SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
India
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Malware
#
Endpoint Protection
#
Cloud Security

Tenable discovers vulnerabilities in IaC & PaC platforms

Today
Author image
By Imee Dequito, Editor

Tenable's Cloud Security Research team has identified new attack techniques in Domain-Specific Languages of widely-used policy-as-code and infrastructure-as-code platforms, potentially leading to security breaches and data exfiltration.

The research highlights vulnerabilities in systems that utilise Domain-Specific Languages (DSLs), which are often perceived as secure due to their limited capabilities compared to general programming languages. However, assumptions of default security in these frameworks can render systems susceptible to exploitation.

The discovery comes after a known SMB force-authentication vulnerability was found in Open Policy Agent (OPA). These revelations underscore the need to re-evaluate security measures for policy-as-code (PaC) and infrastructure-as-code (IaC) deployments.

In the context of OPA, the Tenable team discovered how attackers could exploit the policy supply chain by inserting harmful Rego policies during policy evaluations, facilitating actions such as credential exfiltration or data leaks. OPA, a popular policy engine, is employed across diverse applications, including microservice authorization and infrastructure policies, with policies written in the Rego DSL.

Furthermore, the research delved into Terraform, another prominent IaC tool renowned for its platform-agnostic and declarative nature. Terraform configurations use HashiCorp Configuration Language (HCL), another DSL. Tenable found that unreviewed code execution could occur when Terraform is configured to run on a pull request trigger in CI/CD pipelines, posing a risk through potential exploitation by insider threats or external actors.

In response to these findings, Tenable Research has laid out comprehensive mitigation strategies. These include implementing granular role-based access control (RBAC) to adhere to the principle of least privilege, which involves separating user roles and securing cloud roles. RBAC should be applied to both local users operating the IaC or PaC framework and those accessing it via APIs.

Another key recommendation is to only utilise third-party components from credible sources. This pertains to Terraform's modules and providers, as well as OPA policies, ensuring these components maintain integrity before execution to prevent unauthorised modifications.

Tenable also advises setting up application-level and cloud-level logging for ongoing monitoring and analysis, alongside limiting the network and data access for applications and their underlying infrastructure.

Additionally, the advice extends to ensuring no automatic execution of unverified code within CI/CD pipelines. This step, referred to as "Scan before you plan", involves placing security scanners before the terraform plan stage to foreclose the deployment of potentially harmful code.

These insights and recommendations are available for further exploration and understanding on Tenable's blog, providing a detailed analysis of the attack techniques and corresponding mitigation strategies.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Trellix report reveals evolving ransomware ecosystem trends
IoT cybersecurity market set to hit USD $60 billion by 2029
Check Point unveils AI-powered Quantum Firewall Software
Rapid7 integrates AWS policies for enhanced cloud security
Experts warn businesses of escalating cyber security threats
Top stories
Snowflake unveils Hybrid Tables to unify data workloads
Cofense report: Sophisticated email threats on the rise
N-able acquires Adlumin to boost cybersecurity offerings
Microsoft integrates Endor Labs' solution into Defender
Dynatrace joins Microsoft security group to enhance cloud safety