Wiz researchers Alon Schindel and Amitai Cohen on Tuesday launched a community-based website, cloudvulndb.org, to catalog cloud vulnerabilities and security issues.
The researchers said that over the past year they have seen a growing number of cloud vulnerabilities disclosed by major cloud service providers. But Schindel and Cohen say security bugs in cloud services tend to fall through the cracks, because they do not fit neatly into the shared responsibility model of cloud security: the flaw is in the provider's service, yet the exposure is in the customer's environment. As a result, remediation often requires a joint effort between the CSP and its customers.
“There is currently no universal standard for cloud vulnerability enumeration — CSPs rarely issue CVEs for security mistakes discovered in their services, there are no industry conventions for assessing severity, no proper notification channels and no unified tracking mechanism,” said Schindel and Cohen. “In most cases, CSPs respond quickly to fix the security issue on their side, but the lack of standardization leaves many cloud customers vulnerable and unaware of the issues in their environments.”
In setting up the new website, the Wiz researchers aim to pave the way for a centralized cloud vulnerability database by cataloging CSP security mistakes in a new format and listing the exact steps CSP customers can take to detect or prevent these issues in their own environments. The website's content is generated automatically from a public GitHub repository, so entries are contributed and revised through that repository rather than edited on the site itself.
Christopher Prewitt, chief technology officer at Inversion6, said while another vulnerability repository may not solve all our security problems, these issues should be publicized and addressed. Prewitt said the idea behind a cloud vulnerability database makes sense, as more and more organizations migrate workloads to the cloud.
“Our understanding of this new architecture is often limited and growing over time; having better visibility and coordination around known risks and vulnerabilities would be something all parties would benefit from,” Prewitt said. “Wiz is well-positioned to help lead this effort.”
Davis McCarthy, principal security researcher at Valtix, said that while much of an endpoint's security falls on the user, the ecosystems offered by CSPs are an extension of hardware and software that is outside the customer's control. McCarthy said the enterprise will need a layered defense to mitigate exploitation in the cloud as more vulnerabilities are found across this growing attack surface.
“Cloud platforms could become security bottlenecks for thousands of organizations without effective and transparent vulnerability management,” McCarthy said. “The creation of this database should provide insight into the overall security posture of a CSP, as well as the risk of latent threats that were never previously measured by the public.”
Ryan Thomas, vice president of product management at LogicHub, added that the initiative is timely and important. Thomas said it is clear that there are many types of in-cloud and cross-cloud vulnerabilities that do not fit the conventional definition of a CVE.
“The extensive use of APIs by cloud services opens new areas of risk, but it also can give users greater visibility and control if they are made aware of weaknesses,” Thomas said. “It's also encouraging to see major cloud vendors like AWS leaning into this initiative, and realizing that while users need to ‘own’ their security, the cloud vendors must proactively close gaps and vulnerabilities ASAP.”