Morioh
Login
Tyrique Littel

Tyrique Littel

3 years ago

Bridgecrew, a developer-first platform that codifies cloud security, recently published the State of Open Source Terraform Security report. To scan around 2,600 Terraform modules within public and open source Terraform Registry, the company utilized open-source Infrastructure-as-Code (IaC) static analysis tool Checkov. One of the key findings reveals that modules used to provision AWS resources are most likely misconfigured.

Emphasizing that Terraform is thriving, the report states that there has been a dramatic rise in module contributions within Terraform Registry in Q2 2020. However, as IaC security may not be a top priority for the community, 48% of these modules are misconfigured. Guy Eisenkot, co-founder and VP of product, Bridgecrew, said, “At a time when organizations are embracing DevSecOps principles more and more, we were surprised by the gaps in security coverage and awareness at the IaC level.”

The report highlighted that the majority of Checkov checks failed because the engineering teams did not define modules’ optional arguments for enhancing data security and traceability. The checks were categorized according to the classifications defined by Center of Internet Security (CIS), applicable across cloud providers.

Pointing out the lack of awareness about defining logging at the IaC level, the report has shown that the backup and recovery category was the most common failing check category with 81% of failing checks. Logging and encryption took the 2nd and 3rd place, respectively. With the AWS modules, more than half of checks in these categories failed.

When looking at the Registry module downloads, over 15 million downloads contained misconfigured resources. Clarifying that these misconfigurations do not represent a risk, the report explained that the impact is on organizations’ overall compliance posture. The report further concluded that out of the top ten most downloaded modules, eight contain misconfigurations. The most downloaded misconfigured modules include top-rated and widely used services such as AWS RDS, AWS EKS, AWS ELB, and AWS IAM.

#survey #cloud security #terraform #devops #news

Bridgecrew Releases State of Open Source Terraform Security Report

infoq.com

Bridgecrew Releases State of Open Source Terraform Security Report

Bridgecrew, a developer-first platform that codifies cloud security, recently published the State of Open Source Terraform Security report. The company utilized open-source Infrastructure-as-Code (IaC) static analysis tool Checkov. One of the key findings reveals that modules used to provision AWS resources are most likely misconfigured.

1.35 GEEK