Most teams treat security as something you bolt onto infrastructure after it's built. This talk makes the case from research and production experience, that security validation belongs inside the IaC pipeline from day one. Drawing from doctoral research on automating security integration in the SDLC and from deploying infrastructure across AWS environments in healthcare and financial services under HIPAA, SOX, and FDIC requirements simultaneously, this session walks through the architectural patterns that make security-as-code practical rather than aspirational. Real lessons, real failures, and what actually works in regulated AWS environments.
Key takeaways:
Why security-as-code fails when treated as a checklist rather than an architectural input. The IaC patterns that survive compliance audits in regulated industries. What automating compliance validation taught me that no certification course covers.