CIO Influence
CIO Influence News Cloud Security

Ermetic Releases CNAPPgoat Open Source Project for Assessing Multi Cloud Security

Ermetic Releases CNAPPgoat Open Source Project for Assessing Multi Cloud Security

Ermetic, a leading cloud infrastructure security company announced CNAPPgoat, an open source project that allows organizations to safely test their cloud security skills, processes, tools and posture in interactive sandbox environments that are easy to deploy and destroy. CNAPPgoat supports AWS, Azure and GCP platforms for assessing the security capabilities included in Cloud Native Application Protection Platforms (CNAPP).

CIO INFLUENCE: JFrog Software Supply Chain Platform Delivers 393% ROI According to Total Economic Impact Study

.@ErmeticSec releases CNAPPgoat open source project for assessing cloud security people, processes and tools against vulnerabilities in safe, interactive environment

The CNAPPgoat project will be officially presented at DEF CON Demo Labs in Las Vegas on Friday, August 11 from 12:00pm-1:55pm by Noam Dahan, Research Lead and Igal Gofman, Head of Research for Ermetic. On Wednesday, August 16 at 10am PST/1pm EST, Ermetic will present a webinar on using CNAPPgoat, to register visit this link.

Unlike projects that illustrate possible attack paths, CNAPPgoat provides a large and expanding library of scenarios that security teams can execute to create a customized cloud environment for simulating unsecured and vulnerable assets and validating their defenses. The ability to easily provision a vulnerable environment with a broad range of risk scenarios provides the following benefits:

  • Create a sandbox for testing an organization’s security posture by assessing security team capabilities, procedures and protocols
  • Use vulnerable environments for hands-on workshops to train team members on new skills and techniques
  • Provision a “shooting range” for pentesters to test their skills at exploiting the scenarios and developing relevant capabilities
  • Benchmark CNAPP tools against known environments to evaluate their capabilities

“Compared to existing open-source projects that create ‘capture the flag’ scenarios where participants are expected to follow a certain path, CNAPPgoat spans the leading cloud provider platforms and CNAPP capabilities while providing a modular and granular approach for provisioning specific categories of risks and vulnerabilities,” said Igal Gofman, Director of Research for Ermetic.

CIO INFLUENCE: World Password Day: Password advice for CIOs

“This breadth and depth allows pentesters and defenders to precisely isolate the elements they want to explore for training, new skills acquisition, prevention and security posture assessments,” added Noam Dahan, Research Lead.

CNAPPgoat enables security teams, trainers and pentesters to provision and run vulnerable scenarios from the following modules that make up the CNAPP specification defined by Gartner:

  • Cloud Infrastructure Entitlement Management (CIEM) – covers risks associated with identities and entitlements, such as the unintended ability of an identity to escalate its privileges
  • Cloud Workload Protection Platform (CWPP) – includes the exposure of workloads to vulnerabilities such as running vulnerable/end of life software or OS versions
  • Cloud Security Posture Management (CSPM) – spans the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources
  • Infrastructure as Code (IaC) scanning – will be added soon for finding misconfigurations directly in the code

CNAPPgoat is an open community initiative designed to be used by anyone for commercial, technical and educational purposes. See today’s blog for implementation details. Additional artifacts including deeper technical dives and guides will be released soon. Contributions are encouraged including new scenarios, scenario proposals, issues, suggestions, feature requests or simply sharing feedback.

CIO INFLUENCE: CIO Influence Interview with Lior Yaari, CEO and Co-Founder at Grip Security

[To share your insights with us, please write to sghosh@martechseries.com] 

Related posts

WISeKey Selected as Collaborator by NIST for the NCCoE Trusted IoT Network Layer Onboarding Project

CIO Influence News Desk

CARUSO Partners Up With Renault Group To Further Improve The Fleet Management Industry

GlobeNewswire

SouthernCarlson Selects Infor CloudSuite Distribution to Help Consolidate Operational Systems, Speed Decision Making & Improve Customer Service

CIO Influence News Desk