Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.
Report Unveils Common but Dangerous Breach Paths in Cloud Deployments
August 13, 2020
Cloud breaches will likely increase in velocity and scale, according to the Summer 2020 edition of the Accurics State of DevSecOps report.
"While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations," said Accurics Co-founder & CTO, Om Moolchandani. "As cloud infrastructure becomes increasingly programmable, we believe that the most effective defense is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure. The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction."
The report also reveals:
■ Misconfigured cloud storage services are commonplace in a stunning 93% of the cloud deployments analyzed, and most also have at least one network exposure where a security group is left wide open. These issues will likely increase in both velocity and scale — and they've already contributed to more than 200 breaches over the past two years.
■ One emerging problem area is that despite the broad availability of key management, hardcoded private keys turned up in 72% of the deployments analyzed. Specifically, unprotected credentials stored in container configuration files were found in half of these deployments, which is an issue given that 84% of organizations use containers.
■ Going one level deeper, 41% of the organizations had high privileges associated with the hardcoded keys and were used to provision compute resources; any breach involving these would expose all associated resources. Hardcoded keys have contributed to a number of cloud breaches.
■ Network exposures resulting from misconfigured routing rules posed the greatest risk to all organizations. In 100% of deployments, an altered routing rule exposed a private subnet containing sensitive resources, such as databases, to the Internet.
■ Automated detection of risks paired with a manual approach to resolution is creating alert fatigue, and only 6% of issues are being addressed. An emerging practice known as Remediation as Code, in which the code to resolve the issue is automatically generated, is enabling organizations to address 80% of risks.
The solution to these issues is managing risk early in the development lifecycle.
Implementation of best practices such as encrypting databases, rotating access keys, and implementing multi-factor authentication ensures enhanced hygiene.
Automated threat modeling is also needed to determine whether changes such as privilege increases, and route changes introduce breach paths in a cloud deployment.
As organizations embrace Infrastructure as Code (IaC) to define and manage cloud-native infrastructure, codifying security into development pipelines becomes possible and can significantly reduce the attack surface before cloud infrastructure is provisioned.
Industry News
December 17, 2024
Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.
December 17, 2024
Kindo formally launched its channel partner program.
December 16, 2024
Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.
December 16, 2024
Fastly announced the general availability of Fastly AI Accelerator.
December 12, 2024
Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.
December 12, 2024
vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.
December 11, 2024
Check Point® Software Technologies Ltd. announced that Infinity XDR/XPR achieved a 100% detection rate in the rigorous 2024 MITRE ATT&CK® Evaluations.
December 11, 2024
CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.
December 11, 2024
Grid Dynamics announced the launch of its developer portal.
December 10, 2024
LTIMindtree announced a strategic partnership with GitHub.
December 10, 2024
Solace announced the addition of micro-integrations to its event-driven integration and streaming platform, Solace PubSub+ Platform.
December 10, 2024
GitGuardian has unveiled its NHI Security strategy, a transformative approach to securing the explosive growth of NHIs and the secrets they depend on.
December 09, 2024
Linkerd announced the release of Linkerd 2.17, a new version of Linkerd that introduces several major new features to the project: egress traffic visibility and control; rate limiting; and federated services, a powerful new multicluster primitive that combines services running in multiple clusters into a single logical service.
December 05, 2024
Amazon Web Services (AWS) announced new capabilities for Amazon Q Developer, a generative AI assistant for software development, that take the undifferentiated heavy-lifting out of complex and time-consuming application migration and modernization projects, saving customers and partners time and money.
