Vulnerability management specialist Tenable announced on Monday that it has acquired Accurics, a company that will help the combined business leverage Infrastructure as Code (IaC) to fix misconfigurations for any cloud environment — before they can expose a business to risk.
Accurics helps companies address risk across the entire lifecycle and supply chain, in development and runtime, and delivers code fixes to ensure risks are remediated quickly, with minimal burden on security teams. Its enterprise product scans IaC for misconfigurations and monitors provisioned cloud infrastructure for issues.
Tenable’s acquisition speaks to the cloud security industry maturation process, said Frank Dickson, program vice president for security and trust at IDC. Dickson said the first step was securing the workload, while the second step was addressing known vulnerabilities in code.
“Cyber miscreants have now turned their focus on misconfigurations in our cloud environments, so the third step is addressing and preventing misconfigurations,” Dickson explained. “We have offered a number of tools to address misconfigurations, however, many issues occur before instances and environments are provisioned. IaC security looks to address configuration issues before instance creation to embed trust and resilience in IaC tools and proactively prevent misconfigurations.”
Doug Cahill, vice president, analyst services and senior analyst at the Enterprise Strategy Group, added that modern cloud-native applications are increasingly defined via IaC templates that also offer repeatability. However, IaC templates can result in misconfigurations being inadvertently introduced into production environments, creating exploitable attack paths.
As such, scanning IaC templates pre-deployment helps prevent vulnerable configurations from being deployed, a DevSecOps use case that 48% of ESG research respondents intend to implement over the next 12 to 24 months, Cahill said. “Tenable’s acquisition of Accurics extends the company’s approach to vulnerability management to the pre-deployment stage, as well as to configurations,” he concluded.