Cloud 101CircleEventsBlog
CSA's Continuous Audit Metrics Working Group is expanding! Help shape the future of cloud assurance.

The Cloud Flaw Magnification Effect

The Cloud Flaw Magnification Effect

Blog Article Published: 09/29/2023

Originally published by Dazz.

Written by Barak Bercovitz, Director of Innovation, Dazz.

Cloud Development is Becoming More Automated

Companies are developing software in the cloud in a big way. Cloud tools and continuous integration processes help developers write, compile, and test their code, and deliver their services quickly. For all the efficiency gains, one drawback remains: they’re able to introduce vulnerabilities and misconfigurations easily. These include code flaws, vulnerable libraries, infrastructure misconfigurations, secrets in code, and more.


Cloud Magnifies the Problem

None of these problems are new. But the nature of cloud magnifies them and makes them worse for several reasons. First, cloud platforms are distributed (as are development teams!), making it hard to control quality centrally. Second, code sharing creates a runaway effect, causing errors to proliferate across codebases. And finally, cloud scaling technologies replicate and magnify issues everywhere your software runs, including across thousands of containers as you scale your application to meet demand. And because you have multiple cloud security detection tools alerting on the same issues in various places in your CI/CD pipeline (on top of detection errors and false positives), you end up with an untenable backlog of alerts.


How it Happens

The magnification of cloud issues is a phenomenon we’ve seen time and time again when we perform cloud security assessments for our customers. Because the starting point in our work is the findings themselves, which we deduplicate, reduce to root causes, and remediate, we thought it'd be interesting to show how the problem evolves from the other direction — how the root causes themselves get magnified into thousands (or millions!) of alerts in cloud detection tools such as CSPM, CNAPP, and vulnerability scanners.


One-to-Many Propagation

First, the developer might introduce a vulnerability or misconfiguration in their code (or introduces it by pulling in a third-party package containing flaws). It could be anything from poorly-written code to infrastructure misconfigurations to secrets in code.

Next, your code starts to move through your CI/CD pipeline, from one resource to the next. Each performs a unique task, from managing source code to compiling and testing software. In that automated, dynamic, fast-moving workstream, one mistake can quickly mushroom into multiple problems, prompting a deluge of findings. And that’s just in the creation of a single base image of your application.

From there, the process layers additional libraries and configuration files onto your base image, so you can run the software in your containerized cloud environment. It also involves the creation of cloud resources, generated from your infrastructure-as-code (IaC). As your software’s begins to run across your entire production environment, any issues you haven’t caught in the earlier build and test phases start to fan out in your scaling cloud environment. That’s when a handful of problems becomes an avalanche of alerts, which takes your security process from manageable to completely unsustainable.

Visualization of a full demo environment - a single developer (blue dot), authored 10s of code changes (purple dots), triggering the deployment of 100s of cloud resources (green dots) and containers (orange dots), with 1000s of alerts on them (red dots)


Multiple Security Tools Add to the Noise

Taking a “defense-in-depth” approach to security tools can give you the confidence that if you don’t catch a problem in one tool, you’ll catch it in another. But it also exacerbates your already-overburdened findings backlog. And because each tool has its own operational framework, field of view, and context, the same finding can look very different across tools, making it hard to deduplicate in a systematic way.

A single container (orange dot) gets alerted by several detection tools (Wiz, Snyk, Lacework, etc.), with many duplicated alerts between the different tools (red dots)


Summary

In this blog post, we delve into the topic of how the cloud can intensify security flaws and challenges within the development environment. By closely monitoring these issues and gaining a comprehensive understanding of the overall landscape, we address alerts at their root causes and uncover critical "hot pathways" in the deployment cycle. This approach enables us to fix vulnerabilities proactively, ultimately leading to enhanced security and smoother development processes in the cloud.

Share this content on your favorite social network today!