Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 블로그

구독

Manage and Remediate Cloud Infrastructure Misconfiguration Vulnerabilities with Tenable.cs and HashiCorp Terraform Cloud

Tenable.cs 및 HashiCorp Terraform Cloud를 통해 클라우드 인프라 구성 오류 취약성 관리 및 수정

Cloud breaches are on the upswing due to preventable misconfigurations. Here’s how you can lower your risk with a new integration between Tenable.cs and Terraform Cloud.

Today’s cloud environments are highly dynamic with new updates continuously released into production and workloads scaling up and down based on customer demand. Within minutes cloud engineers can spin up and fully deploy resources to the cloud. But with increased speed many times comes increased risk. System vulnerabilities caused by misconfigurations are often overlooked and may remain undetected for months. As a result, cloud breaches are increasing in scale and velocity. Over 30 billion records were exposed in 200 breaches between 2018 and 2020 due to cloud infrastructure misconfigurations alone.

How can you reduce your chances of suffering breaches caused by cloud misconfigurations? In this post, we explain how Tenable and HashiCorp can help with this issue via a new integration between Tenable.cs and Terraform Cloud Run Tasks

Introduction to cloud provisioning and Terraform

Cloud resource provisioning is a key aspect of deploying cloud workloads. Although most cloud providers have their own provisioning utilities, best-of-breed tools like Hashicorp Terraform offer benefits that go beyond what cloud providers offer. Using Terraform, an open-source Infrastructure as Code (IaC) tool, to provision infrastructure provides many benefits to the management and operations of your environment. HashiCorp Configuration Language (HCL) provides the ability to standardize reusable modules of infrastructure that can be used across projects and environments. When standing up infrastructure, Terraform reads the current state of your environment and determines any changes needed to configure the environment to the state defined in your IaC. This simplifies the process of managing complex architectures which can be fragile if manually maintained. IaC allows for the code to be version controlled and provides better visibility into how the infrastructure has been provisioned and configured.

Terraform key security considerations 

Terraform also offers security benefits. The workflow around infrastructure provisioning can be used to protect your environment from security issues. When enforcing the use of IaC for any changes in your environment, code can be assessed to ensure that any security defects are detected and mitigated before infrastructure is provisioned. Security or operational guardrails can be codified and enforced through CI/CD pipelines, gates, or other automated means to ensure that your environment is compliant with your policies. 

While using tools such as Terraform simplify managing infrastructure, it’s still common for critical misconfigurations of cloud infrastructure to happen. Key areas of concerns for vulnerability management for Terraform environments include:

  • Secrets Management: Terraform requires credentials in order to authorize any API actions necessary to provision the infrastructure specified in your code. Since these credentials provide privileged access to create, manage, and destroy your environment, care should be taken to ensure that they are not exposed to unauthorized people or processes.
  • System State Management: Terraform uses a state file to track the state of provisioned infrastructure resources. By default, the state file is stored on the local file system of the system where Terraform is executed. Persisting state files with your source code is a bad idea as these could contain secrets or other sensitive information.
  • Dependency Management: Terraform uses plugins called “providers” to interact with remote APIs for the resources defined in your code. These are downloaded to the system where Terraform is executed when performing the “terraform init” command. As providers manage powerful operations in your infrastructure, it is important to download these from trusted sources and confirm that they have not been tampered with prior to using them.
  • Drift Management: In any complex enterprise environment, manual changes can occur in runtime through “break the glass” mechanisms or other means. These changes cause a deviation, referred to as “drift,” between your runtime environment and what has been defined in your Terraform code. If not corrected in the source code, build teams will continue to use the old version and/or systems will no longer meet security requirements. 

For more on Terraform security key considerations read the whitepaper “DevOps Guide to Terraform Security”. 

Preventing Terraform vulnerabilities with Tenable.cs

Tenable.cs is a developer-friendly, Cloud-Native Application Security Platform (CNASP) that enables your organization to secure cloud resources, container images and cloud assets, providing end-to-end security from code to cloud to workload. To enforce best practices, you can evaluate your code using a static code analysis tool such as Terrascan. Terrascan is an open source project that was created by Tenable and is the underpinning scanning engine for Tenable.cs. Terrascan includes hundreds of policies across multiple providers written in the Rego language, and assesses for misconfigurations using the Open Policy Agent (OPA) engine. These policies can be extended to include any standards specific to your environment. To enforce these as part of your workflow, you can include a job as part of your CI/CD pipeline that uses Terrascan to scan any changes to your HCL files for security issues. If any issues are detected, the job will fail with an error message indicating that a security issue has been found that needs to be addressed. 

Tenable.cs enables cloud operations and security teams to assess Terraform templates for policy violations. You can integrate cloud infrastructure security into the DevOps pipeline to prevent security issues from reaching production. You can also quickly remediate IaC misconfigurations directly in development tools to enforce policies in both build-time and runtime.
 

Failing Tenable.cs Policy
Failing Tenable.cs Policy for a Terraform template (Storage encryption not enabled on RDS instance)

Tenable.cs recommended remediation action
Tenable.cs recommended remediation action to resolve failing policy. (Enable storage encryption in Terraform Template)

New! Enhanced automated remediation support with HashiCorp Terraform Cloud Run Tasks

Now Tenable is boosting its capabilities for securing Terraform with support for HashiCorp's new Terraform Cloud Run Tasks. Terraform Cloud provides a hosted solution to build and deploy Terraform Templates. Using the new Terraform Cloud Run Tasks, you can leverage Tenable.cs to scan your Terraform Templates during the Terraform cloud deploy step. The integration allows Terraform Cloud customers to detect any security issues within their IaC using Tenable.cs as part of the planning phase of the Terraform execution. By adding this support for Terraform Cloud Run Tasks in Tenable.cs, we’re helping developers detect and fix compliance and security risks in their IaC so they can mitigate issues before cloud infrastructure is provisioned. 

