GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

GitHub code scanning

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.

GitHub code scanning

“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) help developers discover and remedy vulnerabilities within open source components that are being included into the application and prioritizing them accordingly based on severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to over 50+ million Github users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides an convenient way to triage and prioritize fixes, a process that could be cumbersome usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

Terrascan open source software helps developers build secure cloud infrastructure

Accurics unveiled a major upgrade to Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC).

Terrascan

The new release ensures Terraform templates avoid common security pitfalls in popular cloud providers such as AWS, Azure, and Google Cloud Platform. Built-in extensibility will enable support for other popular technologies such as AWS CloudFormation, Kubernetes, service mesh and serverless.

The new Terrascan architecture leverages the Open Policy Agent (OPA) engine from CNCF, which dramatically simplifies policy definition for developers that want to create custom policies as well as provides over 500 out-of-the-box policies for the CIS Benchmark.

“The rapid adoption of Infrastructure as Code is clearly meeting its intended goal: to help organizations achieve more reliability by programmatically embedding policy checks earlier in the development lifecycle,” said Cesar Rodriguez, head of Developer Advocacy at Accurics.

“This is vital in an environment where the scale and velocity of cloud breaches is constantly increasing, and organizations are required to implement policy guardrails to ensure that cloud native infrastructure is securely defined and managed.

“Terrascan is already playing a key role in this process within many organizations, and the newest iteration takes these important capabilities much further.”

Terrascan is now available as a GitHub Action and is included in the popular Super-Linter GitHub Action. It can be installed as a pre-commit hook to help detect issues before code is pushed into your repository, and also integrated into the CI/CD pipeline.

Terrascan enhances the value of IaC used by organizations to define and manage cloud infrastructure. It emerged from a search for a scalable way to ensure that cloud infrastructure was configured in adherence with security best practices.

Terrascan has already been downloaded by hundreds of developers to programmatically scan Terraform code (IaC) during development in order to track policy violations. It helps identify issues such as:

  • Missing or misconfigured encryption on resources and communication
  • Security Groups left open to the internet
  • Inadvertent exposure of cloud services
  • Insufficient logging for audit and compliance

Misconfigured cloud storage services are commonplace in 93% of deployments

Cloud breaches will likely increase in velocity and scale, and highlights steps that can be taken to mitigate them, according to Accurics.

misconfigured cloud storage services

“While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations,” said Om Moolchandani, CTO, Accurics. “As cloud infrastructure becomes increasingly programmable, we believe that the most effective defense is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure. The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction.”

Key report findings

Misconfigured cloud storage services are commonplace in a stunning 93% of the cloud deployments analyzed, and most also have at least one network exposure where a security group is left wide open. These issues will likely increase in both velocity and scale—and they’ve already contributed to more than 200 breaches over the past two years.

One emerging problem area is that despite the broad availability of tools like HashiCorp Vault and AWS Key Management Service (KMS), hardcoded private keys turned up in 72% of the deployments analyzed. Specifically, unprotected credentials stored in container configuration files were found in half of these deployments, which is an issue given that 84% of organizations use containers.

Going one level deeper, 41% of the organizations had high privileges associated with the hardcoded keys and were used to provision compute resources; any breach involving these would expose all associated resources. Hardcoded keys have contributed to a number of cloud breaches.

Network exposures resulting from misconfigured routing rules posed the greatest risk to all organizations. In 100% of deployments, an altered routing rule exposed a private subnet containing sensitive resources, such as databases, to the Internet.

Automated detection of risks paired with a manual approach to resolution is creating alert fatigue, and only 6% of issues are being addressed. An emerging practice known as Remediation as Code, in which the code to resolve the issue is automatically generated, is enabling organizations to address 80% of risks.

Codifying security

Automated threat modeling is also needed to determine whether changes such as privilege increases, and route changes introduce breach paths in a cloud deployment. As organizations embrace Infrastructure as Code (IaC) to define and manage cloud-native infrastructure, codifying security into development pipelines becomes possible and can significantly reduce the attack surface before cloud infrastructure is provisioned.

The new report makes the case for establishing the IaC as a baseline to maintain risk posture after cloud infrastructure is provisioned. Continuous assessment of new cloud resources and configuration changes against the baseline will surface new risks. If a change is legitimate, update the IaC to reflect the change; if it’s not, redeploy the cloud from the baseline.

Attackers exploit Twilio’s misconfigured cloud storage, inject malicious code into SDK

Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from their one of their AWS S3 buckets.

Twilio malicious SDK

“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.

Who’s behind the attack?

Twilio is a cloud communications platform as a service (CPaaS) company, which provides web service APIs developers can use to add messaging, voice, and video in their web and mobile applications.

