The dark side of domain-specific languages: Tenable uncovers new attack techniques in open source software
expresscomputer.in
Tenable has disclosed that its Tenable Cloud Security Research team has uncovered new attack techniques in Domain-Specific Languages (DSLs) of popular policy-as-code (PaC) and infrastructure-as-code (IaC) platforms. These can lead to compromised cloud identities, lateral movement, and data exfiltration.
Infrastructure-as-Code (IaC) has become the backbone of modern cloud DevOps practices, with policy engines and Policy-as-Code tools critical for governing sensitive and complex deployments. DSLs are hardened languages with limited capabilities, which are supposed to be more secure than standard programming languages. However, these frameworks are often assumed secure by default—leaving an open door for attackers to exploit.
This announcement follows a recently discovered SMB force-authentication vulnerability in OPA.
Why it matters:
While DSLs like those in Open Policy Agent (OPA) and HashiCorp’s Terraform are designed to be secure, Tenable’s findings reveal specific overlooked misconfigurations that adversaries can manipulate through third-party components. This highlights ...