Aqua Security - Experts & Thought Leaders
Latest Aqua Security news & announcements
Aqua Security, the pioneer in cloud-native security, announced VEX Hub, a vendor-neutral repository for VEX (Vulnerability Exploitability eXchange) documents. VEX is a new industry standard for communicating and sharing vulnerability information about software artifacts: a VEX statement records whether a given product or artifact is actually affected by a given vulnerability. VEX Hub provides users and software maintainers with a single library of that information and, as a result, fewer false positives.

VEX Hub

VEX Hub aggregates VEX documents from software maintainers and organises them in a central repository, making them accessible for consumption by scanning tools. VEX Hub information improves the accuracy of scanning results and provides actionable vulnerability reports to users. As part of the release, the latest version of the Aqua Trivy open-source scanner consumes VEX Hub information so users can better prioritise vulnerabilities and reduce alert fatigue.

Collecting relevant vulnerability exploitation information

“For years, users have struggled to locate and prioritise software vulnerabilities, and maintainers have struggled with how to share the information. VEX was created to solve these problems,” said Itay Shakury, VP of Open Source at Aqua Security. “The missing piece to date is a system to collect the relevant vulnerability exploitation information into a central repository – that’s where VEX Hub comes in. We have worked with the VEX community since inception, and we’re ready to take VEX to the next level with VEX Hub.”

Trivy v0.54

VEX Hub is built for collaboration and simplifies the management of VEX information. Aqua’s open-source team has created one place for maintainers to easily share timely vulnerability updates, and for users to find and access critical vulnerability exploitation information. VEX Hub support was included in the latest version of Trivy, v0.54, so those running this version can use VEX Hub in their Trivy scans with the '--vex repo' flag. Trivy will then deliver fewer false positives and more accurate, actionable vulnerability reports.
Aqua Security, the pioneer in cloud-native security, revealed new research that shows how credentials, API tokens, and passkeys – collectively referred to as secrets – from organisations around the globe were exposed for years. By scanning the 100 most popular organisations on GitHub, which collectively include more than 50,000 publicly accessible repositories, Aqua researchers found active secrets from open-source organisations and enterprises such as Cisco and Mozilla that provided access to sensitive data and software. The exposed secrets could lead to significant financial losses, reputational damage, and legal consequences.

Secrets in GitHub repositories

Aqua Security’s research team, Aqua Nautilus, revealed that “phantom secrets” can persist in the Git-based infrastructure used by most Source Code Management systems (SCMs), including GitHub, GitLab, Bitbucket, and others. This is because commits that were later overwritten or deleted remain stored in those systems, so even a one-time developer mistake can expose secrets to savvy threat actors over extended periods.

Impact of a data leak

“Our findings are truly alarming, and everyone involved in software development must grasp the seriousness of this issue,” says Yakir Kadkoda, Aqua Nautilus Lead Security Researcher. “For years, we’ve been educating developers not to hard-code secrets into their code. Now it turns out that even doing this just once permanently exposes that secret – even when they thought it was deleted or overwritten. The impact of a sensitive data leak can lead to unauthorised access, compromised security controls, and significant financial or reputational damage. This would be devastating.”

API tokens

Among the exposed secrets found by scanning open GitHub repositories were API tokens of Cisco Meraki and the Mozilla project.
The Cisco security team confirmed the findings: “We discovered privileged Meraki API tokens used by some Fortune 500 companies. These tokens could allow attackers to access network devices, Simple Network Management Protocol secrets, camera footage, and more, serving as an initial foothold for the exposed parties.”

Mozilla project

The Mozilla project acknowledged that “An API token for the Mozilla FuzzManager with read-write privileges” and that “an employee’s API token for sql.telemetry.mozilla.org was leaked”; both were assigned a “Critical” score. The FuzzManager token exposes records of many potential security vulnerabilities in Firefox and Tor, and the telemetry token gives access to confidential information related to Mozilla products and business.

Azure service principal token

Additionally, Nautilus found an Azure service principal token belonging to a large healthcare company exposed in a Git commit. The token was highly privileged and could obtain credentials for the organisation’s internal Azure Container Registry, which could have let an attacker mount a supply chain attack affecting the organisation and its customers. In all cases, the exposed secrets were immediately revoked.

Commit once, expose forever

While secure coding best practices already require that secrets not be hard-coded, many developers continue this practice. They rely on secret scanning tools to ensure that such secrets are not pushed into production, and often re-commit the updated code without those secrets. Phantom secrets exist because of underlying processes within Git-based SCMs that leave code which was overwritten or deleted in a repository still accessible within the underlying system. Most secrets scanners only look at what the Git clone command returns, which overlooks almost 18% of the secrets found.
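The "commit once, expose forever" mechanism described above, reproduced as an added example that is not Aqua Security's or any SCM vendor's code. A local bare repository stands in for the hosting server; a developer clone pushes a commit containing a secret, amends it away and force-pushes; a fresh clone then shows what a clone-based scanner sees. The secret string, file name and repository paths are constructed for the demo, and git is assumed to be installed. Only the object-store mechanism is shown: the API and commit-URL access paths and the retention behaviour of hosted services that the research describes are not reproduced here.

```shell
#!/bin/sh
# Added example, not code from Aqua Security or any SCM vendor. It models how an
# overwritten commit survives in the server-side object store while a normal
# clone never receives it. All names and the secret value are constructed.
set -eu

export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1   # ignore host git config

SECRET='EXAMPLE_TOKEN_0123456789abcdef'   # constructed, not a real credential

# Build the lab: push a commit holding the secret, "fix" it with amend plus
# force-push, then clone what the server now advertises. Sets LAB and LEAKED.
setup_lab() {
  LAB=$(mktemp -d)
  git init -q --bare "$LAB/server.git"            # stands in for GitHub/GitLab/Bitbucket
  git init -q "$LAB/dev"
  git -C "$LAB/dev" remote add origin "$LAB/server.git"
  printf 'api_token = "%s"\n' "$SECRET" > "$LAB/dev/config.py"
  git -C "$LAB/dev" add config.py
  git -C "$LAB/dev" commit -qm 'add config'
  LEAKED=$(git -C "$LAB/dev" rev-parse HEAD)       # hash of the commit holding the secret
  git -C "$LAB/dev" push -q origin HEAD             # the one-time mistake reaches the SCM
  printf 'import os\napi_token = os.environ["API_TOKEN"]\n' > "$LAB/dev/config.py"
  git -C "$LAB/dev" add config.py
  git -C "$LAB/dev" commit -q --amend -m 'add config'
  git -C "$LAB/dev" push -q --force origin HEAD     # history rewritten; old commit now unreachable
  # --no-local forces the normal fetch negotiation. A plain local-path clone
  # would hardlink the whole object store and hide the effect being shown.
  git clone -q --no-local "$LAB/server.git" "$LAB/clone"
}

# Occurrences of the secret in the reachable history of a repository, i.e. what
# a scanner working from `git clone` / `git log` can see.
count_in_reachable_history() {
  git -C "$1" log -p --all | grep -c -- "$SECRET" || true
}

# Retrieve the file from the overwritten commit by hash. Succeeds wherever the
# object store still holds the object (the server); fails on the clone.
fetch_overwritten_file() {
  git -C "$1" cat-file -p "$LEAKED:config.py" 2>/dev/null
}

# Scan every object in a repository's store, reachable or not, for the secret
# and print the blob ids that contain it. This is the phantom-secret scan.
scan_all_blobs() {
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' |
  while read -r oid type; do
    [ "$type" = blob ] || continue
    if git -C "$1" cat-file -p "$oid" | grep -q -- "$SECRET"; then
      echo "$oid"
    fi
  done
}

# Commits that no ref (or reflog) points at any more.
unreachable_commit_count() {
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null | grep -c '^unreachable commit' || true
}

setup_lab
trap 'rm -rf "$LAB"' EXIT
echo "secret in reachable history, clone:  $(count_in_reachable_history "$LAB/clone")"
echo "secret in reachable history, server: $(count_in_reachable_history "$LAB/server.git")"
echo "overwritten commit $LEAKED readable from clone:  $(fetch_overwritten_file "$LAB/clone" >/dev/null && echo yes || echo no)"
echo "overwritten commit $LEAKED readable from server: $(fetch_overwritten_file "$LAB/server.git" >/dev/null && echo yes || echo no)"
echo "blobs holding the secret in the server object store: $(scan_all_blobs "$LAB/server.git" | wc -l | tr -d ' ')"
echo "unreachable commits on the server: $(unreachable_commit_count "$LAB/server.git")"
```

Run it with sh. The reachable history is clean on both sides, so a scanner that clones and walks `git log` reports nothing; yet the server's object store still returns the original config.py when asked for the old commit hash, and fsck lists that commit as unreachable. Finding such secrets requires enumerating the object store itself (here with `cat-file --batch-all-objects`) rather than the clone, which is the gap the research above describes. A `git gc` on the server would eventually prune unreachable objects, but hosted services keep and serve them for much longer according to the findings above.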
Software Supply Chain Security module

“The findings once again reinforce the best practice that secrets should never be put into code, not even for testing purposes, and security teams must be able to monitor this,” says Amir Jerbi, CTO and co-founder of Aqua Security. “The software supply chain is optimised for speed and convenience, but this cannot come at the expense of secure engineering practices.” Starting in August, Aqua customers using the Software Supply Chain Security module will be able to prevent developers from committing code with embedded secrets and to scan for phantom secrets hidden within their SCM file system.
Aqua Security, the pioneer in cloud-native security, and Orca Security, the pioneer in agentless cloud security, announced a new partnership to deliver best-in-class cloud-native security through a deep integration between their platforms. Joint customers will benefit from the combination of the multi-cloud visibility and security provided by the Orca platform with the multi-cloud and hybrid-cloud runtime protection for cloud-native workloads offered by the Aqua platform.

Right cloud-native solution

“One of the biggest challenges facing my team this year is seeing the breadth of our cloud operations around the world and simultaneously securing our most critical cloud assets,” said Jairo Orea, Global Chief Information Security Officer, Royal Caribbean Group. “My team and I did an exhaustive search to find the right cloud-native solution to both identify and stop cloud-native threats, and the Aqua and Orca combination was the only one that covered the use cases we needed to secure our cloud environment. We compared tools and ‘platforms’ from nearly a dozen vendors, but this was the only option that could help my team both manage and protect our cloud environments.”

Integration of runtime protection

“Best-of-breed security means combining the strengths of two different solutions,” said Dror Davidoff, CEO and co-founder, Aqua Security. “Aqua and Orca are doing that in a seamless way to meet customer demand for market-pioneering cloud-native security. Orca’s deep visibility coupled with Aqua’s sophisticated and scalable container security will allow customers to benefit from a holistic approach to enhanced cloud security.”

“As we partner with hundreds of organisations around the world to secure their cloud environments, we are committed to delivering an open ecosystem of the best cloud-native technologies,” said Gil Geron, CEO and co-founder, Orca Security.
“The integration of runtime protection from Aqua Security into the Orca Platform, and our plans to continue enhancing this feature set, offer more value to our joint customers.”

Orca Security’s agentless-first approach

Joint Aqua and Orca customers will get both real-time visibility and real-time protection. Orca Security’s agentless-first approach provides multi-cloud visibility and continuous security spanning cloud infrastructure, workloads, data, identities, and other critical assets, with easy onboarding and fast time-to-value. Leveraging Aqua’s multi-cloud and hybrid-cloud runtime protection, joint customers get threat protection against known and unknown attacks that target running workloads and can view the critical alert data within the Orca Platform.

Key capabilities of Aqua Security

The key capabilities of Aqua Security runtime protection integrated with Orca Security’s visibility include:
- Enhanced multi-cloud visibility, with the ability to see Aqua and Orca data in one place.
- Deployment of Aqua runtime protection to monitor and defend workloads in real time; Aqua alerts are pushed to the Orca Platform as they happen.
- Risk prioritisation, using enriched data and context from Aqua runtime to understand the greatest impact to the cloud environment.
- Aqua’s drift prevention, enforced immutability, and the ability to surgically block malware across cloud-native workloads using real-time behavioural detection.
To learn more about the integration and partnership, visit Aqua at Booth #1835 and Orca at Booth #1627, both in the South Hall at RSA.