Infrastructure-as-code security issues could put cloud platforms everywhere at risk
Date:
Wed, 27 Nov 2024 15:56:00 +0000
Description:
Simplified code is safer, but not bulletproof, experts say.
FULL STORY ======================================================================
Security researchers discussed vulnerabilities in Infrastructure-as-code (IaC)
There are a number of different ways crooks could abuse the systems
Issues also share defense mechanisms and workarounds
Security issues with infrastructure-as-code (IaC) and policy-as-code (PaC) specialized tools could put entire platforms, everywhere, at risk, experts have warned.
A report from cybersecurity researchers at Tenable has revealed how certain tools used to help manage cloud infrastructure and policies, such as Terraform and Open Policy Agent (OPA), could be hijacked and put to malicious use.
These tools use simplified coding languages which should make them safer than regular programming languages, but they're still not without their flaws.
Since these are hardened languages with limited capabilities, they're supposed to be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof, the researchers said.
Discussing OPA, Tenable explained that it is a product that allows organizations to enforce rules, or policies, for managing cloud resources. It uses a language called Rego for these rules. Should a threat actor steal an access key, they would be able to add a fake Rego policy, approving malicious activity such as stealing sensitive data.
Terraform, on the other hand, helps companies define and manage cloud setups through code. Since it processes commands during workflows, it allows hackers to inject malicious code into the processes, which the tool then runs before anyone could notice. In theory, crooks could add a fake data source that results in malicious activity.
To protect against these attacks, researchers suggest teams use role-based access control (RBAC) to give people the minimum permissions they need, log actions at the application and cloud level for easier detection of suspicious behavior, and limit what apps and machines can access in terms of data and networks.
Furthermore, they suggest preventing unreviewed code or changes from running automatically in workflows, and using tools like Terrascan and Checkov to scan for issues in the infrastructure code before it's deployed.
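The pre-deploy scan the article recommends, as an added example that is not Tenable's or TechRadar's code: a small Python check (assumed names `scan_hcl` and `gate`, constructed sample HCL) that flags Terraform constructs which execute commands during plan or apply, so an unreviewed change introducing one is held for human review instead of being auto-applied.

```python
"""Pre-deploy guard: flag Terraform constructs that run commands during plan/apply."""
import re

# Blocks that execute code on the machine running Terraform. data "external"
# runs a program at plan time; local-exec / remote-exec run commands at apply
# time. All are legitimate features, but an unreviewed change that introduces
# one is exactly the "fake data source" path the article warns about.
RISKY_PATTERNS = {
    "external data source": re.compile(r'^[ \t]*data[ \t]+"external"[ \t]+"[^"]+"', re.M),
    "local-exec provisioner": re.compile(r'^[ \t]*provisioner[ \t]+"local-exec"', re.M),
    "remote-exec provisioner": re.compile(r'^[ \t]*provisioner[ \t]+"remote-exec"', re.M),
}


def scan_hcl(text: str) -> list[dict]:
    """Return one finding per risky block, with its 1-based line number."""
    findings = []
    for kind, pattern in RISKY_PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"kind": kind, "line": line_no, "snippet": m.group(0).strip()})
    return sorted(findings, key=lambda f: f["line"])


def gate(text: str) -> bool:
    """True when the change may be auto-applied; False when it needs human review."""
    return not scan_hcl(text)


# Constructed sample: one benign resource, then two blocks that execute commands.
SAMPLE_TF = """
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

data "external" "lookup" {
  program = ["python3", "${path.module}/lookup.py"]
}

resource "null_resource" "post_deploy" {
  provisioner "local-exec" {
    command = "echo deployed"
  }
}
"""
# Same file with only the benign resource, for comparison.
CLEAN_TF = SAMPLE_TF.split("\ndata ")[0]

if __name__ == "__main__":
    for f in scan_hcl(SAMPLE_TF):
        print(f"line {f['line']}: {f['kind']} -> {f['snippet']}")
    print("auto-apply allowed:", gate(SAMPLE_TF), "/ clean file:", gate(CLEAN_TF))
```

In a CI pipeline, a `False` from `gate` would block the automatic apply step and route the change to a reviewer.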
======================================================================
Link to news story:
https://www.techradar.com/pro/security/infrastructure-as-code-security-issues-could-put-cloud-platforms-everywhere-at-risk
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)