We built a community cloud vulnerability database, now what?
07-25, 16:45–17:30 (US/Eastern), Room 2/3

The shared responsibility model is broken! In the pre-cloud era, the responsibility for security was fully in the hands of the users. Multiple recent cloud vulnerabilities such as ChaosDB, ExtraReplica revealed that the current cloud model isn’t sufficient.

Companies are unable to keep up with cloud complexity, while vendors & cloud providers do not provide clear identification, tracking or severity for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of exposure, impact, mitigations steps of vulnerabilities discovered in their platform.

In the past year we initiated a community effort, that started with characterizing the gaps in the current model and continued in building a new community-based cloud vulnerabilities database. We will share our insights from this process along with the learnings of the Wiz Research team from the disclosure process of multiple unprecedented vulnerabilities in Azure, AWS and GCP.

We will review the weaknesses of the cloud that the new central database unveils, and present novel findings about the security impact that the lack of cloud vulnerabilities model results. We will make the case for extending the current CVE model to be more cloud friendly as the current model is broken and call everyone to join the movement for change.

See also: Slides (4.8 MB)

Alon Schindel is the Director of Data and Threat Research at Wiz. He’s an experienced cybersecurity professional who has filled various lead roles in both development and research of cybersecurity products and specializes in threats and how to detect them. In the past year, Alon leads the CloudCVE effort. He is also enthusiastic about data research and AI and holds an MSc in Computational Neuroscience from the Hebrew University.

Amitai is a Threat Researcher at Wiz, where he investigates cloud threats and works to advance research and detection methodology. Amitai is an experienced cyber threat intelligence analyst and writer who enjoys contemplating philosophy of science, marveling at new technology and gadgets, and appreciating video games.