Misconfigurations in software development environments and poor security hygiene in the supply chain can impact cloud infrastructure and offer opportunities for malicious actors to control unwitting victims’ software development processes.
These were the results of a report from Palo Alto Networks’ security specialist Unit 42, which conducted a red team exercise with a large SaaS provider.
If an attacker (like an APT) compromises third-party developers, it’s possible to infiltrate thousands of organizations’ cloud infrastructures, the report warned.
Supply Chain Flaws in the Cloud
Matt Chiodi, CSO of public cloud at Palo Alto Networks, explained that supply chain flaws in the cloud are difficult to detect because of the massive number of building blocks that go into even a basic cloud-native application.
“Our researchers estimated that the typical cloud-native application is built upon hundreds of these packages,” he said. “Let’s call them ‘Legos.’ Each of these Legos that developers plug into their application carries a certain risk and can be a vector to another supply chain attack.”
The report highlights how vulnerabilities and misconfigurations can quickly snowball within the context of the cloud software supply chain, and called for organizations to “shift security left.”
“Shifting security left is about moving security as close to development as possible,” said Chiodi. “Historically, security and development teams have operated independently of each other.” He added that development teams like to move quickly and try new things and security is more often the opposite.
“The concept of ‘shift left’ attempts to not change developer behaviors, but rather equip them with processes and tools that work natively to secure their existing methods of developing software,” Chiodi said. “If security teams can equip development teams with processes and tools that work natively with development tools and measure regularly, they greatly reduce their risks of supply chain insecurity from cloud-native applications. This is a good first step.”
He pointed out the first wave of migrations to the cloud was marked by “lift and shift,” meaning that organizations simply took existing applications as-is and moved them to the cloud.
“When they did this, they could say the applications were running in the cloud, but the applications themselves were not cloud-native,” he said.
Being Truly Cloud-Native
The current wave of migrations to the cloud recognizes that in order to reap all the benefits of the cloud, the application itself must be cloud-native — meaning it makes full use of cloud-native features like infrastructure-as-code (IaC), containers, Kubernetes and PaaS-based services like Google Cloud SQL and Azure SQL.
“It’s this second wave of migrations to cloud-native that are driving supply chain security in the cloud as an emerging threat,” Chiodi said.
Supply chain attacks can also be a major threat because third-party packages are routinely imported into supply chains via IaC templates that organizations don’t always inspect sufficiently. As a result, security vulnerabilities can creep in and remain undetected.
“The best way to think of IaC is as the foundation of a house. If the foundation is flawed, whatever you build on top of it will also be at risk. It’s the same way in the cloud,” Chiodi said. “IaC is typically used to provision cloud infrastructure. So, if the basic cloud infrastructure is built in an insecure way, the cloud-native applications built on top of it are going to also be at risk.”
Unit 42 analyzed over 42,000 IaC templates and found that 63% of them contain at least one critical or highly insecure configuration.
“This goes to show that the vast majority of what development teams are using to build cloud-native infrastructure is insecure from the start,” he said. “This puts the entire cloud supply chain at risk for the enterprise.”
Chiodi pointed to a Cloud Native Computing Foundation (CNCF) whitepaper that lays out a five-step process for helping DevOps and security teams gain better visibility into the bill of materials in every cloud workload.
The first step is to secure the source code, then secure the materials, then secure the build pipeline, the artifacts and, finally, secure the deployments.
He said for most large organizations, this will be a multi-year process and recommended that enterprises start by reading the CNCF whitepaper and then creating a shift-left security strategy.
“Then, the next step is for security to investigate where and how software is being created in their organization,” he said. “Once they understand this, they can then begin to work side-by-side with development teams to standardize development tools and processes, institute automated code reviews and security-quality guardrails.”