Supply Chain Council of European Union | Scceu.org

Cloud Container Challenges Emerging

As we begin to close out the year, news headlines highlight supply chain issues, with hundreds of container ships stranded in ports. Perhaps you’ve ordered something only to find delays in shipping, or maybe you’ve witnessed shortages of critical supplies. In general, demand is outpacing availability across the board. Wall Street is concerned with sales and profits, but an unheralded threat looms in the shadows, and that threat could manifest throughout cloud systems and environments. It lies in the supply chain of code and software found in the infrastructure of everyday companies, built up as we stacked virtualization on top of virtualization layers to create cloud containers.

Recently, a report from Unit 42 shows how:

●      96% of the third-party container applications contained known vulnerabilities

●      63% of the third-party code contained insecure configurations within a given cloud infrastructure  

Repeat Ramifications

As of right now, it may be early in the life of these risk conditions; however, the recent report indicates that risks are teeming everywhere and largely unchecked. These conditions are a powder keg of explosive ramifications that are centrally located at the core of trust but have a potential range of effects that could scale exponentially at any time. Container environments, which lie at the evolving application core of customer-facing use, are just the beginning. A functional update carrying even a minor vulnerability can instantly scale to threaten a broad range of data types and disrupt the integrity of the software itself.

These are the very supply chain risk vectors we should all fear, especially after the Colonial Pipeline hack that paralyzed the eastern seaboard of the US for multiple days, and after the equally damaging JBS meat packing plant hack. Central to this ongoing and potentially scaling set of conditions is the operational fact that legacy software, along with its potential vulnerabilities, can enter new structures and deployments without ever raising fears. These components carry hidden risks, are difficult to detect, and threaten DevOps-based deployment environments and pipelines. A key component to working through these risk conditions is to increase the focus on and analysis of technology supply chains for vulnerabilities.

Getting Back in the Cyber Gym

Information technology departments are going to have to get back to the fundamentals of analyzing, monitoring, and securing their software foundations. We can only conquer this potential issue through a continual process of serious assessment, thorough vetting, continual validation, and monitoring throughout the deployment process, at every point of egress and ingress.

Specifically, IT departments in risk-averse environments need to:

●      Deconstruct the Lego set of applications and infrastructure, then run down every source of origin, document it and act as needed

●      Begin to roll out custom images and containers

●      Distrust 3rd-party code in all circumstances, including marketplace virtual machines and images from cloud galleries that they might be unaware they have implemented
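One way to start running down image origins, as an added example that is not from the original article or the Unit 42 report: it inventories every base image named in a Dockerfile and flags those pulled from outside an organisation's own registry or not pinned by digest. The registry name `registry.internal.example`, the issue labels, and the sample Dockerfile lines are constructed assumptions.

```python
import re

# Assumption: hypothetical name for the organisation's own registry.
TRUSTED_REGISTRIES = {"registry.internal.example"}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker reads the first component as a registry host only if it contains
    # '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, colon, tag = path.rpartition(":")
    if not colon:
        repo, tag = path, ""
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official images live under library/
    return registry, repo, tag, digest

def audit_dockerfile(text):
    """Return an inventory record, with issues, for every base image."""
    records, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        is_stage = ref.lower() in stages or ref == "scratch"
        if alias:
            stages.add(alias.lower())
        if is_stage:
            continue  # earlier build stage or empty base: no external origin
        registry, repo, tag, digest = parse_image(ref)
        issues = []
        if "$" in ref:
            issues.append("origin-set-by-build-arg")
        elif registry not in TRUSTED_REGISTRIES:
            issues.append("third-party-registry")
        if not digest:
            issues.append("not-pinned-by-digest")
        records.append({"line": lineno, "image": ref, "registry": registry, "issues": issues})
    return records

DIGEST = "sha256:" + "0" * 64  # constructed placeholder digest
SAMPLE = f"""FROM node:16 AS build
FROM build AS test
FROM quay.io/vendor/tool:latest
FROM registry.internal.example/base/nginx@{DIGEST}
"""  # constructed Dockerfile lines
for rec in audit_dockerfile(SAMPLE):
    print(rec)
```

Records with an empty issue list still appear in the output, so the result doubles as the documented inventory of origins.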

DevOps shops are not alone. Everywhere you look you will find companies making fundamental decisions about the software security supply chain throughout their organizations. Just shy of one year ago, an attack from a still-unidentified perpetrator was discovered within the SolarWinds breach. The company’s products were built on management and direct access to client infrastructure environments.  Attacks of this type make it possible to infiltrate thousands of third-party infrastructures under the umbrella of trust. 

Software as a Source of Massive Bait

There is little doubt that attempts, inspired by the SolarWinds breach, to break into the assumed trust placed in third-party software continue to this day. There is also little doubt that cybercriminals are aware of the soft middle presented by trusted sources of software. A compromise of a trusted third party, or at the source of trusted company software, can have catastrophic effects.

This is a problem that is on the horizon and one that will require sweeping efforts to overcome.