“The TaskRouter JS SDK is a library that allows customers to easily interact with Twilio TaskRouter, which provides an attribute-based routing engine that routes tasks to agents or processes,” Twilio explained.

The misconfigured AWS S3 bucket, which is used to serve public content from the domain twiliocdn.com, hosts copies of other SDKs, but only the TaskRouter SDK had been modified.

The misconfiguration allowed anybody on the Internet to read and write to the S3 bucket, and the opportunity was seized by the attacker(s).

“We do not believe this was an attack targeted at Twilio or any of our customers,” the company opined.

“Our investigation of the javascript that was added by the attacker leads us to believe that this attack was opportunistic because of the misconfiguration of the S3 bucket. We believe that the attack was designed to serve malicious advertising to users on mobile devices.”

Jordan Herman, Threat Researcher at RiskIQ, which detailed previous threat campaigns that used the same malicious traffic redirector, told Help Net Security that because of how easy misconfigured Amazon S3 buckets are to find and the level of access they grant attackers, they are seeing attacks like this happening at an alarming rate.

Om Moolchandani, co-founder and CTO at code to cloud security company Accurics, noted that there are many similarities between waterhole attacks and the Twilio incident.

“Taking over a cloud hosted SDK allows attackers to ‘cloud waterhole’ into the victim environments by landing directly into the operation space of victims,” he said.

The outcome

Due to this incident, Twillio checked the permissions on all of their AWS S3 buckets and found others that were misconfigured, but they stored no production or customer data and haven’t been tampered with.

“During our incident review, we identified a number of systemic improvements that we can make to prevent similar issues from occurring in the future. Specifically, our teams will be engaging in efforts to restrict direct access to S3 buckets and deliver content only via our known CDNs, improve our monitoring of S3 bucket policy changes to quickly detect unsafe access policies, and determine the best way for us to provide integrity checking so customers can validate that they are using known good versions of our SDKs,” the company shared.

They say it’s difficult to gauge the impact on the attack on individual users, since the “links used in these attacks are deprecated and rotated and since the script itself doesn’t execute on all platforms.”

The company urges those who have downloaded a copy of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00) to re-download it, check its integrity and replace it.

“If your application loads v1.20 of the TaskRouter JS SDK dynamically from our CDN, that software has already been updated and you do not need to do anything,” they pointed out.

Technologies in all layers of the cloud stack are at risk

As breaches and hacks continue, and new vulnerabilities are uncovered, secure coding is being recognized as an increasingly important security concept — and not just for back-room techies anymore, Accurics reveals.

cloud stack risk

Cloud stack risk

“Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Sachin Aggarwal, CEO at Accurics.

“As cloud stacks become increasingly complex, with new technologies regularly added to the mix, what’s needed is a holistic approach with consistent protection across the full cloud stack, as well as the ability to identify risks from configuration changes to deployed cloud infrastructure from a baseline established during development.

“The shift to infrastructure as code enables this; organizations now have an opportunity to redesign their cloud security strategy and move away from a point solution approach.”

Key takeaways from the research

  • Misconfigurations of cloud native technologies across the full cloud native stack are a clear risk, increasing the attack surface, and being exploited by malicious actors.
  • There is a significant shift towards provisioning and managing cloud infrastructure through code. This offers an opportunity for organizations to embed security earlier in the DevOps lifecycle. However, infrastructure as code is not being adequately secured, thanks in part to the lack of tools that can provide holistic protection.
  • Even in scenarios where infrastructure as code actually is being governed, there are continuing problems from privileged users making changes directly to the cloud once infrastructure is provisioned. This creates posture drift from the secure baseline established through code.

Infrastructure as code

The research shows that securing cloud infrastructure in production isn’t enough. Researchers determined that only 4% of issues reported in production are actually being addressed. This is unsurprising since issue investigation and resolution at this late stage in the development lifecycle is challenging and costly.

A positive trend identified by the research is that there is a significant shift towards provisioning and managing cloud infrastructure through code to achieve agility and reliability.

Popular technologies include Terraform, Kubernetes, Docker, and OpenFaaS. Accurics’ research shows that 24% of configuration changes are made via code, which is encouraging given the fact that many of these technologies are relatively new.

Infrastructure as code provides organizations with an opportunity to embed security earlier in the development lifecycle. However, research revealed that organizations are not ensuring basic security and compliance hygiene across code.

The dangers are undeniable: high severity risks such as open security groups, overly permissive IAM roles, and exposed cloud storage services constituted 67% of the issues. This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches.

