Cloud security company Wiz recently announced a community-based website, cloudvulndb.org, that provides a centralized cloud vulnerabilities database for public access. While the database fills gaps left by MITRE’s CVE vulnerability system and the current shared-responsibility model for cloud security issues, it will require additional, widespread industry support in order to be successful, according to security experts.
The new vulnerability database is a continuation of Wiz’s efforts to streamline the detection and management of cloud vulnerabilities which, it says, often fall through the cracks of the current systems.
The shared responsibility model, for example, splits security work between cloud service providers (CSPs) and their customers: the CSP attends to physical security, hardware and managed services, while the customer is accountable for software, identities and data protection. This model has fallen short in addressing newer bugs, because they do not fit entirely into either category, according to a Wiz blog on why a cloud vulnerability database is needed.
A central vulnerability database, Wiz says, will help catalogue CSP security issues, and can list the exact steps CSP customers can take to detect or prevent these issues in their own environments.
“This is a first step in a long effort, and we are really focused on the community aspects of this website,” says Amitai Cohen, a threat researcher at Wiz and co-author of the blog. “We think that this website is the first of its kind and we hope that we add more contributions and maintainers with time. We have plans of adding more features on the website, like linking it up with other systems, whether by adding an API or an RSS feed.”
Security analysts and other experts acknowledge concerns and have been calling out for, among other things, an alternative to the CVE (common vulnerabilities and exposures) system.
Why the CVE system falls short on cloud security
“The current CVE system doesn’t (yet) include a comprehensive list of vulnerabilities across all cloud environments,” says Gary McAlum, a senior analyst at TAG Cyber. “CSPs are issuing their own patches that generally are not captured in the CVE system. This leads to security teams having to develop their own methodologies for tracking and remediating those cloud issues that affect them. This approach is cumbersome, manual, and prone to failure and blind spots.”
Understanding how the CVE system works is critical to knowing what it lacks. The CVE system is a list of entries maintained by MITRE, with funding from the US Department of Homeland Security. Each CVE entry has an identification number and a description of a publicly known cybersecurity vulnerability.
CVEs can be thought of as identifiers for security vulnerabilities that already are or are expected to become public. CVEs can only be assigned by CVE numbering authorities (CNAs), which include software vendors, open source projects, hosted services and research groups. Subsequently, the CVEs are published in the MITRE CVE database, making tracking and remediation of those vulnerabilities possible.
The widely adopted CVE IDs also carry additional information about the vulnerability, such as workarounds, affected software versions and Common Vulnerability Scoring System (CVSS) scores.
The CVE rule that is problematic for cloud
According to a Cloud Security Alliance (CSA) web post, the criteria that are strictly followed while assigning an ID to a vulnerability have one rule that is particularly problematic for cloud-based services. The rule, INC3, states that a vulnerability should only be assigned a CVE ID if it is customer-controlled or customer-installable. For instance, a bug in a CRM application installed on a company server fulfils that requirement.
This rule, though, creates complications for cloud services. It prevents vulnerabilities in systems that are not customer controlled, or whose control is shared with the CSP, from being assigned CVE IDs. This, in turn, prevents information about those vulnerabilities, such as workarounds, affected versions, references and patches, from being centrally distributed. The CSA recommends obtaining industry feedback and approval for possible modifications to the INC3 rule to accommodate cloud vulnerabilities.
While adjustments to the rule are little more than a work in progress, Wiz has stepped up with cloudvulndb.org as a more immediate solution.
“We have worked with MITRE in the recent past and have communicated the gap we see in CVE with regards to cloud vulnerabilities,” says Alon Schindel, director of data and threat research at Wiz. “They have been positive and seem to acknowledge the gap. Although, an adjustment of this sort to a concrete framework in practice takes more time and industry scale feedback.”
Wiz is scheduled to have a follow-up meeting with MITRE to further discuss cloudvulndb.org, Schindel says.
Wiz offers solution for cloud vulnerability reporting
Cloudvulndb.org is essentially a CVE-like registry for tracking and cataloguing vulnerabilities on public cloud platforms. The website has been developed to serve as an open-source resource for all known cloud vulnerabilities and exploits, including security flaws in the leading public clouds: AWS, Azure and Google Cloud Platform.
“Having a cloud vulnerabilities database should hold the CSPs accountable for security issues found in their environments,” says Chris Steffen, research director at analyst firm Enterprise Management Associates. “While most of the security-related issues in the cloud are generally the result of misconfiguration by the end user, or a misunderstanding of the shared responsibility model, the cloud providers are not infallible, and having a central repository for security related issues that are directly the responsibility of the CSPs could be valuable.”
The cloudvulndb.org website is based on the GitHub repository “Cloud Security Provider security mistakes” developed by Scott Piper, who is now co-maintainer of cloudvulndb.org. The website’s content presently lists a total of 70 vulnerabilities, all originally listed on Piper’s GitHub repository, and invites public contributions to enrich the database by creating a pull request to add a new issue or edit an existing one.
“I’m thrilled to see the list of cloud provider security mistakes that I was maintaining as a list in a GitHub repo turned into a more community driven and easier to consume site!” Piper said in a recent tweet. “From day one people had wanted easier searching, sorting, and filtering, and this will enable that.”
Cloudvulndb.org needs industry support, analysts say
Analysts applauded the move, but cautioned that broad industry support will be necessary.
“While this is a much-needed step in the right direction, unless it becomes fully institutionalized and adopted, it will not be successful in the long run. It’s imperative that CSPs support and enable this capability. The automatic derivation from GitHub is a nice feature and should account for most cloud vulnerabilities through community reporting,” says TAG Cyber’s McAlum.
However, McAlum points out, to be as up-to-date and accurate as possible, CSP support is a critical success factor.
Enterprise Management’s Steffen concurs, saying, “The key is two-fold: including relevant vulnerabilities that are not covered through one of the other major sources already (i.e., MITRE) and secondly, getting the cooperation of the CSPs to validate and remediate proposed cloud CVEs.”
Wiz’s Schindel says he understands that the new cloud vulnerability database has challenges and adds that the company has a “good relationship with several CSPs” and is working on collaborating with them to bolster the website.