Software automatically detects security vulnerabilities in the cloud
Marie Donlon | June 03, 2021
With cyberattacks on cloud computing systems on the rise, a spin-off company of the Fraunhofer Institute for Mechatronic Systems Design IEM and the Heinz Nixdorf Institute at Paderborn University has developed a tool designed to automatically detect and fix security vulnerabilities in cloud computing software.
CodeShield, software from the company of the same name, was developed in response to the growing number of companies moving their IT infrastructure to the cloud for its computing and storage capacity. That migration has brought its own class of vulnerabilities, such as insecure web interfaces, misconfigured interfaces and access protocols open to exploitation by cybercriminals, which according to the researchers can result in the loss of sensitive data, among other problems.
As such, CodeShield was developed to automatically analyze and evaluate the security of cloud applications and fix vulnerabilities discovered along the way.
"Targets of hacker attacks can include companies' publicly writable buckets. These types of cloud container store data in the form of objects. Attacks are possible if the bucket is not read-only and can therefore be accessed publicly, for example," explained Professor Eric Bodden, a scientist at Fraunhofer IEM.
Designed to thwart such attacks, the CodeShield software automatically analyzes program code for vulnerabilities, concentrating on popular cloud-native applications. Consumer services such as Spotify and Netflix are examples, and so are connected devices such as electric scooters, whose back ends are hosted by a cloud provider. Such code is not only developed in the cloud but also stored and executed there, at providers such as Amazon Web Services.
"The interfaces and components made available by the providers — which can be described as a kind of modular toolbox — are not easy to use. Although they enable programmers to develop new applications within a short space of time, private data can end up being published inadvertently if the interfaces are configured incorrectly," explained Bodden. "CodeShield doesn't just discover these vulnerabilities in real time using automated means — it also visualizes them at the same time."
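As an added example (not code from the article or from CodeShield), the following Python audits an S3-style bucket for the publicly writable configuration Bodden describes in the first quotation and for the misconfigured provider interfaces he mentions in the second. It works on the JSON shapes AWS uses for a bucket policy and a bucket ACL; the policy documents, ACL grants, bucket name, account ID and role name are constructed for the example.

```python
"""Flag bucket policies and ACLs that leave an S3-style bucket publicly writable.

Added example, not part of the article or of CodeShield. Input documents use
the JSON shapes AWS returns for a bucket policy and a bucket ACL; the sample
documents at the bottom are constructed for illustration.
"""
import fnmatch

# Concrete S3 actions that change bucket contents or its access control.
WRITE_ACTIONS = ("s3:deleteobject", "s3:putbucketacl", "s3:putbucketpolicy",
                 "s3:putobject", "s3:putobjectacl")

# ACL grantee groups that mean "everyone" (with or without an AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def granted_write_actions(stmt):
    """Write actions covered by a statement's Action patterns ("s3:Put*", "s3:*", "*")."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return [w for w in WRITE_ACTIONS if any(fnmatch.fnmatchcase(w, p) for p in patterns)]


def policy_findings(policy):
    """Allow statements that let everyone write, as human-readable findings."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except those listed;
            # combined with a public principal that is almost always too broad.
            findings.append(f"{sid}: public Allow using NotAction (grants all unlisted actions)")
            continue
        writes = granted_write_actions(stmt)
        if not writes:
            continue  # public read-only, e.g. a static website bucket
        resources = ", ".join(_as_list(stmt.get("Resource")))
        if stmt.get("Condition"):
            # A Condition (source VPC, IP range, ...) may narrow the grant; review by hand.
            findings.append(f"{sid}: public {', '.join(writes)} on {resources}, narrowed by Condition")
        else:
            findings.append(f"{sid}: PUBLIC WRITE {', '.join(writes)} on {resources}")
    return findings


def acl_findings(acl):
    """ACL grants that give a public group write or full-control permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who and grant.get("Permission") in ACL_WRITE_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    return findings


def audit_bucket(policy, acl):
    return policy_findings(policy) + acl_findings(acl)


# Constructed: the misconfiguration described in the article, a bucket anyone can upload to.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicSite", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-static-site/*"}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "WRITE"}]}

# Constructed fix: the public may only read; uploads come from one named deploy role.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"},
    {"Sid": "DeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-static-site/*"}]}
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for label, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        print(label, audit_bucket(pol, acl) or ["no public write found"])
```

The check is deliberately conservative in two places: a public Allow carrying a Condition is reported for manual review rather than dismissed, and an Allow that uses NotAction is reported outright. It inspects only the bucket's own policy and ACL. S3 Block Public Access settings at the bucket or account level can override both, so a finding is a candidate to confirm against those settings, and a clean result says nothing about access granted through IAM policies in the owning account.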
In addition to analyzing everything from the website and app down to the code and the data containers, CodeShield displays the cloud infrastructure as diagrams, so that programmers can rapidly spot issues and vulnerabilities.
CodeShield uses a so-called fingerprinting method to reveal security vulnerabilities in code. To build it, the researchers downloaded open-source components from the cloud and calculated a fingerprint for each one; if such a component is later integrated into an application, the matching fingerprint identifies it, and any known insecure code it carries, immediately.
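The article does not say how CodeShield's fingerprints are computed. The following Python is an added example, not CodeShield's code, of one plausible scheme: each catalogued open-source component is summarised as the set of SHA-256 digests of its comment-stripped, whitespace-normalised source files, and an application tree is scanned for files whose digests match, so that a vendored copy of a component with a known weakness is identified even after it has been reformatted. It goes one step beyond the paragraph in that it resolves the common case where several versions of a component share unchanged files. The component names, versions, "insecure" flags and file contents are all constructed for the example.

```python
"""Fingerprint open-source components and find them inside an application tree.

Added example, not CodeShield's implementation. Each known component is
summarised as the set of SHA-256 digests of its normalised source files; an
application is scanned for files with matching digests. All components,
versions, "insecure" flags and file contents below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


def normalise(source: str) -> str:
    """Strip C-style comments and collapse whitespace so that reformatting
    or re-commenting a vendored copy does not change its fingerprint.
    (The comment regexes are deliberately simple and would also strip a
    "//" inside a string literal; a real tool would tokenise.)"""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    source = re.sub(r"//[^\n]*", "", source)
    return " ".join(source.split())


def fingerprint(source: str) -> str:
    return hashlib.sha256(normalise(source).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    insecure: bool       # would come from an advisory feed; constructed here
    files: frozenset     # fingerprints of the component's source files


def component(name, version, insecure, files):
    return Component(name, version, insecure,
                     frozenset(fingerprint(src) for src in files.values()))


def build_catalogue(components):
    """Inverted index: file fingerprint -> components that contain that file."""
    index = {}
    for comp in components:
        for fp in comp.files:
            index.setdefault(fp, set()).add(comp)
    return index


def match_components(app_files, index, threshold=0.5):
    """Return (component, coverage) for catalogued components found in the app.

    coverage is the fraction of a component's files seen in the application;
    a threshold below 1.0 tolerates partial or lightly patched vendoring.
    Where several versions of one component clear the threshold (they often
    share unchanged files), only the best-covered version is reported, which
    keeps the shared files from producing a false positive for every version.
    """
    app_fps = {fingerprint(src) for src in app_files.values()}
    hits = {}
    for fp in app_fps:
        for comp in index.get(fp, ()):
            hits[comp] = hits.get(comp, 0) + 1
    best = {}
    for comp, n in hits.items():
        coverage = n / len(comp.files)
        if coverage >= threshold and (comp.name not in best or coverage > best[comp.name][1]):
            best[comp.name] = (comp, coverage)
    return sorted(best.values(), key=lambda r: (-r[1], r[0].name))


def insecure_components(app_files, index, threshold=0.5):
    return [c for c, _ in match_components(app_files, index, threshold) if c.insecure]


# Constructed catalogue: two versions of a padding helper (1.0 flagged insecure,
# 1.1 patched) and an unrelated parser. util.js is unchanged between versions.
LEFTPAD_10 = {
    "index.js": "// left-pad 1.0\nfunction leftPad(s, n) { while (s.length < n) s = ' ' + s; return s; }\nmodule.exports = leftPad;",
    "util.js": "function isString(x) { return typeof x === 'string'; }\nmodule.exports = { isString };",
}
LEFTPAD_11 = {
    "index.js": "// left-pad 1.1\nfunction leftPad(s, n) { s = String(s); while (s.length < n) s = ' ' + s; return s; }\nmodule.exports = leftPad;",
    "util.js": LEFTPAD_10["util.js"],
}
TINYJSON = {"parse.js": "function parse(t) { return JSON.parse(t); }\nmodule.exports = { parse };"}
CATALOGUE = build_catalogue([
    component("leftpad", "1.0", True, LEFTPAD_10),
    component("leftpad", "1.1", False, LEFTPAD_11),
    component("tinyjson", "1.0", False, TINYJSON),
])

# Constructed application: leftpad 1.0 vendored with new formatting and comments.
APP_FILES = {
    "vendor/leftpad/index.js": "/* vendored copy, do not edit */\nfunction leftPad(s, n) {\n  while (s.length < n) s = ' ' + s;\n  return s;\n}\nmodule.exports = leftPad;\n",
    "vendor/leftpad/util.js": "function isString(x) {\n  return typeof x === 'string';\n}\nmodule.exports = { isString };\n",
    "src/app.js": "const leftPad = require('../vendor/leftpad');\nconsole.log(leftPad('7', 3));\n",
}

if __name__ == "__main__":
    for comp, cov in match_components(APP_FILES, CATALOGUE):
        print(f"{comp.name} {comp.version}: {cov:.0%} of files present, insecure={comp.insecure}")
```

Exact digests over whole files are cheap to compute and store, but they only survive the changes the normalisation step anticipates; a component that was minified, transpiled or compiled to a binary needs fingerprints taken at a different level (tokens, functions or symbol tables). The threshold is the knob that trades recall against the false positive rate the article quotes: lowering it catches heavily patched copies, raising it avoids reporting a component because one generic helper file happened to match.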
The software also analyzes the program code that developers write, store in the cloud and edit frequently to modify functionality. According to the research team, CodeShield's false positive rate is below 5%.