The study also shows that even if organizations implement policy guardrails and security assessments across infrastructure as code, 90% of organizations allow privileged users to make configuration changes directly to cloud infrastructure after it is deployed. This unfortunately results in cloud posture drifting from the secure baseline established during development.

cloud stack risk

Recommended best practices

  • The importance of protecting the full cloud native stack, including serverless, containers, platform, and infrastructure
  • Embedding security earlier in the development lifecycle in order to reduce the attack surface before cloud infrastructure is provisioned, as well as monitor for incremental risks throughout its lifecycle
  • Most importantly, preventing cloud posture drift from the secure baseline established during development once infrastructure is provisioned

Accurics launches to protect cloud native infrastructure throughout the DevOps lifecycle

Accurics, the ‘code-to-cloud’ security specialist, came out of stealth mode to announce the formal launch of the company. It introduced technology that protects the cloud native infrastructure throughout the DevOps lifecycle, and reconciles risk posture drift between infrastructure defined through code and infrastructure running in the cloud.

These advances are critical as organizations rapidly embrace new technologies such as serverless, containers, and service mesh. The company has received $5mm in financial backing from blue-chip investors such as ClearSky, WestWave Capital, Firebolt Ventures and Secure Octane.

“While the rapid adoption of cloud native technologies is fueling innovation, organizations are grappling with the challenges of securing more complex cloud stacks,” said Accurics Co-founder & CEO Sachin Aggarwal.

“Risks in cloud deployments often go ignored due to the fact that detecting and fixing issues in production is costly. Organizations need a broader approach, in effect, ‘code-to-cloud’ security. That means seamless governance of infrastructure during development and in production, protection across the full cloud stack, monitoring for any posture ‘drift’ and swift return to a clean posture. Accurics is proud to introduce a dynamic platform that takes on all of these challenges with ease, speed and cost-effectiveness.”

The need for this solution is undeniable: Even as cloud deployments gain in popularity and importance—it’s reported that the global market is set to top $623 billion by 2023, representing a compound annual growth rate (CAGR) of 18%—there are still multiple challenges related to security, including:

  • Complexity: Advances such as serverless, containers and service mesh involve multiple management interfaces, significantly increasing the risk of manual errors; the adoption of hybrid and multi-cloud deployments further amplify the problem.
  • Consistency: Technologies such as Terraform, Kubernetes, Docker and OpenFaaS provision and manage infrastructure through code and reduce manual errors, but make it difficult to maintain consistent governance across the full stack.
  • Drift: In dynamic cloud environments, very little is locked down—privileged users can make changes to the cloud infrastructure in production, and even legitimate changes can cause a drift from the intended compliance and security posture and introduce risks.

Meanwhile, most current options lack a comprehensive defense. For example, first generation Cloud Security Posture Management (CSPM) solutions focus primarily on assuring governance in production, which is far too late.

In contrast, there are disparate tools that can be embedded earlier in the DevOps lifecycle but they only protect parts of the cloud native stack and solve point problems such as infrastructure as code scanning and vulnerability management. More importantly, these solutions can’t reconcile any posture drifts in production from a baseline defined through code.

“Securing cloud infrastructure is highly complex because an increasing number of dependencies are involved, and different actors using different tools play a role in protecting it,” said Paula Musich, research director at Enterprise Management Associates, a leading industry analyst firm based in Boulder, CO that provides deep insight across the full spectrum of information technologies.

“While a number of startups and established security vendors are attempting to solve specific issues, such as scanning reusable code for vulnerabilities or managing access to applications and data, piecemeal approaches that require different consoles only increase the chaos.

“What’s needed is a single tool to manage risks and policy violations early in the DevOps lifecycle and ensure that the original configuration intended by the developer remains true (and secure) once it leaves their hand and goes into production. This is the broader problem Accurics is solving, and it should give IT executives greater confidence in their ability to properly secure cloud infrastructure.”

Talha Tariq, an advisor to Accurics who currently holds the position of chief security officer at HashiCorp, a leader in multi-cloud infrastructure automation software whose open source tools are downloaded tens of millions of times a year and are broadly adopted by the Global 2000 said: “While infrastructure as code enables agility and reliability, it also provides an opportunity to embed security earlier in the DevOps lifecycle. Accurics reduces the attack surface by detecting risks in code before infrastructure is provisioned and flags changes to production that may introduce security posture drift.”

Code-to-cloud security: The Accurics advantage

“Our goal in developing the Accurics platform was to protect the full cloud native stack throughout the DevOps lifecycle, from the moment it’s defined in code and throughout the lifecycle of infrastructure being employed in production,” said Accurics Co-founder & CTO, Piyush Sharrma.

“Perhaps most importantly, we prevent the risk posture in production drifting away from the baseline defined through code. That’s the only way to ensure consistently strong protection that enables organizations to innovate with confidence.”

