It’s often the nature of the job that cloud security teams work with only partial visibility when trying to identify and assess cyber risk. Even when an issue has been identified, assigning ownership for the necessary remediation is an additional possible stumbling block.
The result is a sub-optimal speed of fix, and the process of assigning responsibility for remediation remains fuzzy. However, a joint solution from Tenable and OX could address these problems by combining CNAPP (cloud-native application protection platform) capabilities with application security context.
The two companies' approach links cloud exposures to the underlying code and, thereby, to the developers or teams responsible. It uses an asset graph that traces risk back through services, pipelines, and lines of code. It also validates whether any vulnerabilities can be reached and exploited in production systems.
Bringing together risk detection, vulnerability intel, and code analysis in a single workflow makes good operational sense. Over-granted permissions and emerging vulnerabilities can be mapped to their origin in source code, drawing a clear path to a specific developer or team. Whether it falls to the originating developers to test and apply a patch depends on the organisation.
Security checks begin early through integration with existing infrastructure-as-code and CI/CD pipelines, so issues emanating from outdated repositories can be flagged before they reach production. OX adds static and dynamic application security testing (SAST and DAST, respectively), plus identity management and analysis capabilities.
There's a sensible emphasis on whether issues, once found, can be actively exploited in production conditions. It's of course useful to discover issues at any stage of the pipeline, but when live systems are running compromised code that the wider internet is suddenly aware of, speed is of the essence. Given that all organisations deploy third-party packages that can ship vulnerabilities inherently, those overseeing the software supply chain will look first to affected production systems.
The solution's risk prioritisation feature combines infrastructure-level analysis with application context. Tenable gives teams risk baselines to work from, and OX evaluates risk (according to how susceptible the affected libraries and other components may be) and the exploitability of any flaw. This, the companies say, can narrow teams' focus to those exposures that can actually be used in an attack, rather than a torrent of red icons with no context as to their potential risk to the business.
Remediation can follow, linked to the relevant owner with details, quoted code, repository location, and commit history.
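The linking and prioritisation described above, as a constructed Python illustration added here (it is not Tenable's or OX's code, and every asset, file, commit and team name is made up): a small asset graph is walked backwards from a cloud finding to the source file, commit and owner, findings are ordered by whether they sit in internet-reachable production and are known to be exploitable, and the finding's kind decides which source file counts as its origin so that a permission problem is routed to the infrastructure-as-code owner rather than to whoever last touched the dependency manifest.

```python
from collections import deque

# Constructed asset graph for the example (not Tenable/OX data). Each key is a node and
# its list holds the nodes it originates from, so walking the edges moves from a
# live cloud asset back towards the code and the people who wrote it.
ASSET_GRAPH = {
    "iam-role:orders-api-prod":   ["service:orders-api"],
    "service:orders-api":         ["pipeline:orders-api-deploy"],
    "pipeline:orders-api-deploy": ["file:infra/orders_role.tf", "file:app/requirements.txt"],
    "file:infra/orders_role.tf":  ["commit:a1b2c3"],
    "file:app/requirements.txt":  ["commit:d4e5f6"],
    "commit:a1b2c3":              ["owner:team-payments"],
    "commit:d4e5f6":              ["owner:team-platform"],
}

# Application context: which kind of source file can be the origin of which finding.
# Permission problems come from infrastructure-as-code; library problems from manifests.
ORIGIN_PREFIX = {
    "over-granted permission": "file:infra/",
    "vulnerable library": "file:app/",
}

# Constructed findings, as a cloud scanner and an application scanner might report them.
FINDINGS = [
    {"id": "F-1", "asset": "iam-role:orders-api-prod", "kind": "over-granted permission",
     "env": "prod", "internet_reachable": True, "known_exploited": False},
    {"id": "F-2", "asset": "service:orders-api", "kind": "vulnerable library",
     "env": "prod", "internet_reachable": True, "known_exploited": True},
    {"id": "F-3", "asset": "service:orders-api", "kind": "vulnerable library",
     "env": "dev", "internet_reachable": False, "known_exploited": True},
]


def trace_to_owners(graph, start):
    """Breadth-first walk from a cloud asset to every owner node reachable through
    services, pipelines, files and commits. Returns one node path per owner found."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node.startswith("owner:"):
            paths.append(path)
            continue
        for origin in graph.get(node, []):
            if origin not in path:  # guard against cycles in the graph
                queue.append(path + [origin])
    return paths


def priority(finding):
    """Exploitable, internet-reachable production exposures rank first; unreachable
    dev findings last. The weights are illustrative, not a vendor's scoring."""
    score = 0
    if finding["env"] == "prod":
        score += 4
    if finding["internet_reachable"]:
        score += 2
    if finding["known_exploited"]:
        score += 1
    return score


def build_tickets(graph, findings):
    """Turn findings into owner-addressed remediation records, highest priority first.
    Only paths whose source file matches the finding's kind are kept."""
    tickets = []
    for finding in sorted(findings, key=priority, reverse=True):
        for path in trace_to_owners(graph, finding["asset"]):
            source = next((n for n in path if n.startswith("file:")), None)
            if source is None or not source.startswith(ORIGIN_PREFIX[finding["kind"]]):
                continue
            commit = next((n for n in path if n.startswith("commit:")), None)
            tickets.append({
                "finding": finding["id"],
                "priority": priority(finding),
                "owner": path[-1],
                "file": source,
                "commit": commit,
            })
    return tickets


if __name__ == "__main__":
    for ticket in build_tickets(ASSET_GRAPH, FINDINGS):
        print(ticket)
```

Run as a script it prints three tickets: the exploitable, internet-facing library flaw in production first, then the over-granted role (same environment, no known exploit), and the dev-only copy of the library flaw last, each addressed to the team that made the originating commit. In a real deployment the graph edges would come from the cloud inventory, the pipeline definitions and the repository history rather than from a literal.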
Tenable Cloud Security (part of the Tenable One platform) is an agentless solution that covers multi-cloud and hybrid cloud environments. It can address permissions-based issues and protect sensitive data by finding and classifying assets automatically. It can prioritise and categorise personally identifiable information, model training data, inference endpoints and similar assets according to their value to the organisation.
Tenable says that organisations deploying the combination of its and OX's systems report reduced ambiguity when assigning ownership to problems (think of it as more helpful, yet automated, 'finger-pointing') and a shorter time-to-remediation. "By connecting cloud risk to the exact code and developer responsible, this partnership eliminates ownership confusion and stops critical threats before they reach production," Tenable said in a blog post.
(Image source: "Clouds" by arripay is licensed under CC BY-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/2.0/)
CloudTech News is powered by TechForge Media.
