The vast majority of third-party code used in cloud infrastructure contains vulnerabilities and misconfigurations, which could leave organizations exposed to attack, according to Palo Alto Networks.
The security vendor’s Unit 42 Cloud Threat Report 2H 2021 used data from various public sources better to understand the threat from cloud software supply chains.
It revealed that 63% of third-party code templates used to build cloud infrastructure contain insecure configurations, while 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities.
Unvetted third-party code can introduce vulnerabilities and malware inserted on purpose by threat actors. A Sonatype study from earlier this month revealed a 650% spike in upstream supply chain attacks of this nature.
To highlight the challenge, Unit 42 analyzed public Terraform modules and found over 2500 were misconfigured in areas such as encryption, logging, networking, backup and recovery, and identity and access management.
“Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud-native applications have a long chain of dependencies, and those dependencies have dependences of their own,” the vendor explained.
“DevOps and security teams need to gain visibility into the bill of materials in every cloud workload in order to evaluate risk at every stage of the dependency chain and establish guardrails.”
Alongside its analysis of public data sources, Unit 42 was recently commissioned by a SaaS customer of Palo Alto Networks to run a red team exercise on its environment. It revealed critical flaws in its software development processes, which exposed the firm to attacks similar to those on SolarWinds and Kaseya.
“The customer whose development environment was tested in the red team exercise has what most would consider a mature cloud security posture,” the vendor claimed. “However, their development environment contained several critical misconfigurations and vulnerabilities, enabling the Unit 42 team to take over the customer’s cloud infrastructure in a matter of days.”