According to the company, the September 2019 breach at CenturyLink that exposed 2.8 million customer records; the August 2019 breach at Imperva that exposed a database snapshot containing emails, hashed, and salted passwords; and the July 2019 breach at Capital One that affected 100 million US residents were the result of attacks that exploited at least one of those issues.
"Policy as code should be implemented to ensure that obvious best practices are employed such as encrypting databases, rotating access keys, and implementing multi-factor authentication," Accurics said. "However, automated threat modeling is also necessary to determine if changes such as privilege increase and route changes create breach paths in a cloud deployment. As a result, organizations must augment policy as code with security as code when infrastructure is defined during development (infrastructure as code)."
According to Om Moolchandani, CTO of Accurics, a new practice called “remediation as code” is emerging where security tools don't just check for vulnerabilities in cloud configuration templates or in the running deployments themselves, but also generate the code necessary to automatically fix the issue and propose it to the developers. This could improve organizations' time to remediate, which is a major issue, because until now this process has largely been manual, leading to many issues being ignored.
Over the past several years, many application and infrastructure security vendors have been working on reengineering their products so they integrate well with development tools, since developers have different expectations and work differently than security teams. Many open-source tools are also available to test cloud deployments.
Penetration testing firm Bishop Fox released a tool called Smogcloud during the Black Hat USA conference that can help security engineers and cloud administrators find their exposed AWS cloud assets, including issues like internet-facing FQDNs and IPs, misconfigurations or vulnerabilities, assets that are no longer in use, services not currently monitored and other shadow IT problems. Accurics also has a collection of open-source tools and a free version of its cloud deployment testing platform.