Wiz launched a community-driven database to improve reporting and transparency of cloud vulnerabilities, which are sometimes swept under the rug.
Motivated by troubling disparities between cloud and software vulnerability reporting and disclosure, Wiz threat researchers Alon Schindel and Amitai Cohen, along with Scott Piper, Principal Cloud Security Engineer at Block, created The Open Cloud Security Issues and Vulnerabilities Database. The novel project, which debuted Tuesday, offers a way to publicly catalog and classify flaws in the cloud, which can be useful for increasing business awareness and recognizing threat patterns. Additionally, it was designed to boost communication between cloud service providers (CSPs) and their customers.
Currently, there is no incentive for vendors to disclose cloud vulnerabilities because they are not assigned a Common Vulnerability and Exposure (CVE) and do not require user patches.
Mitre, a nonprofit organization that manages the CVE catalog, doesn’t track cloud vulnerabilities, Piper said, largely because it believes CSPs can fix problems. However, that is not always the case.
“There are times when customers have to take action or can take action to see if they have historically been affected by these issues,” Piper said. “A lot of the security community is guided by CVEs, so unless you have one, it’s not a problem.”
Without a CVE, there are no standards to measure the severity of a flaw or even a way for companies to verify whether they are using a vulnerable version. That makes prioritization difficult for security teams.
“There have been cases, for example, where the same problem has appeared on different services belonging to different providers. That’s something worth investigating further and investing more in to defend,” Cohen said.
Having a unique identifier like the CVE also makes discussions more efficient, Cohen said. Without identifiers or a catchy name, it’s hard to talk about cloud vulnerabilities.
Growing need for transparency
These issues, among others, were highlighted by several discoveries in recent years, including Wiz’s discovery and disclosure of ChaosDB, a bug discovered last year in Azure’s Cosmos DB.
Schindel said they noticed significant differences in the way software CVEs and cloud vulnerabilities were published. He also noted that each CSP had its own publication method, and in most cases the details were not publicly available. Emails or alerts were only set up for affected customers.
“We tried to investigate whether customers remediated vulnerabilities when notified by email, and we saw that remediation was relatively low, and we understood that there was an issue with the way cloud vulnerabilities and cloud security issues are handled in the cloud today,” Schindel said. “There is no process or standard on how to publish these vulnerabilities with all the relevant details.”
One difference they noticed between software and cloud vulnerability fixing is that software flaws require fixes that are shared between two different entities, the vendor and the user. That’s not the case with cloud flaws, which can be patched silently by the provider.
These issues have been troubling the information security community recently. First, Tenable CEO Amit Yoran called out Microsoft earlier this month after it quietly patched two critical cloud vulnerabilities in the Azure Synapse service reported by the security vendor. James Sebree, Principal Research Engineer at Tenable, published a separate blog post stating that “miscommunications and downplaying of the severity of issues in their cloud offerings stem from unusual behavior for MSRC in recent times.”
Shortly after the Tenable discovery, Orca Security researchers disclosed a different cloud vulnerability in Azure Synapse, dubbed “SynLapse,” involving insufficient tenant separation and putting sensitive customer data at risk. In a technical breakdown of SynLapse, Orca detailed a months-long struggle with Microsoft to fully remedy the flaw in the cloud, which involved multiple patch attempts.
Contributing to the database
Wiz credited the foundation for the project to Piper, a former AWS consultant who published a GitHub repository titled “Cloud Service Provider Security Bugs” that informally tracked known cloud vulnerabilities. Piper started the list, which covers Amazon Web Services, Google Cloud Platform, and Microsoft Azure, to track cloud incidents and findings for vendors, customers, and security researchers.
Now the list has been expanded into a database with a web UI, but entries must meet certain criteria. In addition to being a publicly known security issue in cloud services, the vulnerabilities must have a proven impact on cloud customers and require remediation actions on both sides of the shared responsibility model, according to the site.
Schindel, Cohen and Piper hope the project will incentivize CSPs to be more transparent. Currently, cloud providers are opaque on security issues and don’t disclose what happened with cloud-specific vulnerabilities or what the mitigations are, Piper said.
Another goal of the site is to minimize confusion on the customer’s side. The more information CSPs publish about a vulnerability, the fewer questions they will face from customers about the threat, Cohen said.
While Schindel said the team knows that cloud providers want their customers to be secure, it takes time and collaboration to properly disclose and address vulnerabilities.
“We hope it helps them see the value of this centralized list of security issues and helps cloud customers understand that this is something they need to ask their cloud service providers,” Schindel said. “As a community, we think that is something that is missing today.”
By making issues more public, cloud providers can see issues affecting their peers and potentially implement mitigations or ways to improve their own services.
“The more knowledge there is, hopefully it will drive cloud providers to do a better job overall,” Piper said.