Secrets Manager should use customer managed keys

Property
Language: terraform
Severity: low
Service: ssm
Provider: AWS

Description

Secrets in AWS Secrets Manager are being encrypted using the default AWS-managed key instead of a customer managed key. This limits control over key rotation, access permissions, and auditability of secret encryption.

Impact

Relying on AWS-managed keys reduces the ability to enforce strict access controls and monitor key usage. In the event of a compromise, it may be harder to revoke access, investigate incidents, or meet compliance requirements, potentially exposing sensitive secrets.

Security threat alerts go to subscription owners and co-administrators

Property
Language: terraform
Severity: low
Service: database
Provider: Azure

Description

The security alert policy for Azure SQL servers is not configured to notify subscription owners or administrators via email when security threats are detected. As a result, critical alerts may not reach those responsible for timely incident response.

Impact

If administrators are not promptly alerted to security threats, there may be delays in detecting and responding to potential attacks or breaches, increasing the risk of data loss, service disruption, or unauthorized access.

Selector usage in network policies

Property
Language: terraform
Severity: medium

Description

The network policy is missing podSelector or namespaceSelector fields, resulting in traffic not being properly restricted to specific pods or namespaces. Without these selectors, the policy does not effectively control which resources are affected.

Impact

If exploited, this misconfiguration can allow unauthorized ingress or egress traffic between pods, increasing the risk of lateral movement, data exposure, or attacks within the cluster due to insufficient network isolation.

SELinux custom options set

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

Custom SELinux options are set in the pod’s security context, which violates Kubernetes pod security standards by allowing non-default access controls. This configuration can introduce inconsistent or overly permissive security policies within containers.

Impact

Allowing custom SELinux options may enable containers to bypass intended restrictions, increasing the risk of privilege escalation or unauthorized access to system resources, potentially compromising container and cluster security.

Send notification emails for high severity alerts

Property
Language: terraform
Severity: medium
Service: security-center
Provider: Azure
Vulnerability Type: misconfiguration

Description

It is recommended that at least one valid security contact is configured for the security center. Microsoft notifies the security contact directly by email in the event of a security incident, which requires alert notifications to be turned on.

Resolution

Turn alert notifications on.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: generic
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The session cookie is configured without the ‘Secure’ flag, which means it can be sent over unencrypted HTTP connections. This exposes sensitive session data to interception by attackers on the network.

Impact

If exploited, attackers could capture session cookies via unsecured connections, potentially hijacking user sessions and gaining unauthorized access to user accounts or sensitive information. This weakens overall application security and puts user data at risk.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: generic
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The application’s configuration disables the Secure flag on cookies, allowing them to be sent over unencrypted HTTP connections. This exposes sensitive authentication or session information to interception by attackers on the network.

Impact

If exploited, attackers could steal users’ session cookies via network sniffing, potentially hijacking accounts or gaining unauthorized access to sensitive data. This weakens the overall security of user sessions and increases the risk of data breaches.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: go
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code is creating session cookies without setting the ‘Secure’ flag to true. This means cookies can be sent over unencrypted HTTP connections, making them vulnerable to interception.

Impact

If the ‘Secure’ flag is missing, attackers on the same network can capture session cookies via unsecured connections, potentially hijacking user sessions and gaining unauthorized access to sensitive parts of the application.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: go
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The session cookie is being set without the ‘Secure’ flag, which means it can be sent over unencrypted HTTP connections. This makes the cookie vulnerable to interception by attackers on unsecured networks.

Impact

If the ‘Secure’ flag is not set, sensitive session cookies could be stolen via network sniffing on public Wi-Fi or other insecure channels. This could allow attackers to hijack user sessions, impersonate users, and gain unauthorized access to protected areas of the application.