Case Study

CoGuard Case Study at Support Logic

In this article, we are going through some of the value SupportLogic has received from our automated scan, which has confirmed our position on blind spots in organizations for years.

CoGuard
Written by
CoGuard

How this came about

We at CoGuard had the pleasure of diving into technology with the senior manager of software engineering of SupportLogic, Tyler Pinckard.

SupportLogic is a brand known for their diligence when it comes to security, holding a variety of different security certifications, including SOC2 and ISO27001.

As a veteran in the security field, Tyler has seen many tools and has a comprehensive view on the risks he is facing today. We were discussing the capabilities of CoGuard and the value-add our CoGuard scans can bring to his organization.

SupportLogic agreed to an assessment through CoGuard on part of their infrastructure, and this engagement was a fruitful ground to discuss the capability and uniqueness of security posture analysis and value through CoGuard.

Onboarding was a breeze and the findings were real, important, and actionable
- Tyler Pinckard, Senior manager of Software Engineering, SupportLogic

In this article, we are going through some of the value SupportLogic has received from our automated scan, which has confirmed our position on blind spots in organizations for years.

CoGuard’s messages manifested

CoGuard has been sending the message to the world for a long time how infrastructure configurations need to be tended to with the same care as code. There were certain scenarios we were painting in our blog articles, which SupportLogic has now detected and remediated with the help of our automated scan. We are going through some of these in the following subsections.

Hardened images need to stay hardened

As with the shared responsibility model of cloud providers with their customers, hardened images stay hardened until someone is altering them, albeit so slightly. Quite often, one needs to adjust the application level configuration or install further packages inside.

Hence, just the use of hardened images is not enough; one needs to continuously scan any changes that may be applied there, and fix potential issues that are coming out as a result.

At SupportLogic, the team was able to identify the changes made to hardened images, and how this has affected the security posture.

Hardened does not equal hardened

If a hardened Docker image is downloaded for a specific software, the hardening may only apply to the Docker instructions and the installed libraries on the image itself, but not the configuration of the underlying application. As an example, many hardened versions of NGINX do deploy the default NGINX configuration, which is not configured for e.g. encryption in transit.

During our engagement with SupportLogic, the team was able to achieve full visibility into all images that they have used, and which configuration hardening has been applied specifically for each image.

One needs to scan all application configurations, not just some

A quick application of recommendations from Stack-Overflow community members to infrastructure components, and e voila, a current ticket on the to-do-list of a developer is fixed. Since most scanners nowadays miss application level configurations, this change will go into the production system without any alarms.

The problem is: The configuration may disable critical security functions like proper logging or authorization. This, in turn, may become a gateway for attackers who use this application to gain further access to other components.

At SupportLogic, the team has gained insights into custom configurations applied to tools that are deployed on their infrastructure, and learned about settings which have been changed downstream through multiple deployment processes.

The old song of default configurations

Default configurations are there to get developers started with a product quickly, and make a decision in favor of a specific tool or offering. Hence, security is usually the corner being cut. The default configurations can be very intricate, ranging from allowing access to a database automatically if the request comes from the same device where the instance is installed on, to useful hardening measures being disabled such as protection of the root filesystem of an instance.

Not all developers can be experts in every single tool. Hence, the automated determination of default settings used in different environments has helped SupportLogic ensure that hardening is happening on every layer of the infrastructure.

Does your organization use an unusual tool? We can support it

Every organization has a piece of software or a dependency that is either custom to their use-case, or which is not widely popular, but it is useful in their context and provides what is needed. At SupportLogic, that tool is RethinkDB, which is tailored to the needs of some of SupportLogic’s deployments. The verification to date has been performed manually. In our engagement, we used the technology we developed to auto-generate policies, and we have ever since included RethinkDB into our list of supported tools. This has enabled SupportLogic’s team to auto-verify the configurations, and reduce risk of human error there.

Where are my configs?

During a CoGuard scan, references are pointed out to other services or files which may not be included in the initial scan. Often, teams have a spread out inventory and the exact location of specific functionality is tribal knowledge. By scanning and connecting the different repositories with one another, a better understanding of one’s inventory is created, leading to better auditability of the entire system.

Conclusion

The more blind-spots an organization can fill, the more awareness about security risks is present. Mitigations are built on this knowledge. At our initial scan with SupportLogic, we have helped the senior management by understanding some risks that are hard to spot in a manual process. Hence, we were able to provide value at the first scan and deliver on the items we usually point out as value during an initial call.

If you are also interested in getting more information about potential risk in your infrastructure, don’t hesitate to contact us today at info@coguard.io

You can also explore a test environment or run a test scan to review CoGuard and it's findings here: portal.coguard.io

more resources

Similar Posts

View all resources
DevOps Tips
MySQL in AWS RDS is NOT automatically following CIS benchmarks!

When using AWS, the RDS service allows for many different SQL engines, including Oracle’s MySQL. Here are some of the things you need to consider and possibly fix before using the RDS instance because out of the box does not mean it's secure!

Cyber Security
Shared Responsibility Model for PaaS - A Look at Pantheon

Learn about the shared responsibility model for Platform as a Service (PaaS) using Pantheon as an example. A CoGuard scan of a Pantheon MySQL instance revealed various security concerns, highlighting the need for proactive configuration checks when using PaaS providers.

Press Release
Unlocking the Potential: Quantstamp works with CoGuard to perform infrastructure security evaluations

Quantstamp, a leading provider of smart contract audits, has partnered with CoGuard to identify misconfigurations and vulnerabilities of Web2 infrastructure within Web3 stacks.

Explore a test environment

Try here Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.

Book a Call
© 2021-2024 All rights reserved Heinle Solutions Inc.