Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Bridgecrew Releases State of Open Source Terraform Security Report

Bridgecrew Releases State of Open Source Terraform Security Report

This item in japanese

Bridgecrew, a developer-first platform that codifies cloud security, recently published the State of Open Source Terraform Security report. To scan around 2,600 Terraform modules within public and open source Terraform Registry, the company utilized open-source Infrastructure-as-Code (IaC) static analysis tool Checkov. One of the key findings reveals that modules used to provision AWS resources are most likely misconfigured.

Emphasizing that Terraform is thriving, the report states that there has been a dramatic rise in module contributions within Terraform Registry in Q2 2020. However, as IaC security may not be a top priority for the community, 48% of these modules are misconfigured. Guy Eisenkot, co-founder and VP of product, Bridgecrew, said, "At a time when organizations are embracing DevSecOps principles more and more, we were surprised by the gaps in security coverage and awareness at the IaC level."

The report highlighted that the majority of Checkov checks failed because the engineering teams did not define modules' optional arguments for enhancing data security and traceability. The checks were categorized according to the classifications defined by Center of Internet Security (CIS), applicable across cloud providers.

Pointing out the lack of awareness about defining logging at the IaC level, the report has shown that the backup and recovery category was the most common failing check category with 81% of failing checks. Logging and encryption took the 2nd and 3rd place, respectively. With the AWS modules, more than half of checks in these categories failed.

When looking at the Registry module downloads, over 15 million downloads contained misconfigured resources. Clarifying that these misconfigurations do not represent a risk, the report explained that the impact is on organizations' overall compliance posture. The report further concluded that out of the top ten most downloaded modules, eight contain misconfigurations. The most downloaded misconfigured modules include top-rated and widely used services such as AWS RDS, AWS EKS, AWS ELB, and AWS IAM.

In parallel, a HashiCorp spokesperson highlighted the advantages of Enterprise edition to The New Stack, "At HashiCorp, one of the things we focus on is bringing governance to organizations and teams while not sacrificing the benefits of open source. Terraform Cloud and Enterprise offerings help organizations with governance and compliance to avoid scenarios like those suggested in this report."

Further to this, Terraform Registry has a "verified" status to indicate Hashicorp has confirmed the authenticity of the module, but this does not indicate that the Hashicorp has reviewed the module's contents.

In conclusion, the report recommends fixing misconfigurations fast and early. This can be achieved by incorporating backup and log auditing policies, taking a comprehensive approach for network or IAM resizing, and migrating existing non-IaC workloads into pre-vetted modules with explicit encryption definition at rest and in transit.

The full State of Open Source Terraform Security 2020 report can be downloaded via the Bridgecrew website.

Rate this Article