Friday, 24 June 2022

Security Compliance

Prancer Enterprise is announcing that its entire cloud compliance policy repository is now open source. The repository is available on GitHub at

https://github.com/prancer-io/prancer-compliance-test

This move reflects Prancer's commitment to open source technology and to harnessing the power of community collaboration to move great ideas through the pipeline faster.

These compliance policies, which focus on IaC Security and live cloud resources, are based on the CIS, NIST 800, PCI, HIPAA, HITRUST, CSA CCM and ISO 27001 compliance standards. All of the policies are written in Rego, the Open Policy Agent (OPA) policy language.

The Prancer Enterprise platform helps companies achieve end-to-end security in the cloud by shifting security to the left and applying it early in the development process. Cloud DevOps engineers get early feedback on the security of their Infrastructure as Code (IaC) templates with every commit they make.

The Prancer Enterprise Cloud Compliance repository has more than 1000 policies, covering both Infrastructure as Code (IaC) Security and post-deployment resources. This cloud compliance policy repository is a significant contribution to the open-source community, built on the de facto Rego policy language.

IaC Security policies cover Azure, AWS and Google Cloud; Kubernetes objects are also supported in IaC Security. Post-deployment security scans of the same cloud providers help businesses improve their cloud security posture and maintain security in the cloud.
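As an added illustration (not a policy taken from the prancer-compliance-test repository), the following shows what a CIS-style IaC check of this kind looks like in Rego. It assumes OPA's `rego.v1` syntax and two constructed input shapes: a Terraform plan exported with `terraform show -json`, and a Kubernetes Pod manifest. The package name and the messages are made up for the example.

```rego
# Added example, not from the Prancer repository.
package iac.security

import rego.v1

# Input shape 1 (assumed): Terraform plan JSON from `terraform show -json plan.out`.
# Flag S3 buckets whose canned ACL grants anonymous access.
deny contains msg if {
    rc := input.resource_changes[_]
    rc.type == "aws_s3_bucket"
    rc.change.after.acl in {"public-read", "public-read-write"}
    msg := sprintf("%s: S3 bucket ACL %q grants public access", [rc.address, rc.change.after.acl])
}

# Input shape 2 (assumed): a single Kubernetes Pod manifest as JSON/YAML.
# Flag containers that request privileged mode.
deny contains msg if {
    input.kind == "Pod"
    c := input.spec.containers[_]
    c.securityContext.privileged == true
    msg := sprintf("Pod %s: container %s runs privileged", [input.metadata.name, c.name])
}
```

Evaluated with `opa eval --input plan.json --data policy.rego 'data.iac.security.deny'`, a non-empty `deny` set is what a pipeline step turns into a failed commit check; an empty set means the template passed these two controls.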

As more companies come to rely on cloud technologies, they are also looking for ways to apply compliance to their cloud environments easily and make them a secure place for their workloads. The Prancer Platform helps companies apply security throughout the lifecycle of their cloud deployments. It integrates into DevOps pipelines and provides IaC Security scans.

About Prancer

Prancer Enterprise (https://www.prancer.io/) provides a pre-deployment and post-deployment multi-cloud security platform for Infrastructure as Code (IaC) and live cloud environments. It shifts security to the left and provides end-to-end security scanning based on the Policy as Code concept. DevOps engineers can use it for static analysis of IaC to find security drift and to maintain their cloud security posture with continuous compliance features.


Thursday, 9 June 2022

Offensive Security Testing


Prancer for Offensive Security Testing – An Overview

Offensive Security is a term used to describe the art of attacking and exploiting cyber systems. It is a broad field covering many different areas, including infrastructure security, application security, database security, etc.

Offensive Security tools are used by ethical hackers and penetration testers to test the security of systems and applications. The pentester must understand the application's components in order to formulate the attack they want to carry out, and the more they know about the underlying technologies, the better they can develop that attack.

There are several open-source and commercial tools for offensive security. Two of the most popular tools in Offensive Security are:

Zaproxy: The Zed Attack Proxy (ZAP) is a powerful open-source penetration testing tool that security experts employ to identify vulnerabilities in web applications. In a nutshell, ZAP intercepts and examines messages sent between a browser and a web application, modifying the contents if necessary and then passing them on to the destination. ZAP may be used in numerous pentesting situations, including OWASP Top 10 web and API testing.

Burp Suite: Burp Suite is a commercial integrated platform for performing security testing of web applications and APIs. It consists of several tools that allow the pentester to map the application, find vulnerabilities, and exploit them. Burp's tools can be used in numerous ways to perform security testing tasks ranging from very simple to highly advanced and specialized.

There are many more tools to choose from, such as nmap, nslookup/dig, Selenium, Nikto, recon-ng, SpiderFoot, etc.

Offensive Security at scale

Manual pentesting may be more time-consuming and expensive than developing an automation suite. Numerous tools are available that can automate the majority of pentest activities, including security scanning of cloud architectures built on microservices and APIs. This ability to automate time-consuming, manually intensive operations allows businesses to speed up their validation process while also shortening product release cycles.

Given the amount of data that can be stored, and the sheer scale of cloud service providers (CSPs), companies simply cannot keep up with the speed of innovation and the overall scale of the cloud by hand. The only way to keep pace is to automate security testing as part of the SDLC.