Additionally, knowing the exact remediation steps can be time intensive and challenging. That’s why remediation recommendations are provided as part of the integration, in the form of a pull request to the source code repository associated with the Terraform workspace, to help with fixing issues found in Terraform templates before they are provisioned. Customers can leverage over 1,500 policies in the Tenable.cs commercial offering to perform deep scans in Terraform Cloud. Users interested in viewing the setup guide on how to connect Tenable.cs with Terraform Cloud Workspace can find detailed documentation here.


To learn more about Tenable.cs view the data sheet or access the on-demand webinar “Introducing Tenable.cs: Secure Every Step From Code to Cloud”.

관련 기사

최신 익스플로잇에 대해 취약합니까?

이메일을 입력하여 최신 사이버 노출 알림을 받으십시오.

tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Nessus Professional 무료로 사용해 보기

7일간 무료

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

Nessus Professional 구매

Nessus®는 오늘날 시장에서 가장 포괄적인 취약성 스캐너입니다. Nessus Professional은 취약성 스캔 프로세스를 자동화하고 컴플라이언스 주기에서 시간을 절약하고 IT 팀이 참여할 수 있도록 합니다.

여러 해 라이선스를 구매하여 절감하십시오. 연중무휴 전화, 커뮤니티 및 채팅 지원에 액세스하려면 Advanced 지원을 추가하십시오.

라이선스 선택

여러 해 라이선스를 구매하여 절감하십시오.

지원 및 교육 추가

Tenable.io

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오.

Tenable.io Vulnerability Management 평가판에는 Tenable Lumin, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

65 자산

구독 옵션 선택:

지금 구매

Tenable.io Web Application Scanning 사용해 보기

Tenable.io 플랫폼의 일부로 최신 애플리케이션을 위해 설계된 최신 웹 애플리케이션 스캐닝 서비스에 대한 전체 액세스 권한을 누리십시오. 많은 수작업이나 중요한 웹 애플리케이션 중단 없이, 높은 정확도로 전체 온라인 포트폴리오의 취약성을 안전하게 스캔합니다. 지금 등록하십시오.

Tenable Web Application Scanning 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable.io Web Application Scanning 구매

비교할 수 없는 정확도로 모든 자산을 확인하고 추적할 수 있는 최신 클라우드 기반 취약성 관리 플랫폼 전체에 액세스하십시오. 지금 연간 구독을 구매하십시오.

5 FQDN

$3,578

지금 구매

Tenable.io Container Security 사용해 보기

취약성 관리 플랫폼에 통합된 유일한 컨테이너 보안 서비스에 대한 전체 액세스 권한을 누리십시오. 컨테이너 이미지에서 취약성, 맬웨어 및 정책 위반을 모니터링합니다. 지속적 통합 및 지속적 배포(CI/CD) 시스템과 통합하여 DevOps 실무를 지원하고 보안을 강화하고 기업 정책 컴플라이언스를 지원합니다.

Tenable.io Container Security 구매

Tenable.io Container Security는 빌드 프로세스와의 통합을 통해 취약성, 맬웨어, 정책 위반 등 컨테이너 이미지의 보안에 대한 가시성을 제공하여 DevOps 프로세스를 원활하고 안전하게 지원합니다.

Tenable Lumin 사용해 보기

Tenable Lumin을 사용하여 Cyber Exposure를 시각화 및 탐색하고 시간 경과에 따른 위험 감소를 추적하고 유사한 조직을 벤치마크하십시오.

Tenable Lumin 평가판에는 Tenable.io Vulnerability Management, Tenable.io Web Application Scanning 및 Tenable.cs Cloud Security도 포함되어 있습니다.

Tenable Lumin 구매

조직 전체에서 인사이트를 얻고 사이버 위험을 관리하는 데 Lumin이 어떻게 도움이 되는지 알아보려면 영업 담당자에게 문의하십시오.

Tenable.cs 사용해 보기

클라우드 인프라 구성 오류를 감지 및 수정하고 런타임 취약성을 볼 수 있는 전체 액세스 권한을 누리십시오. 지금 무료 평가판에 등록하십시오.

Tenable.cs Cloud Security 평가판에는 Tenable.io Vulnerability Management, Tenable Lumin 및 Tenable.io Web Application Scanning도 포함되어 있습니다.

영업 담당자에게 연락하여 Tenable.cs 구매

영업 담당자에게 연락하여 Tenable.cs 클라우드 보안에 대해 자세히 알아보고, 클라우드 계정을 온보딩하는 것이 얼마나 쉬운지 확인하고, 몇 분 내에 클라우드 구성 오류와 취약성에 대한 가시성을 얻으십시오.

Nessus Expert 무료로 사용해 보기

7일간 무료

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

Nessus Professional이 이미 있습니까?
7일간 Nessus Expert로 무료 업그레이드하십시오.

Nessus Expert 구매

최신 공격 표면을 방어하기 위해 구축된 Nessus Expert를 사용하면 IT부터 클라우드까지, 더 많은 것을 모니터링하고 조직을 취약성으로부터 보호할 수 있습니다.

라이선스 선택

프로모션 가격은 12월 31일까지 연장되었습니다.
여러 해 라이선스를 구매하여 비용을 더 절감하십시오.

지원 및 교육 추가