Accurics meets the specific needs of both DevOps and security by addressing specific challenges. These encompass:

  • Breach path prediction: The platform develops threat models by analyzing vulnerability feeds, IAM privileges, and other data to detect and remediate potential exposure paths in infrastructure code, reducing the attack surface in production. It subsequently monitors production for changes that introduce risks, and responds immediately via integrations with existing remediation workflows.
  • Proactive compliance & governance: Accurics scans infrastructure as code for violations of common compliance and cybersecurity practices—such as SOC 2, GDPR, PCI, HIPAA, ISO, CIS Benchmark, AWS Best Practices and the AWS well-architected framework—and addresses violations through integrations with existing remediation workflows. This ensures a compliant posture before the infrastructure is provisioned. Production cloud deployments are then monitored against the same policies, and changes that cause violations are remediated. This enables organizations to demonstrate continuous compliance to auditors, management, and customers.
  • Cloud integrity assurance: Accurics generates a real-time topology across the full stack defined through code, which helps spot design issues early in the DevOps lifecycle. Once the issues are addressed, the code is established as a baseline. The platform then continuously assesses the production cloud deployment for changes in topology from the baseline and flags drifts. If the drift is due to a legitimate change, the code can be updated, and if it introduces risks, organizations can roll their code back to the last known secure posture.

LendingClub’s Chief Data Officer and Head of Cyber Risk Management, Paolo Montini, commented, “When it comes to protecting data, either from an information security perspective or to comply with regulatory requirements such as PCI, GDPR, or HIPAA, the majority of key controls are managed through configuration.

“Accurics continuously monitors infrastructure code as well as production cloud deployments for changes that introduce misconfigurations and policy violations.” LendingClub is the world’s largest peer-to-peer lending platform.

Leaders and visionaries

The core management team at Accurics includes:

  • Sachin Aggarwal, Co-founder & CEO: He brings to his new venture a long history of launching successful startups – Accurics is the fifth company he’s founded. Among other milestones, he previously founded and led Layered Insight, which was subsequently acquired by Qualys; Jvion, which was acquired by JMI Equity; and Aqreva, which was acquired by Invision Capital. He has also served on the boards of Reventics, the provider engagement company, and other tech start-ups.
  • Piyush Sharrma, Co-founder & CTO: He has two decades’ experience in cloud, endpoint, and information security technologies, and has helped launch numerous enterprise products. He was most recently Head of Engineering at Symantec, where he led the release of seven new products with a combined revenue of more than $500 million. He is also an inventor with five patents filed and was a member of Symantec’s patent review committee.
  • Upa Campbell, Chief Strategy & Marketing Officer: She’s a seasoned executive with demonstrated success in marketing, product management, and engineering, and domain expertise in cloud, security, and network technologies. She was most recently VP of Marketing at Palo Alto Networks, and previously held similar roles at RedLock, which was acquired by Palo Alto Networks, and Palerra, acquired by Oracle Corp.

“There are many security technology startups, but the most successful of these feature a perfect blend of market need, strong management, strategic vision, innovation and ability to execute. That’s what we see in Accurics,” said Patrick Heim, Partner & CISO at ClearSky, a venture capital / growth equity firm with a philosophy of investing in enterprises that offer transformative security, privacy, and compliance solutions.

Heim continued: “Accurics comes to market with a sophisticated and distinctive approach that protects cloud infrastructure throughout the DevOps lifecycle. This boosts compliance, governance and security across the full cloud native stack in hybrid and multi-cloud environments. We believe the company has a great future, and we’re excited to offer our support and guidance.”

This team has led the development of an innovative platform that protects hybrid and multi-cloud environments with a wide range of capabilities, including:

  • Full stack visibility: Visualizes the real-time topology in code and cloud across a full stack, including serverless, container, platform and infrastructure technologies.
  • Infrastructure as code security: Continuously scans infrastructure code such as Terraform, Ansible, Kubernetes YAML, Dockerfile and OpenFaaS YAML for misconfigurations, vulnerabilities, policy violations, and potential breach paths before the cloud infrastructure is provisioned.
  • Cloud posture management: Continuously monitors production cloud deployments for changes that introduce misconfigurations, policy violations, and potential breach paths.
  • Drift detection: Continuously assesses the posture of a cloud deployment and flags any drifts from the posture defined through code.
  • Posture restoration: If a drift is due to a legitimate change, the code can be updated to reflect the change; if it introduces risks, the code can be restored to the last known secure posture.
  • Remediation: Resolves issues that are flagged via integrations with alert management mechanisms such as Slack, JIRA, Splunk, webhooks and email.

The market is clearly primed for these capabilities. As Al Ghous, Chief Security Officer at ServiceMax, the global market-leader in Service Execution Management that processes more than two million work orders each month and services over 200 million equipment units, stated, “We no longer provision a server, install an operating system or configure an application. It is all done through configuration scripts.”

He concludes, “Accurics helps organizations get visibility into these configuration scripts to make sure they are secure and compliant.”