Retention policy for flow logs should be enabled and set to greater than 90 days

Property
Language: terraform
Severity: low
Service: network
Provider: Azure

Description

Flow log resources are missing a retention policy or have it set for less than 90 days, which limits the availability of historical network activity logs required for security investigations.

Impact

Insufficient retention of flow logs can prevent detection and analysis of delayed or long-running attacks, making it difficult to investigate incidents and comply with audit requirements. This increases the risk of undetected breaches or incomplete forensic data.
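Added example, not part of the rule text: the non-compliant and compliant forms of an Azure NSG flow log written against the azurerm provider. The network watcher, resource group, NSG and storage account references are assumptions; the retention_policy block is what this rule inspects.

```hcl
# Non-compliant: retention is present but below 90 days. Omitting the
# retention_policy block, or setting enabled = false, is flagged the same way.
resource "azurerm_network_watcher_flow_log" "short_retention" {
  name                      = "nsg-flow-log-short"
  network_watcher_name      = azurerm_network_watcher.main.name
  resource_group_name       = azurerm_resource_group.main.name
  network_security_group_id = azurerm_network_security_group.app.id
  storage_account_id        = azurerm_storage_account.flowlogs.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 30
  }
}

# Compliant: retention enabled and records kept for at least 90 days.
resource "azurerm_network_watcher_flow_log" "app" {
  name                      = "nsg-flow-log-app"
  network_watcher_name      = azurerm_network_watcher.main.name
  resource_group_name       = azurerm_resource_group.main.name
  network_security_group_id = azurerm_network_security_group.app.id
  storage_account_id        = azurerm_storage_account.flowlogs.id
  enabled                   = true
  version                   = 2

  retention_policy {
    enabled = true
    days    = 90
  }
}
```

Azure documents days = 0 as keeping flow log records indefinitely rather than deleting them, but a numeric check like this one reads 0 as less than 90, so state the retention period explicitly. Retention is enforced by the storage account that receives the logs, so the policy only does anything when the logs are actually being delivered (enabled = true).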

Reusing a Nonce, Key Pair in Encryption

Property
Language: kotlin
Severity: low
CWE: CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses AES-GCM encryption but may be reusing the same Initialization Vector (IV), or nonce, with the same key. GCM encrypts with a counter-mode keystream derived from the key and nonce, so a repeated (key, nonce) pair produces an identical keystream, and the XOR of two ciphertexts equals the XOR of their plaintexts.

Impact

If the IV or nonce is reused, attackers can analyze multiple encrypted messages to reveal similarities or even recover parts of the plaintext, potentially exposing sensitive information like user data or credentials. This weakens encryption and can lead to significant data breaches.

Reusing a Nonce, Key Pair in Encryption

Property
Language: java
Severity: medium
CWE: CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

When using AES-GCM encryption, reusing the same Initialization Vector (IV) with the same key for different messages repeats the keystream and the authentication mask, which removes both the confidentiality and the integrity guarantees of the mode. Each encryption operation under a given key must use a nonce that has never been used with that key before.

Impact

If the same IV and key are reused, attackers can detect patterns between encrypted messages and may be able to recover sensitive information or compromise the integrity of the data. This could lead to data leaks or unauthorized access to confidential information.

Reusing a Nonce, Key Pair in Encryption

Property
Language: java
Severity: high
CWE: CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code is reusing the same IV/nonce value with GCM encryption, rather than generating a new, random value each time. This makes the encryption predictable and breaks the security guarantees of GCM mode.

Impact

If the nonce is reused, attackers can decrypt or tamper with encrypted data, potentially exposing sensitive information or allowing data manipulation. This undermines the effectiveness of encryption and can lead to serious breaches of confidentiality and integrity.
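One worked example serving the three CWE-323 entries above (the Kotlin entry and both Java entries describe the same defect at different confidence levels). This is added code, not taken from the rule text or from any scanned project: it shows the static-IV pattern the rules flag, demonstrates on two constructed messages why it is fatal, and then the corrected pattern with a fresh random nonce per message. Class and method names and the sample strings are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class GcmNonceReuse {
    private static final int NONCE_BYTES = 12; // 96-bit nonce, the size GCM is specified for
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // VULNERABLE (CWE-323): the same IV for every message under one key.
    // A constant, a counter that restarts, or a nonce derived from the key are all this pattern.
    private static final byte[] STATIC_IV = new byte[NONCE_BYTES];

    static byte[] encryptWithStaticIv(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, STATIC_IV));
        return c.doFinal(plaintext); // ciphertext || 16-byte tag
    }

    // FIXED: a fresh random nonce per call, prepended so the receiver can recover it.
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array();
    }

    static byte[] decrypt(SecretKey key, byte[] nonceAndCt, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(nonceAndCt, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(nonceAndCt, NONCE_BYTES, nonceAndCt.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        return c.doFinal(ct); // throws AEADBadTagException if ciphertext, tag, nonce or AAD changed
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample messages of equal length.
        byte[] p1 = "balance=00100".getBytes(StandardCharsets.UTF_8);
        byte[] p2 = "balance=99999".getBytes(StandardCharsets.UTF_8);

        // Same key and nonce -> same CTR keystream, so c1 XOR c2 == p1 XOR p2 byte for byte.
        byte[] c1 = encryptWithStaticIv(key, p1);
        byte[] c2 = encryptWithStaticIv(key, p2);
        byte[] recovered = new byte[p2.length];
        for (int i = 0; i < p2.length; i++) {
            if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i])) throw new AssertionError("keystream differed");
            recovered[i] = (byte) (c1[i] ^ c2[i] ^ p1[i]); // knowing p1 exposes p2 outright
        }
        System.out.println("recovered via nonce reuse: " + new String(recovered, StandardCharsets.UTF_8));

        // Fixed path: repeat encryptions differ, decryption round-trips, tampering is rejected.
        byte[] aad = "record-v1".getBytes(StandardCharsets.UTF_8);
        byte[] e1 = encrypt(key, p1, aad);
        byte[] e2 = encrypt(key, p1, aad);
        System.out.println("distinct ciphertexts for same plaintext: " + !Arrays.equals(e1, e2));
        System.out.println("round trip: " + new String(decrypt(key, e1, aad), StandardCharsets.UTF_8));
        e1[NONCE_BYTES] ^= 0x01; // flip one ciphertext bit
        try {
            decrypt(key, e1, aad);
            System.out.println("tamper NOT detected");
        } catch (GeneralSecurityException expected) {
            System.out.println("tamper detected: " + expected.getClass().getSimpleName());
        }
    }
}
```

Two caveats a reviewer should carry along. First, the SunJCE provider refuses to re-initialize the same Cipher instance for encryption with the key and IV it just used, but every call above creates a new instance, which is exactly how real code reuses a nonce without hitting that check; the JDK check is not a defence. Second, random 96-bit nonces are only safe while collisions stay improbable: NIST SP 800-38D limits a key to 2^32 encryptions with random IVs, so long-lived keys need rotation or a deterministic, never-repeating counter managed per key. Beyond the plaintext leak shown here, a repeated nonce also exposes GCM's authentication key, which lets an attacker forge tags for that key.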

Roles limited to the required actions

Property
Language: terraform
Severity: medium
Service: authorization
Provider: Azure

Description

The role definition grants wildcard permissions ("*") across all actions and scopes, allowing the role to perform any operation without restriction. This violates the principle of least privilege and creates overly broad access.

Impact

If exploited, attackers or unauthorized users with this role could perform any action on the subscription, including modifying resources, accessing sensitive data, or disrupting services, significantly increasing the risk of account compromise and data breaches.
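Added example, not part of the rule text: an azurerm_role_definition with the wildcard the rule flags, followed by a definition that lists only the operations the role needs and limits where it can be assigned. The resource group reference and the VM-operator use case are assumptions.

```hcl
data "azurerm_subscription" "current" {}

# Non-compliant: "*" permits every operation of every resource provider at
# subscription scope. not_actions only subtracts from this list; it is not a deny.
resource "azurerm_role_definition" "too_broad" {
  name  = "app-operator"
  scope = data.azurerm_subscription.current.id

  permissions {
    actions     = ["*"]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Compliant: enumerate the actions the role really performs, and restrict
# assignable_scopes so the role cannot be handed out above the resource group.
resource "azurerm_role_definition" "vm_operator" {
  name        = "vm-operator"
  scope       = azurerm_resource_group.app.id
  description = "Start, stop and restart virtual machines in the app resource group"

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/restart/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.app.id]
}
```

A provider-level wildcard such as "Microsoft.Compute/*" is narrower than "*" but still grants write and delete on every Compute resource, so treat it the same way in review. data_actions deserves the same scrutiny as actions; a wildcard there exposes data-plane operations such as reading blobs or secrets.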

Roles should not be assigned to default service accounts

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: misconfiguration

Description

Roles are assigned to default service accounts instead of dedicated, purpose-specific accounts. Default service accounts often have broad permissions and are shared among multiple services, increasing the risk of accidental or unauthorized access.

Impact

If compromised, a default service account with excessive privileges can be exploited to access or control multiple resources across the project, violating the principle of least privilege and increasing the likelihood and impact of privilege escalation or lateral movement within the environment.

Roles should not be assigned to default service accounts

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: misconfiguration

Description

Roles are being assigned to default service accounts instead of using dedicated, purpose-specific service accounts. Default service accounts often have broad permissions, increasing the risk of excessive privilege exposure.

Impact

If exploited, attackers or unauthorized processes could leverage the overly permissive default service accounts to gain unnecessary access to resources, violating the principle of least privilege and increasing the risk of data exposure or service manipulation across the GCP environment.

Roles should not be assigned to default service accounts

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: misconfiguration

Description

This vulnerability occurs when IAM roles are assigned to default Google service accounts instead of custom, purpose-specific accounts. Default service accounts have broad permissions and are often shared across multiple services, which increases risk.

Impact

If exploited, this misconfiguration can grant excessive or unintended permissions to default service accounts, potentially allowing attackers or compromised workloads to access or modify critical resources across the organization, violating the principle of least privilege.
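One added example covering the three "Roles should not be assigned to default service accounts" entries above (they describe the same misconfiguration). It is not taken from the rule text: it shows a binding to the Compute Engine default service account, which is what the rule matches on, and then the dedicated-account pattern with the account attached explicitly to the workload's VM. The project data source, workload name, role and machine settings are assumptions.

```hcl
data "google_project" "current" {}

# Non-compliant: the Compute Engine default service account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com) is used by every VM
# in the project that does not name another account, so any role granted here
# is effectively granted to all of them. The App Engine default,
# PROJECT_ID@appspot.gserviceaccount.com, is flagged the same way.
resource "google_project_iam_member" "default_sa_object_viewer" {
  project = data.google_project.current.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${data.google_project.current.number}-compute@developer.gserviceaccount.com"
}

# Compliant: one account per workload, granted only what that workload needs,
# and attached explicitly to the instance that runs it.
resource "google_service_account" "orders_worker" {
  account_id   = "orders-worker"
  display_name = "Orders worker"
}

resource "google_project_iam_member" "orders_worker_subscriber" {
  project = data.google_project.current.project_id
  role    = "roles/pubsub.subscriber"
  member  = "serviceAccount:${google_service_account.orders_worker.email}"
}

resource "google_compute_instance" "orders_worker" {
  name         = "orders-worker-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    email  = google_service_account.orders_worker.email
    scopes = ["cloud-platform"] # authorization comes from the IAM role, not from OAuth scopes
  }
}
```

Removing bindings in Terraform does not undo what the platform grants on its own: a new project gives the Compute default account roles/editor unless the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts is enforced, so pair this fix with that constraint and with a review of bindings that were created outside Terraform.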

Root and user volumes on Workspaces should be encrypted

Property
Language: terraform
Severity: high
Service: workspaces
Provider: AWS
Vulnerability Type: omission

Description

The AWS WorkSpaces resource is configured without encryption enabled for root and user volumes, leaving all data stored on these disks unprotected at rest. This misconfiguration allows data to be stored in plaintext.

Impact

If the WorkSpace or its underlying storage is compromised, sensitive data can be accessed and read directly by unauthorized parties, leading to potential data breaches, loss of confidentiality, and regulatory non-compliance.
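Added example, not part of the rule text: an aws_workspaces_workspace left at the provider defaults (no encryption on either volume) beside one with both volumes encrypted under a customer-managed KMS key. The directory reference, bundle variable, user names and key settings are assumptions.

```hcl
resource "aws_kms_key" "workspaces" {
  description         = "WorkSpaces root and user volume encryption"
  enable_key_rotation = true
}

# Non-compliant: root_volume_encryption_enabled and user_volume_encryption_enabled
# default to false, so both disks are stored in plaintext. Enabling only one of
# the two is also flagged by this rule.
resource "aws_workspaces_workspace" "unencrypted" {
  directory_id = aws_workspaces_directory.corp.id
  bundle_id    = var.bundle_id
  user_name    = "analyst1"
}

# Compliant: both volumes encrypted with the customer-managed key.
resource "aws_workspaces_workspace" "analyst" {
  directory_id = aws_workspaces_directory.corp.id
  bundle_id    = var.bundle_id
  user_name    = "analyst2"

  root_volume_encryption_enabled = true
  user_volume_encryption_enabled = true
  volume_encryption_key          = aws_kms_key.workspaces.arn

  workspace_properties {
    running_mode                              = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
}
```

Volume encryption is decided when the WorkSpace is created, so applying this change to an existing unencrypted WorkSpace replaces it rather than modifying it in place; plan the user data migration before running apply. The key must be a symmetric KMS key in the same region as the WorkSpace, and its key policy has to allow the WorkSpaces service to use it, otherwise creation fails.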

Root file system is not read-only

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The root file system for one or more containers is not set to read-only, allowing applications and processes within the container to write to the local disk. This configuration increases the risk of unauthorized modifications to the container’s environment.

Impact

If exploited, an attacker who gains access to the container could write malicious files or executables to the file system, tamper with application binaries, or alter system behavior, potentially leading to persistent compromise and making it harder to detect or recover from intrusions.
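Added example, not part of the rule text: a container in a kubernetes_deployment with the root filesystem locked down, plus the one thing that usually breaks when this is switched on, a writable scratch directory. The deployment name, image and mount path are assumptions; the equivalent setting for ECS is readonlyRootFilesystem in a task definition's container definition.

```hcl
resource "kubernetes_deployment" "api" {
  metadata {
    name = "api"
  }

  spec {
    replicas = 2

    selector {
      match_labels = { app = "api" }
    }

    template {
      metadata {
        labels = { app = "api" }
      }

      spec {
        container {
          name  = "api"
          image = "registry.example.com/api:1.4.2"

          # Without security_context the image's filesystem is writable: a
          # compromised process can drop tooling, patch binaries or persist.
          security_context {
            read_only_root_filesystem  = true
            allow_privilege_escalation = false
            run_as_non_root            = true
          }

          # Anything the application legitimately writes goes to an explicit,
          # ephemeral volume instead of the image layer.
          volume_mount {
            name       = "tmp"
            mount_path = "/tmp"
          }
        }

        volume {
          name = "tmp"
          empty_dir {}
        }
      }
    }
  }
}
```

Before enabling this on an existing service, find out where it writes: caches, PID files, log directories and package managers invoked at start-up are the usual culprits, and each needs its own emptyDir (or a persistent volume) rather than a relaxed root filesystem. Once the image layer is read-only, an unexpected write attempt fails with a permission error, which is itself a useful detection signal.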