Cloud Context Policies

Cloud Context policies identify security risks, hardcoded secrets and PII, and misconfigurations in your cloud environments. OX evaluates cloud assets using cloud provider metadata and configuration data to identify risk and exposures.

This article describes the policies in this category, their configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

View and manage Cloud Context policies

Open each policy to view the business impact and optional settings.

CSPM issue

Purpose: Detects cloud environment misconfigurations.

Business impact: Misconfigured cloud environments increase the risk of unauthorized access, data exposure, and compliance violations. CSPM evaluates cloud configurations against security benchmarks to identify risky settings early. Addressing these findings reduces the likelihood of security incidents and regulatory issues.
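To make concrete what "evaluating cloud configurations against security benchmarks" means for a policy like this one, here is an added example of a minimal CSPM-style evaluator. It is illustrative code written for this article, not OX's own implementation: the asset records, the three benchmark-style rules, the severity ordering, and the way a high-priority application bumps severity one level (unless the "ignore business priority" setting is on) are all constructed assumptions that show how the policy's severity filter and priority checkbox interact with findings.

```python
"""Illustrative CSPM-style evaluation of cloud asset metadata.

Added example, not OX's own code. The asset records, rule set, severity
ordering and the business-priority adjustment are constructed assumptions
used to show the shape of a cloud misconfiguration policy.
"""
from dataclasses import dataclass

# Constructed severity ordering, lowest to highest.
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass
class Asset:
    asset_id: str
    kind: str
    config: dict
    app_priority: str = "normal"  # constructed: "normal" or "high"


@dataclass
class Finding:
    asset_id: str
    rule_id: str
    severity: str
    message: str


# Constructed benchmark-style checks over provider configuration data.
def _bucket_public(cfg):
    return not cfg.get("block_public_access", False)


def _bucket_unencrypted(cfg):
    return cfg.get("encryption") in (None, "none")


def _sg_ssh_open(cfg):
    return any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0"
               for r in cfg.get("ingress", []))


# (rule id, asset kind, base severity, predicate, message)
RULES = [
    ("BUCKET-001", "storage_bucket", "High", _bucket_public, "Public access not blocked"),
    ("BUCKET-002", "storage_bucket", "Medium", _bucket_unencrypted, "Encryption at rest disabled"),
    ("SG-001", "security_group", "Critical", _sg_ssh_open, "SSH (22) open to the internet"),
]


def adjust_severity(severity, app_priority, ignore_priority):
    """Constructed adjustment: a high-priority application raises the base
    severity one level unless the 'ignore business priority' setting is on."""
    if ignore_priority or app_priority != "high":
        return severity
    idx = min(SEVERITIES.index(severity) + 1, len(SEVERITIES) - 1)
    return SEVERITIES[idx]


def evaluate(assets, min_severity="Info", ignore_priority=False):
    """Run every rule over every asset; keep findings at or above min_severity
    (the 'show issues of severity' setting)."""
    floor = SEVERITIES.index(min_severity)
    findings = []
    for asset in assets:
        for rule_id, kind, base_sev, check, msg in RULES:
            if asset.kind != kind or not check(asset.config):
                continue
            sev = adjust_severity(base_sev, asset.app_priority, ignore_priority)
            if SEVERITIES.index(sev) >= floor:
                findings.append(Finding(asset.asset_id, rule_id, sev, msg))
    return findings


# Constructed sample inventory: two buckets and two security groups.
SAMPLE_ASSETS = [
    Asset("bucket-logs", "storage_bucket",
          {"block_public_access": False, "encryption": "aes256"}, app_priority="high"),
    Asset("bucket-archive", "storage_bucket",
          {"block_public_access": True, "encryption": "none"}),
    Asset("sg-bastion", "security_group",
          {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}),
    Asset("sg-web", "security_group",
          {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]}),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ASSETS):
        print(f"{f.severity:8} {f.asset_id:15} {f.rule_id}: {f.message}")
```

With the defaults, the public, high-priority `bucket-logs` bucket is reported as Critical rather than High; setting `ignore_priority=True` keeps it at High, and raising `min_severity` to "High" drops the Medium encryption finding from the list.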

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

CSPM secret

Purpose: Detects hardcoded secrets stored in cloud environments.

Business impact: Storing secrets insecurely in cloud environments increases the risk of unauthorized access, data breaches, and broader infrastructure compromise. Secrets such as API keys, tokens, and credentials that are exposed or misconfigured in cloud services can be exploited by attackers. Identifying and securing these secrets early helps protect cloud environments and reduce the impact of security incidents.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

PII in Runtime

Purpose: Detects exposure of personally identifiable information in applications, workloads, and cloud storage during runtime execution.

Business impact: Exposed personally identifiable information (PII) during runtime increases the risk of privacy violations and regulatory impact. Runtime PII, such as email addresses or credit card numbers, may be processed by applications and can be exploited if exposed. Protecting PII during runtime helps maintain user trust and supports compliance with data protection regulations.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Report PII On (dropdown) | Resource locations that OX scans to detect exposed PII. Use the checkboxes to change the selection. | Current selection |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Runtime open source vulnerability

Purpose: Detects known open-source vulnerabilities (CVEs) in components used at runtime.

Business impact: Failing to scan applications for vulnerabilities at runtime can leave security flaws undetected and increase the risk of breaches. Runtime vulnerability scanning identifies exploitable weaknesses while applications are running. Addressing these findings early reduces the likelihood of unauthorized access, data exposure, and system compromise.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Runtime operating system vulnerability

Purpose: Detects known operating system vulnerabilities (CVEs) in runtime environments.

Business impact: Failing to scan operating systems for vulnerabilities at runtime allows security gaps to persist and increases the risk of system compromise. Runtime scanning identifies exploitable flaws in operating systems while they are in use. Addressing these findings early reduces the likelihood of breaches, unauthorized access, and exposure of sensitive data.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

SAST in cloud functions

Purpose: Analyzes cloud function source code to detect security vulnerabilities using static analysis.

Business impact: Failing to analyze cloud function source code, such as AWS Lambdas, for security flaws allows insecure coding patterns to reach production. SAST identifies vulnerabilities in function code before runtime, reducing the risk of unauthorized access, data exposure, and logic-based attacks. Addressing these issues early improves the security of serverless workloads.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

SAST in runtime

Purpose: Analyzes application code to detect security vulnerabilities using static analysis before runtime.

Business impact: Failing to analyze application code for security flaws allows insecure coding patterns to persist and increases the risk of breaches and system compromise. SAST identifies vulnerabilities in code before runtime, reducing the likelihood of unauthorized access, data exposure, and logic-based attacks. Addressing these issues early improves application security as systems evolve.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Secrets in cloud functions

Purpose: Detects exposed secrets in cloud function code or configuration.

Business impact: Failing to detect exposed secrets in cloud functions, such as AWS Lambdas, increases the risk of unauthorized access and system compromise. Hardcoded or misconfigured secrets, including API keys and credentials, can be exploited to access cloud resources or sensitive data. Identifying and securing these secrets early reduces the risk of breaches and limits the impact of security incidents in serverless environments.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.
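The distinction this policy draws, a literal credential sitting in a function's code or configuration versus a reference to a secrets store, is easiest to see in a small detector. The following is an added example written for this article, not OX's code or the logic of any listed integration: the function records, the account id, the key-name patterns, the generic token pattern, the secrets-store reference prefixes, and the entropy threshold are constructed assumptions; the AWS access key id shape is a widely documented format.

```python
"""Illustrative detector for hardcoded secrets in cloud function configuration.

Added example, not OX's own code. The sample functions, key-name and value
patterns, reference prefixes and entropy threshold are constructed
assumptions that show what a 'secrets in cloud functions' policy looks for:
literal credentials in environment variables, as opposed to references to a
secrets store, which is the recommended pattern.
"""
import math
import re
from collections import Counter

# Constructed: variable names that usually hold credentials.
SENSITIVE_KEY = re.compile(r"(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)", re.I)

# Constructed value patterns; the AKIA... shape is the documented AWS access key id format.
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer-token": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{20,}\b"),
}

# Values that point at a secrets store rather than containing a secret (constructed list).
REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:", "${ssm:", "projects/")

# Constructed threshold in bits per character; random-looking strings score above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Shannon entropy of the character distribution of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_reference(value):
    return value.startswith(REFERENCE_PREFIXES)


def scan_env(function_name, env):
    """Return (function, variable, reason) tuples for suspect environment variables."""
    findings = []
    for key, value in env.items():
        if not isinstance(value, str) or is_reference(value):
            continue  # a secrets-store reference is the pattern we want to see
        for name, pat in VALUE_PATTERNS.items():
            if pat.search(value):
                findings.append((function_name, key, f"value matches {name}"))
                break
        else:
            # No known format matched: flag sensitive names holding long, random-looking literals.
            if (SENSITIVE_KEY.search(key) and len(value) >= 16
                    and shannon_entropy(value) >= ENTROPY_THRESHOLD):
                findings.append((function_name, key,
                                 "sensitive key name with high-entropy literal value"))
    return findings


def scan_functions(functions):
    findings = []
    for fn in functions:
        findings.extend(scan_env(fn["name"], fn.get("environment", {})))
    return findings


# Constructed sample: three functions, two of which carry hardcoded credentials.
SAMPLE_FUNCTIONS = [
    {"name": "order-processor",
     "environment": {"DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-db",
                     "LOG_LEVEL": "info"}},
    {"name": "report-exporter",
     "environment": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE000000000",
                     "REGION": "us-east-1"}},
    {"name": "webhook-relay",
     "environment": {"API_TOKEN": "f3c9a1b7e2d4c6a8b0f1e3d5c7a9b2d4",
                     "TIMEOUT_SECONDS": "30"}},
]

if __name__ == "__main__":
    for fn, key, reason in scan_functions(SAMPLE_FUNCTIONS):
        print(f"{fn}: {key}: {reason}")
```

The `order-processor` function is clean because its `DB_PASSWORD` is a Secrets Manager reference, not the password itself; `report-exporter` is caught by the key-id format and `webhook-relay` by a credential-looking name paired with a high-entropy literal.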

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Secrets in runtime

Purpose: Detects exposed secrets in applications, workloads and cloud storage during runtime execution.

Business impact: Exposed secrets during runtime increase the risk of unauthorized access and data breaches. Runtime secrets such as API keys, tokens, and credentials are required for application operation, but if mishandled or exposed, they can be exploited by attackers. Detecting and securing runtime secrets early reduces the risk of compromise and limits the impact of security incidents.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Report Secrets On (dropdown) | Cloud resource locations that OX scans to detect exposed secrets. Use the checkboxes to change the selection. | Current selection |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Unscanned image in Kubernetes cluster

Purpose: Detects container images in Kubernetes clusters that have not been scanned for vulnerabilities.

Business impact: Running container images that have not been scanned at runtime introduces unknown security risks into Kubernetes environments. Unverified images may contain critical vulnerabilities or malicious code that attackers can exploit. Scanning images before or during runtime helps enforce security standards, reduce the attack surface, and prevent untrusted images from compromising the cluster.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | OFF |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |

Vulnerable dependency (CVE) in cloud functions

Purpose: Detects known CVE vulnerabilities in third-party dependencies used by cloud functions.

Business impact: Using cloud functions that rely on third-party libraries with known CVEs exposes serverless workloads to security risks. Vulnerable dependencies can be exploited to gain unauthorized access, execute malicious code, or compromise data. Identifying and addressing these issues early reduces supply chain risk and prevents inherited vulnerabilities from reaching production.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Vulnerable dependency (CVE) in VM

Purpose: Detects known CVE vulnerabilities in third-party dependencies installed on virtual machines.

Business impact: Using virtual machines that contain dependencies with known CVEs exposes systems to exploitation and compromise. Vulnerable third-party libraries installed on VMs can be abused to gain unauthorized access, escalate privileges, or disrupt workloads. Identifying and addressing these vulnerabilities early reduces supply chain risk and helps protect running virtual machine environments.

This policy is only available via third-party integrations like Prisma Cloud, Wiz, Orca, Oligo, and Microsoft Defender for Cloud.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Vulnerability management

Purpose: Detects security issues across the environment, including obsolete software, misconfigurations, and system vulnerabilities.

Business impact: Unmanaged vulnerabilities increase the risk of unauthorized access, data breaches, and operational disruption. The Vulnerability Management policy identifies security issues such as end-of-life software, insecure configurations, and system weaknesses across the environment. Addressing these findings reduces overall risk exposure and helps maintain a secure and compliant infrastructure.

This policy is only available via third-party integrations like Qualys.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |
| Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF |

Vulnerable public image (CVE) in Kubernetes cluster

Purpose: Detects Kubernetes workloads that use public container images with known CVEs.

Business impact: Using public container images without vulnerability scanning introduces security risks into Kubernetes clusters. Images from public registries may contain known vulnerabilities that attackers can exploit to gain unauthorized access or compromise data. Scanning public images before deployment helps block high-risk images and reduces the risk of cluster compromise.

| Setting | Description | Default |
| --- | --- | --- |
| ON/OFF (toggle) | Enable/disable the policy. | ON |
| Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info) |

To view the active issues raised by Cloud Context policies:

  1. Open the Active Issues page.

  2. Use the Category filter and select the policy category to view related active issues.

  3. Use the Policy filter to narrow the list to a specific policy.

  4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.

  5. Use the search box to refine results further, for example by file name, keyword, or rule identifier.

When you change a policy's severity, ON/OFF toggle, or any other setting, you must save the current profile or create a new one.

  • To save the current profile, click SAVE in the page header.

  • To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.
