Idan Tendler, Co-founder and CEO, Guy Eisenkot, Co-founder and VP of Product and Barak Schoster, Co-founder and CTO
FREMONT, CA: Bridgecrew, a San Francisco-based company that came out of stealth this April, has published its first research report analyzing the infrastructure-as-code (IaC) security ecosystem. The State of Open Source Terraform Security report points out the areas in need of improvement.
The IaC Security Challenge
IaC, popularized by open-source frameworks such as HashiCorp's Terraform, is used to provision cloud resources with improved immutability and scalability. However, security has yet to catch up with this emerging technology.
"At a time when organizations are embracing DevSecOps principles more and more, we were surprised by the gaps in security coverage and awareness at the IaC level. Teams have relied on cloud providers' native tools and traditional security posture management solutions, but they aren't getting the commit-to-cloud visibility they need," said Guy Eisenkot, Co-founder and VP of Product, Bridgecrew.
IaC adds another layer of complexity to already intricate cloud-native environments, which makes it difficult to know whether security controls are in place and where they should be monitored.
Bridgecrew perceives this challenge as an access and knowledge gap. The San Francisco-based startup has been helping teams bridge those gaps with its open-source tools, SaaS platform, and now with research like this.
The Research
Bridgecrew utilized Checkov, its open-source IaC security tool, to scan the Terraform Registry, the largest public resource of IaC modules. The report examines compliance trends across categories like encryption, networking, and cloud providers.
Here are some top discoveries:
• 44 percent of modules used to provision Azure, AWS, and Google Cloud resources are misconfigured.
• Misconfigured modules have been downloaded more than 15 million times since 2017.
• Q2 2020 had the highest module growth and an increase in misconfigurations.
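To make concrete what a scan like the one described above looks for, here is an added example (not Bridgecrew's code, not Checkov itself, and not taken from the report): a minimal policy scanner that walks the resource blocks of a Terraform module and flags two of the common misconfiguration categories the report mentions, missing encryption and over-permissive networking. The two Terraform modules below are constructed for illustration and are not Terraform Registry modules; the policy titles, function names and the `misconfiguration_rate` helper are this example's own, chosen to mirror the report's "percentage of modules misconfigured" metric.

```python
import re

# Constructed sample module (not from the Terraform Registry): an S3 bucket with no
# server-side encryption and a security group that allows SSH from anywhere.
MISCONFIGURED_MODULE = '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "private"
}

resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

# The same constructed module with both findings remediated.
FIXED_MODULE = '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }
}

resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def resource_blocks(hcl):
    """Yield (type, name, body) for every top-level resource block."""
    for m in RESOURCE_RE.finditer(hcl):
        yield m.group(1), m.group(2), _block_body(hcl, m.end() - 1)


def nested_blocks(body, name):
    """Yield the bodies of nested blocks called `name` (e.g. every `ingress { ... }`)."""
    for m in re.finditer(r'\b%s\s*\{' % re.escape(name), body):
        yield _block_body(body, m.end() - 1)


def _int_attr(block, key, default):
    m = re.search(r'\b%s\s*=\s*(-?\d+)' % key, block)
    return int(m.group(1)) if m else default


def s3_bucket_encrypted(body):
    # Encryption-at-rest check: the bucket must declare a server-side encryption configuration.
    return 'server_side_encryption_configuration' in body


def sg_allows_ssh_from_world(body):
    # Networking check: any ingress rule covering port 22 with a 0.0.0.0/0 source fails.
    for ingress in nested_blocks(body, 'ingress'):
        lo, hi = _int_attr(ingress, 'from_port', 0), _int_attr(ingress, 'to_port', 65535)
        cidrs = re.search(r'cidr_blocks\s*=\s*\[([^\]]*)\]', ingress)
        if lo <= 22 <= hi and cidrs and '"0.0.0.0/0"' in cidrs.group(1):
            return True
    return False


# Policy table: resource type -> list of (finding title, predicate that must hold).
POLICIES = {
    'aws_s3_bucket': [('S3 bucket has no server-side encryption configured', s3_bucket_encrypted)],
    'aws_security_group': [('Security group allows SSH from 0.0.0.0/0',
                            lambda body: not sg_allows_ssh_from_world(body))],
}


def scan(hcl):
    """Return one finding string per failed policy, in resource order."""
    findings = []
    for rtype, rname, body in resource_blocks(hcl):
        for title, passes in POLICIES.get(rtype, []):
            if not passes(body):
                findings.append(f'{rtype}.{rname}: {title}')
    return findings


def misconfiguration_rate(modules):
    """Percentage of modules with at least one finding (the report's headline metric)."""
    flagged = sum(1 for hcl in modules if scan(hcl))
    return 100.0 * flagged / len(modules)


if __name__ == '__main__':
    for finding in scan(MISCONFIGURED_MODULE):
        print(finding)
    print(f'{misconfiguration_rate([MISCONFIGURED_MODULE, FIXED_MODULE]):.0f}% of modules misconfigured')
```

The brace-matching parser is deliberately minimal (no expressions, variables or `for_each`); a real scanner such as Checkov parses HCL properly and ships hundreds of policies, but the shape is the same: a policy table keyed by resource type, a predicate per policy, and a per-module pass/fail that rolls up into the percentages the report quotes.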
"IaC compliance is a huge area of risk for cloud-native organizations, but it's also a huge opportunity in terms of both security and cost-management. Knowing about the risks is the first step to seizing that opportunity," remarked Barak Schoster, Co-founder and CTO, Bridgecrew.