Palo Alto Networks has issued a report identifying more than 34 million vulnerabilities that exist within applications deployed on public clouds.
More than 29 million of those vulnerabilities reside on Amazon Web Services (AWS) platforms, which may not be all that surprising considering that AWS accounted for half of all infrastructure-as-a-service (IaaS) revenue in 2018. Nearly 3.9 million vulnerabilities were discovered in Google Cloud Platform, compared to 1.7 million on Microsoft Azure.
The report also finds that misconfigurations are rampant. A full 65% of all publicly disclosed cloud security incidents were the result of misconfigurations. The report also notes 40,000 container systems have been deployed using default configurations, representing just over half (51%) of all publicly exposed Docker containers. Specifically, report disclosed that 23,354 Docker containers and 20,353 Kubernetes containers have been deployed with default configurations.
The report noted many of the container systems identified allow for unauthenticated access to the data they contained.
Misconfiguration issues are hardly limited to applications. An indictment brought against an alleged hacker this week for breaching more than 100 million customer records belonging to Capital One that resided on a public cloud involved the misconfiguration of a firewall.
Finally, the Palo Alto Networks report noted 28% of organizations communicating with malicious cryptomining C2 domains operated by the threat group Rocke. Cryptomining has become a major issue as cybercriminals look to leverage IT infrastructure resources belonging to others to generate cybercurrencies.
Jen Miller-Osborn, deputy director for the Unit 42 cybersecurity research team at Palo Alto Networks, said the report makes it clear many organizations are still struggling with the shared responsibility approach that cloud security requires. Providers of cloud infrastructure provide high levels of security, but it’s still up to each organization to secure their own applications. Most of those organizations don’t have mature DevSecOps processes in place to ensure vulnerabilities are not being inadvertently being included in cloud applications, said Miller-Osborn.
In the absence of those processes, many organizations continue to view cloud computing as being less secure than on-premises IT environments, where responsibilities for the entire IT infrastructure and application stack reside within one organization. In contrast, it’s often too easy for developers to overlook configuration issues when programmatically deploying code directly onto a cloud service.
Miller-Osborn said many of these misconfiguration issues will be resolved by shifting more responsibility for application security onto the shoulders of developers. There are not enough cybersecurity professionals to keep pace with the rate applications are being deployed in the cloud. Developers will need to address vulnerability and configuration issues as part of the overall quality control process, while cybersecurity teams focus on creating the right policies and then validate whether those controls have been implemented.
The good news is that as the shift toward containerized applications continues, the ability to secure applications should improve. It’s much easier to rip and replace a set of containers that have software components with known vulnerabilities than it is to patch an entire monolithic application.
In the meantime, cybersecurity professionals will need to focus more on building working relationships with developers built more on trust than suspicion.