Accurics released the Summer 2020 edition of its “Accurics State of DevSecOps” report, which highlights emerging security challenges as organizations adopt cloud native technologies. The new research from Accurics— the only company to establish a secure posture across infrastructure as code and ensure that the posture does not drift over time—reveals that cloud breaches will likely increase in velocity and scale, and highlights steps that can be taken to mitigate them.
While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations. As cloud infrastructure becomes increasingly programmable, they believe that the most effective defense is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure. The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction.”
Among other findings, the new Accurics report reveals that:
· Misconfigured cloud storage services are commonplace in a stunning 93% of the cloud deployments analyzed, and most also have at least one network exposure where a security group is left wide open. These issues will likely increase in both velocity and scale—and they’ve already contributed to more than 200 breaches over the past two years.
· One emerging problem area is that despite the broad availability of tools like HashiCorp Vault and AWS Key Management Service (KMS), hardcoded private keys turned up in 72% of the deployments analyzed. Specifically, unprotected credentials stored in container configuration files were found in half of these deployments, which is an issue given that 84% of organizations use containers. Going one level deeper, 41% of the organizations had high privileges associated with the hardcoded keys and were used to provision compute resources; any breach involving these would expose all associated resources. Hardcoded keys have contributed to a number of cloud breaches.
· Network exposures resulting from misconfigured routing rules posed the greatest risk to all organizations. In 100% of deployments, an altered routing rule exposed a private subnet containing sensitive resources, such as databases, to the Internet.
· Automated detection of risks paired with a manual approach to resolution is creating alert fatigue, and only 6% of issues are being addressed. An emerging practice known as Remediation as Code, in which the code to resolve the issue is automatically generated, is enabling organizations to address 80% of risks.