanning, secret scanning, and dependency review built directly into the pull request workflow, with findings surfacing in Defender for Cloud alongside your Azure DevOps results. Complement this with tools like the Bicep linter and ARM template analyzer to enforce syntax and best practices, and use Azure Policy to validate deployments against organizational standards. For Terraform-based workflows, Microsoft Defender for Cloud can assess resource configurations against security baselines. These tools can be embedded into CI/CD pipelines to provide immediate feedback during pull requests, helping teams identify issues such as overly permissive IAM roles, unencrypted storage, or missing tags before deployment.
Automation is important, but human reviewers bring context and judgment. They can ask questions like, “Why does this resource need to be public?” or “Is this role scoped too broadly?” They can spot architectural issues, validate naming conventions, and help confirm that changes align with organizational policy.
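To make the automated side of this concrete, here is an added example (not from the original post or any Microsoft tool) of a pipeline check that reads the JSON produced by `terraform show -json` and flags two of the issues named above: inbound network security rules open to any source, and broad built-in roles assigned at subscription or management-group scope. The plan excerpt is constructed for illustration; the attribute names are those of the azurerm provider, and the role list and "any source" prefixes are assumptions you would tune to your own policy.

```python
import json

# Constructed excerpt shaped like `terraform show -json tfplan` output; not a real plan.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_network_security_rule.ssh", "type": "azurerm_network_security_rule",
     "change": {"actions": ["create"], "after": {
         "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
         "source_address_prefix": "*", "destination_port_range": "22"}}},
    {"address": "azurerm_network_security_rule.https", "type": "azurerm_network_security_rule",
     "change": {"actions": ["create"], "after": {
         "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
         "source_address_prefix": "10.0.0.0/16", "destination_port_range": "443"}}},
    {"address": "azurerm_role_assignment.ci", "type": "azurerm_role_assignment",
     "change": {"actions": ["create"], "after": {
         "role_definition_name": "Owner",
         "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}}},
    {"address": "azurerm_role_assignment.old", "type": "azurerm_role_assignment",
     "change": {"actions": ["delete"], "after": None}},
]})

# Assumed policy values: prefixes that mean "anyone" and roles too broad for wide scopes.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def review_plan(plan_json: str) -> list[tuple[str, str]]:
    """Return (resource address, reason) pairs a reviewer should look at."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        after = change.get("after") or {}  # None on pure deletes
        if "create" not in change["actions"] and "update" not in change["actions"]:
            continue  # a delete cannot widen exposure
        if rc["type"] == "azurerm_network_security_rule":
            if (after.get("direction") == "Inbound" and after.get("access") == "Allow"
                    and after.get("source_address_prefix") in ANY_SOURCE):
                findings.append((rc["address"],
                                 f"inbound port {after.get('destination_port_range')} open to any source"))
        elif rc["type"] == "azurerm_role_assignment":
            scope = after.get("scope", "")
            # No /resourceGroups/ segment means subscription or management-group scope.
            if after.get("role_definition_name") in BROAD_ROLES and "/resourcegroups/" not in scope.lower():
                findings.append((rc["address"], f"{after['role_definition_name']} granted above resource-group scope"))
    return findings


if __name__ == "__main__":
    for address, reason in review_plan(SAMPLE_PLAN):
        print(f"REVIEW: {address}: {reason}")
```

In a pipeline, a non-empty result would fail the pull request check and post the findings as review comments, leaving the human reviewer to decide whether the exposure is justified.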
To support this process:
This approach does not need to slow development. With the right tooling and culture, code review can be a fast, collaborative process. For urgent fixes, establish a “break-glass” workflow that allows for expedited review and deployment, followed by a post-incident review.
Expected Impact
Adopting structured code review for Infrastructure as Code may lead to improvements such as:
Code review can evolve into more than a gate. It can serve as a teaching tool, a compliance mechanism, and a cultural norm.
Laying the Foundation for Zero Standing Access
This post is the first in a series exploring how Azure DevOps and Terraform can support the reduction of standing human access to production. Code review is foundational. It helps confirm that each infrastructure change is reviewed, tested, and documented before deployment.
In the next post, we will explore how automated pipelines enforce these reviews and become the primary method for deploying infrastructure. In the final post, we will examine how Terraform’s state file provides evidence that unauthorized changes can be detected and addressed.
Key Takeaways
As Twain might say, “Do the right thing. It will gratify some people and astonish the rest.” In cybersecurity, the right thing often starts with reading the code carefully, critically, and together.