Ori Bendet, Author at Checkmarx (https://checkmarx.com/author/oribendet/), feed last updated Thu, 01 Aug 2024 11:07:55 +0000

2023: A Year in Review
https://checkmarx.com/blog/2023-a-year-in-review/
Thu, 21 Dec 2023 12:00:00 +0000

2023 was an amazing year from an application security point of view. We saw the emergence of GenAI and the rise of ASPM, along with a series of new attacks targeting the wider software supply chain. At Checkmarx we also had an incredible year: a platform launch, a ChatGPT plug-in, and ground-breaking security research.

Let’s take a look back at the highlights from the past 365 days.

Application Risk Management powered by Fusion 2.0 

The biggest challenge in security today, and in application security specifically, is noise. Call it “alert fatigue” or simply “I have too many vulnerabilities, where do I start?” Development teams are overwhelmed by the number of alerts they receive and often cannot quickly tell which ones are the most critical. Enterprises already ship vulnerable code to production, so the challenge isn’t fixing everything; it’s fixing what matters most to the business.

We launched Application Risk Management as an answer to exactly that. Powered by Fusion 2.0, it gives enterprises a prioritized list of vulnerabilities so they know where to start remediating, and a risk indicator per application so management can assess and manage the risk of each application.

Codebashing 2.0 with Security Champions

Over the last couple of years we have seen how valuable developers are to effective application security. One way to drive adoption across an enterprise is a security champion program backed by security education built specifically for developers. Codebashing 2.0 was built with developers in mind: a fresh look and feel, gamification that appeals to developers’ competitive streak, and the ability to train and certify anyone in the organization as a security champion.

CheckAI

Since ChatGPT’s launch at the end of 2022, everyone has been talking about GenAI. Developers use it to generate code, designers use it to create new graphics, and my mother uses it to get travel recommendations. It is truly life-changing technology. As with many ground-breaking technologies, the risks are not yet fully understood. As GenAI solutions spread rapidly through the industry, we started to see new types of attacks that exploit GenAI: prompt injection, hallucinations (for example, an assistant recommending a package that does not exist, whose name an attacker can then register), and outright malicious LLMs. This is why we introduced CheckAI, the industry’s first and only GPT plugin that scans GenAI-generated code and protects against AI hallucination attacks. And we are just getting started here; expect much more in 2024.

A new supply-chain module in Checkmarx One

Checkmarx was the first vendor to include malicious-package detection in an SCA solution, back in 2022. We now have the largest malicious-package database on the market, with over 8 million analyzed packages and over 250K identified as malicious. But the software supply chain is far more than open source packages. Protecting it means covering everything in your development process: your CI/CD plugins and configurations, your compilers and, yes, your open source packages. In Checkmarx One 3.0 we introduced a dedicated module for the wider software supply chain, with two new engines: enterprise secrets detection (built on 2ms, Too Many Secrets) and repository health (built on the OpenSSF Scorecard). We will continue to add coverage throughout 2024.

Checkmarx One 3.0

Probably our biggest launch of the year, Checkmarx One 3.0 marks two years of investment in the Checkmarx One platform. With close to 500 enterprise customers already using it and over 100 billion lines of code scanned every month, it is the application security platform every enterprise needs. With over 660 new capabilities introduced in 2023 and 8 solutions already on the platform, it was a remarkable release. The launch event drew over 1,500 registrants and was broadcast around the globe to our customers, prospects, partners and analysts.

Stay tuned to what is yet to come in 2024 and in version 4.0!

Top 5 IaC Misconfigurations You Should Avoid
https://checkmarx.com/blog/top-5-iac-misconfigurations-you-should-avoid/
Mon, 20 Dec 2021 11:37:40 +0000

Famed driver Mario Andretti once said,

“If everything seems under control, you’re not going fast enough.”

With the recent rise of cloud-native technologies, everything moves faster than ever. Development cycles are shorter, and teams deploy to production continuously. Business demands and time-to-market drive the need for speed, and as development teams try to keep up, the stakes rise: a single change can reach your entire customer base within minutes.

One of those cloud-native technologies is Infrastructure-as-Code (IaC), which automates provisioning and deploying your infrastructure at the speed of DevOps. Besides the well-known benefits, this brings major risks to your applications and the infrastructure beneath them: a single change in your IaC reaches production in a matter of minutes, and a single mistake can open a new attack vector just as fast.

Based on recent research analyzing a vast number of KICS scans, here are the top IaC misconfigurations you should be aware of.

Top 5 Misconfigurations

  1. Open ports – open TCP/UDP ports remain the top misconfiguration to date: HTTP ports, SSH ports, load-balancer (ELB) listeners, or any other port that isn’t needed. The classic case is SSH (TCP port 22), usually opened for remote debugging and notoriously left reachable from the whole internet (a security group rule for 0.0.0.0/0) for no good reason. Port scanning is the first step in almost every attacker’s TTPs, and attackers run bots that continuously scan for exposed services; once they find one, they brute-force or password-spray the login and frequently gain access to servers and other devices. Close the ports you don’t need, restrict the ones you do need to the source ranges that require them, and document the reason for any port that stays open.
  2. Excessive permissions – as previously written in this blog, granting a cloud resource the wrong permissions creates exactly the attack surface attackers are hoping for. An S3 bucket configured with a public-read ACL lets anyone enumerate and download its contents, exposing private information. Understand the least-privilege permissions each cloud resource actually needs, and don’t leave anything to chance.
  3. Lack of proper definitions – resources missing properties they should have. This affects observability (e.g., no access logging), encryption (e.g., S3 objects without server-side encryption), or anything in between. Know which resource requires which property, and make sure it is configured in every case, not just the ones you remembered.
  4. Hard-coded secrets (in your IaC) – while not limited to IaC, this remains a top challenge for all code, application source included; in IaC it typically means cloud credentials, database passwords or API tokens committed to version control. Once exposed, attackers can use the keys to read sensitive information, shut down services, or create whatever resources they need.
  5. IaC security drift – we have all been there: the process is followed, the pipelines are all green, then something happens in production and we must make a “small” change by hand. Those small changes can carry a huge risk, and because they bypass every check in your pipeline, they should be made through code, not directly. Using drift-detection tooling (e.g., Terraformer or driftctl) you can export a static file that represents your current production environment, then scan it with KICS to make sure the manual change didn’t introduce any new risk.
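To make items 1 to 4 concrete, here is a small checker, added as an example for this post and not KICS or any other Checkmarx code, that runs checks of the same shape over Terraform’s JSON syntax (.tf.json). It embeds two constructed documents: one with an SSH rule open to 0.0.0.0/0, a public-read bucket, a bucket without server-side encryption, a literal database password and an access key ID in user_data, and the same resources with each issue fixed. Every resource name, bucket name, AMI, CIDR and credential in it is hypothetical (the key ID is AWS’s documented example key), and the function names are this example’s own.

```python
"""Toy IaC misconfiguration checker for Terraform JSON (.tf.json) input.

Added example, not KICS or any Checkmarx code: plain-Python checks analogous to
items 1-4 above, showing concretely what such a rule tests. Both sample documents
are constructed; every name, AMI, CIDR and credential is hypothetical (the key ID
is AWS's documented example key).
"""
import json
import re

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone on the internet"
ADMIN_PORTS = {22, 3389}              # SSH, RDP
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_ATTR_RE = re.compile(r"password|secret|token|api_key", re.I)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample containing one instance of each misconfiguration.
BAD_TF_JSON = json.dumps({"resource": {
    "aws_security_group": {"debug_sg": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_s3_bucket": {"reports": {"bucket": "example-reports", "acl": "public-read"}},
    "aws_db_instance": {"main": {"engine": "postgres", "username": "admin", "password": "Summer2021!"}},
    "aws_instance": {"worker": {"ami": "ami-12345678",
                                "user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}}}})

# Same resources, each issue fixed: SSH limited to an internal range, bucket private
# and encrypted, password passed by reference, no key in user_data.
GOOD_TF_JSON = json.dumps({"resource": {
    "aws_security_group": {"debug_sg": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    "aws_s3_bucket": {"reports": {"bucket": "example-reports", "acl": "private",
        "server_side_encryption_configuration": {"rule": {
            "apply_server_side_encryption_by_default": {"sse_algorithm": "aws:kms"}}}}},
    "aws_db_instance": {"main": {"engine": "postgres", "username": "admin", "password": "${var.db_password}"}},
    "aws_instance": {"worker": {"ami": "ami-12345678", "user_data": "#!/bin/sh\necho ready"}}}})

def _resources(doc):
    """Yield (type, name, body) per resource block; hcl2json wraps bodies in a list."""
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            yield rtype, name, body[0] if isinstance(body, list) else body

def _string_attrs(node, key=""):
    """Yield (attribute_name, value) for every string leaf under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _string_attrs(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _string_attrs(v, key)
    elif isinstance(node, str):
        yield key, node

def _finding(rule, severity, rtype, name, message):
    return {"rule": rule, "severity": severity, "resource": f"{rtype}.{name}", "message": message}

def check_open_ports(rtype, name, body):
    """Item 1: ingress reachable from the whole internet; HIGH for SSH/RDP or all ports."""
    if rtype != "aws_security_group":
        return
    for rule in body.get("ingress", []):
        exposed = (set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))) & WORLD_CIDRS
        if not exposed:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        all_ports = str(rule.get("protocol")) == "-1" or (lo, hi) == (0, 0)
        admin = all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)
        port_text = "all ports" if all_ports else f"port(s) {lo}-{hi}"
        yield _finding("open-ports", "HIGH" if admin else "LOW", rtype, name, f"{port_text} open to {sorted(exposed)}")

def check_public_bucket(rtype, name, body):
    """Item 2: S3 canned ACL that grants anonymous read or write."""
    if rtype == "aws_s3_bucket" and str(body.get("acl", "private")).startswith("public"):
        yield _finding("excessive-permissions", "HIGH", rtype, name, f"bucket ACL is {body['acl']}")

def check_missing_encryption(rtype, name, body):
    """Item 3: S3 bucket with no inline server-side encryption block (AWS provider v3 form;
    provider v4 moved it to a separate resource, which would need cross-resource correlation)."""
    if rtype == "aws_s3_bucket" and "server_side_encryption_configuration" not in body:
        yield _finding("missing-definition", "MEDIUM", rtype, name, "no server_side_encryption_configuration")

def check_hardcoded_secrets(rtype, name, body):
    """Item 4: credential literals anywhere in the body; "${var.x}"-style references are fine."""
    for attr, value in _string_attrs(body):
        if AWS_KEY_ID_RE.search(value):
            yield _finding("hard-coded-secret", "HIGH", rtype, name, f"AWS access key ID in {attr!r}")
        elif SECRET_ATTR_RE.search(attr) and not value.startswith("${"):
            yield _finding("hard-coded-secret", "HIGH", rtype, name, f"literal value in {attr!r}")

CHECKS = (check_open_ports, check_public_bucket, check_missing_encryption, check_hardcoded_secrets)

def scan(tf_json_text):
    """Run every check over a .tf.json document and return findings, worst first."""
    doc = json.loads(tf_json_text)
    findings = [f for rtype, name, body in _resources(doc) for check in CHECKS for f in check(rtype, name, body)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["resource"]))

if __name__ == "__main__":
    for f in scan(BAD_TF_JSON):   # GOOD_TF_JSON produces no findings
        print(f"{f['severity']:<6} {f['rule']:<22} {f['resource']}: {f['message']}")
```

Run as-is, the bad document yields six findings (four HIGH, one MEDIUM, one LOW for HTTPS open to the world, which is reported so that the “good reason” for item 1 is a conscious decision) and the fixed document yields none. Real-world rules differ in breadth and evidence, not in kind: a KICS query is the same predicate over the parsed IaC, expressed as a query rather than Python.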

Leveraging Infrastructure-as-Code is a critical part of achieving true infrastructure agility, but you should be aware of the risks that come with it. Running fast is important, but don’t become blind to what errors and omissions can surface. Know the misconfigurations listed above and tackle them from the very beginning.

If you want to automate your IaC security scanning, you can easily integrate KICS into your pipeline and make sure you are managing your IaC risk appropriately.
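As an added example (not from the original post), here is a minimal GitHub Actions job that runs the public checkmarx/kics container image on every pull request and fails the build on high or medium findings. The workflow name, the infra/ directory, the action versions and the failure threshold are assumptions to adapt; confirm the flag set with kics scan --help for the image tag you pin.

```yaml
# Added example: scan IaC with KICS on every pull request. The workflow name,
# the infra/ path, action versions and the fail threshold are assumptions.
name: iac-security-scan
on: [pull_request]

jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS against the IaC directory
        # Pin a specific image tag in a real pipeline instead of :latest.
        run: |
          docker run --rm -t -v "${PWD}:/path" checkmarx/kics:latest \
            scan -p /path/infra -o /path/kics-results \
            --report-formats json,sarif \
            --fail-on high,medium

      - name: Keep the report for triage
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: kics-results
          path: kics-results/
```

The same job, pointed at the Terraform files an export tool such as Terraformer produces from the live account, is the drift check described in item 5 above: the exported files are scanned exactly like the ones in the repository, so a manual console change that opened a port or removed encryption shows up as a finding.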

More about KICS

KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in popular IaC solutions and OpenAPI 3.0 specifications. KICS is open source and always will be: both the scanning engine and the security queries are open to the software development community. With 2000+ fully customizable heuristic rules (queries), KICS can be edited, extended, and added to, and its simple but robust architecture makes it straightforward to support new IaC solutions.

Almost 500,000 people are already taking advantage of KICS. Download KICS for free here and start securing your IaC today!
