researchHQ’s Key Takeaways:
- As the cause of over half of all cloud security incidents, misconfigurations remain a significant challenge for developers.
- The prevalence of cloud misconfigurations risks severely delaying software development lifecycles.
- Security teams struggle to keep up with the overwhelming number of alerts received every week.
- Integrating security functions across toolchains gives visibility into an application’s entire attack surface and ensures that security boosts, rather than detracts from, application development.
Businesses are adopting development and operations (DevOps) to tap into new business opportunities. These DevOps initiatives are the engine driving digital transformation. But as DevOps takes hold and organizations focus more and more of their time and energy on building new applications and enhancing existing ones, the attack surface grows. As much of DevOps happens in private or public clouds or a hybrid combination, the attack exposure increases further.
Speed and DevOps
Speed is the name of the game when it comes to DevOps. The C-suite and even boards of directors push for greater speed and agility, often at the expense of security. A McKinsey report that surveyed CEOs around the globe places revenue acceleration, improved agility, and faster time to market at the top of the list of CEO priorities. Indeed, over half of organizations admit that they sacrifice cybersecurity for speed.
Conferences like RSA help drive awareness of the disconnect between business agility and security. When DevOps and security are distinct functions without integration, developers and security professionals alike are frustrated. Static application security testing (SAST) is slow and often ineffective: it lengthens development cycles while surfacing false positives that demand painstaking, time-consuming remediation. Dynamic application security testing (DAST) isn’t much better.
New Report on DevOps
In advance of RSA, Palo Alto Networks released its “Spring 2020 Cloud Threat Report: Putting Sec in DevOps.” The report contains a number of interesting findings from the security company’s threat intelligence lab Unit 42. Let’s take a look at a few of them.
Misconfigurations Create Coding Delays
Misconfiguration remains a huge challenge for developers. The report finds that 65% of public cloud security incidents are the result of misconfigurations. With the push from CEOs for greater DevOps speed and agility, development teams are looking for ways to move quicker and push applications out faster.
Research findings in the report pinpoint some specific areas of misconfiguration that are impacting software development life cycles (SDLCs). First, 42% of CloudFormation configuration files contain at least one insecure configuration. Some of the most egregious examples include failure to enable server-side encryption (48%) and failure to activate encryption for Relational Database Service (RDS) (41%). In other instances, cloud user-configured S3 buckets are active without logging enabled.
Second, Terraform configuration files are another area of concern, with 22% of them containing at least one insecure configuration. Examples Unit 42 cites include cloud user-configured S3 buckets without logging enabled (66%), user-configured AWS EC2 instances with SSH (port 22) exposed to the internet (26%), and cloud-user AWS Security Groups that allow all inbound traffic (17%).
Finally, a smaller share, 9% of Google Kubernetes YAML files, also contain an insecure configuration. Given the importance of Kubernetes containers to many development teams, the vulnerabilities these misconfigurations expose can be serious. Examples Unit 42 lists include sharing the host network (32%), running as root or with privileged accounts (26%), and running containers with dangerous capabilities activated (20%).
Alert Fatigue Creates Inefficiencies and Risk
Alert fatigue is a serious challenge for security and development teams. Unit 42 identifies five alerts and events that are the most severe:
- Allowing public access to port 22 (SSH) (76%)
- Allowing public access to port 3389 (RDP) (69%)
- Failing to enable logging for data storage (64%)
- Not enabling encryption for data storage (62%)
- Not using tracking functionality for serverless functions (47%)
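The misconfiguration classes counted in the Terraform and Kubernetes findings above, and most of the top-five alerts in this list, are mechanical enough to catch before a template is ever applied. The checker below is an added example written for this article; it is not code from Unit 42, Palo Alto Networks, or any scanner the report used. It assumes Terraform input in Terraform's JSON syntax (a `.tf.json` file loaded as a dict) and a Kubernetes Pod manifest loaded as a dict, and it flags S3 buckets without access logging or server-side encryption, security groups that expose SSH (22) or RDP (3389) to the internet or allow all inbound traffic, unencrypted RDS instances, and pods that share the host network, run privileged or as root, or add dangerous Linux capabilities. The resource names, sample documents, and the set of capabilities treated as dangerous are all constructed for the example.

```python
"""Checks infrastructure-as-code documents for the misconfiguration classes
counted in the report. Added example, not code from Unit 42 or Palo Alto
Networks. Terraform input is assumed to be in Terraform's JSON syntax
(a .tf.json file loaded with json.load); Kubernetes input is a Pod
manifest loaded into a dict. Resource names below are constructed."""
from typing import Dict, List

ANY_CIDR = {"0.0.0.0/0", "::/0"}
# Which added capabilities count as "dangerous" is this example's own choice.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}


def _open_to_world(rule: Dict) -> bool:
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    return any(c in ANY_CIDR for c in cidrs)


def check_terraform(doc: Dict) -> List[str]:
    """Return one finding per insecure S3, security-group or RDS setting."""
    findings = []
    res = doc.get("resource", {})
    for name, bucket in res.get("aws_s3_bucket", {}).items():
        if not bucket.get("logging"):
            findings.append(f"aws_s3_bucket.{name}: access logging not enabled")
        if not bucket.get("server_side_encryption_configuration"):
            findings.append(f"aws_s3_bucket.{name}: server-side encryption not enabled")
    for name, sg in res.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            if not _open_to_world(rule):
                continue  # only internet-exposed rules are of interest here
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
            if rule.get("protocol") == "-1" or (lo, hi) == (0, 65535):
                findings.append(f"aws_security_group.{name}: all inbound traffic allowed from the internet")
                continue
            if lo <= 22 <= hi:
                findings.append(f"aws_security_group.{name}: SSH (22) exposed to the internet")
            if lo <= 3389 <= hi:
                findings.append(f"aws_security_group.{name}: RDP (3389) exposed to the internet")
    for name, db in res.get("aws_db_instance", {}).items():
        if not db.get("storage_encrypted", False):
            findings.append(f"aws_db_instance.{name}: storage encryption not enabled")
    return findings


def check_pod(manifest: Dict) -> List[str]:
    """Return one finding per host-network, privileged, root or capability issue."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(f"pod/{name}: shares the host network")
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"pod/{name}/{cname}: runs privileged")
        # Container-level settings override pod-level ones, as in Kubernetes.
        run_as = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False))
        if run_as == 0 or (run_as is None and not non_root):
            findings.append(f"pod/{name}/{cname}: may run as root")
        added = set(ctx.get("capabilities", {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(f"pod/{name}/{cname}: adds dangerous capability {cap}")
    return findings


# Constructed sample documents so the checker runs stand-alone.
SAMPLE_TF = {"resource": {
    "aws_s3_bucket": {
        "app_data": {"bucket": "example-app-data"},  # no logging, no encryption
        "audit": {"bucket": "example-audit",
                  "logging": {"target_bucket": "example-logs"},
                  "server_side_encryption_configuration": {"rule": {}}},
    },
    "aws_security_group": {
        "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]},
        "wide_open": {"ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                   "cidr_blocks": ["0.0.0.0/0"]}]},
        "internal": {"ingress": [{"from_port": 3389, "to_port": 3389, "protocol": "tcp",
                                  "cidr_blocks": ["10.0.0.0/8"]}]},
    },
    "aws_db_instance": {"main": {"engine": "postgres"}},  # storage_encrypted unset
}}

SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
              "spec": {"hostNetwork": True, "containers": [
                  {"name": "shell", "image": "busybox",
                   "securityContext": {"privileged": True, "runAsUser": 0,
                                       "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}}},
                  {"name": "app", "image": "app:1.0",
                   "securityContext": {"runAsNonRoot": True}}]}}

if __name__ == "__main__":
    for finding in check_terraform(SAMPLE_TF) + check_pod(SAMPLE_POD):
        print(finding)
```

Run stand-alone, the sample Terraform document yields five findings (two for the unlogged, unencrypted bucket, one each for the SSH-exposed and wide-open security groups, and one for the unencrypted RDS instance) while the `audit` bucket and the RDP rule restricted to a private range stay silent; the sample pod yields four (host network, privileged, root, and `NET_ADMIN`). A check like this belongs in the pipeline before `terraform apply` or `kubectl apply`, where a failed rule costs a developer minutes rather than adding one more item to the weekly alert backlog the report describes.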