Attacks on cloud software supply chains exacerbate enterprise threat landscape

Sicherheit (Pexels, allgemeine Nutzung)[German]Security vendor Palo Alto Networks presented its Unit 42 Cloud Threat Report 2H 2021 before the end of last month. The conclusion is that attacks on software supply chains in the cloud are exacerbating the threat situation for companies. To do so, Palo Alto Networks experts analyzed data from a variety of public data sources around the world.


Advertising

Cyberangriffe on the software supply chain, as in the case of SolarWinds and Kaseya VSA, have been in the headlines this year. They have highlighted the disconnect between the perception of security within enterprises' cloud infrastructure and the reality of threats in their supply chains that can have catastrophic effects on business.

In the new Unit 42 Cloud Threat Report 2H 2021 IT security researchers Palo Alto Networks take a deep dive into the full extent of supply chain attacks in the cloud and explain often misunderstood details about how these attacks occur. They also provide recommendations that any organization can implement immediately to protect their software supply chains in the cloud.

How the study was conducted

Palo Alto Networks experts analyzed data from a variety of public data sources around the world. The goal was to draw conclusions about the growing threats companies face today in their software supply chains. The analysis revealed the following:

  • 63 percent of third-party code templates used in building cloud infrastructures contain insecure configurations.
  • 96 percent of third-party container applications used in cloud infrastructure contain known vulnerabilities.

In addition to the data analysis, the researchers were commissioned by a major SaaS provider (a Palo Alto Networks customer) to conduct a Red Team exercise against its own software development environment. In just three days, a single researcher already discovered critical flaws in the software development environment that made the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA.


Advertising

Key findings

Poor supply chain hygiene impacts cloud infrastructure

The customer whose development environment was tested as part of the Red Team exercise has a common cloud security approach that most organizations would consider mature. However, the development environment contained several critical misconfigurations and vulnerabilities that allowed the Unit 42 team to take over the customer's cloud infrastructure in a matter of days.

Third-party code is not secure

In most supply chain attacks, an attacker compromises a vendor and inserts malicious code into software used by customers. Cloud infrastructure can fall victim to a similar approach, where unverified third-party code could introduce vulnerabilities and give attackers access to sensitive data in the cloud environment. If organizations don't vet their sources, third-party code can have any origin, including an Advanced Persistent Threat (APT).

Enterprises need to shift security to the left

Teams continue to neglect DevOps security, in part because they don't pay attention to threats in the supply chain. Cloud-native applications have a long chain of dependencies, and those dependencies in turn have their own dependencies. DevOps and security teams need to gain visibility into the bill of materials of each cloud workload to assess risk at each stage of the dependency chain and set guardrails.

The software supply chain in the cloud needs to be protected

While the report includes key insights into attacks on the software supply chain itself, the focus is on how enterprises can protect themselves from this growing threat, starting now. The Unit 42 Cloud Threat Report 2H 2021 is available for free download (requires registration with name and email address). It shows how common supply chain issues undermine cloud security and what organizations can do to gain confidence in their supply chain.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *