Far too many organizations are still trying to apply traditional cybersecurity tactics to modern deployments of cloud infrastructure. And as Log4Shell makes clear, organizations are overlooking obvious points of security failure throughout their software supply chain, from the initial creation of code to how updates are deployed to users.
Supply chain or third-party attacks leverage weaknesses within software components and delivery pipelines to exploit and compromise cloud-based applications. The more complex the cloud application, the more distributed the infrastructure and the broader the attack surface. But there is a silver lining — with cloud-native technologies, security can be built into the software at the time of writing the code.
Threats associated with third-party cloud apps
Third-party cloud apps are a fertile entry point for attackers as they’re designed to be exposed to the internet. Although all modern cloud apps are being built with safety, security and availability- their cyber resilience – in mind. In their mind, they possess various vulnerabilities and cloud misconfigurations. These allow attackers to gain access to the cloud network and breach critical business databases.
Modern cloud applications integrate with several third-party APIs for notifications, monitoring, data aggregation, and analytics. Any security risks within third-party APIs and the cloud on which the third-party APIs are running pose the risk of supply chain attacks. This is also why APIs are increasingly being targeted by criminals as they are the low-hanging fruit in cloud-native apps.
Besides, some supply chain components for cloud apps are sold and delivered by third-parties through cloud marketplaces. Major cloud providers generally host a marketplace where millions of third-party cloud products and apps are sold as supply chain components. Any vulnerabilities and risks in these applications pose risks for cloud infrastructure and SaaS applications that use them.
When addressing security risks associated with third-party apps, organizations require DevOps and security teams to lock arms in order to ensure there’s a complete and up-to-date inventory of all the APIs in use across different applications within the organization. It isn’t going to be enough to simply locate misconfiguration errors but they will need to be remediated quickly. Any security tools used must explicitly be designed to support both developer and security teams to avoid creating a bottleneck in the DevOps process. CISOs need to consider adopting tools that understand the broader context of how APIs fit into the system.
Securing the supply chain with IaC security
Most applications that enterprises use often contain code that the IT teams didn’t write, particularly code used from open source libraries. Organizations cannot control the vulnerabilities and cloud misconfigurations introduced by these open source dependencies, posing significant security risks. If one of these dependencies has a vulnerability, then chances are the organization using the code is vulnerable as well. At runtime, identifying and patching these flaws become far too expensive.
In cloud-native technologies, attackers focus on leveraging vulnerabilities within off-the-shelf web app software in supply chain components used to build cloud apps. These vulnerabilities help attackers expand their attack radius. What organizations require in such circumstances is software that is secure by design. While Infrastructure-as-Code(IaC) brings with it great benefits in fast deployment, it can also be used to build security into the code itself so that it is immutable. IaC security tools can programmatically detect and fix cloud infrastructure misconfigurations and prevent unresolved misconfigurations within the software at runtime.
Automated IaC security tools can not only detect vulnerabilities but also provide DevOps teams with quick fixes, ensuring compliant runtime changes, and automatic remediations to address configuration drifts. This is a proactive approach to security and it evolves at the speed of the cloud. These tools not only provide centralized visibility of all vulnerabilities and cloud misconfigurations but improves risk detection, lack of encryption and prevent malicious code from being deployed at the software development stage.
Leveraging IaC will create a new world order for securing software supply chains. Legacy cloud security tools have, time and again, tried to address the security issues in the cloud but have failed to leverage all its capabilities. This traditionalist approach to identifying security flaws at runtime is not only expensive but ineffective, as it makes room for supply chain vulnerabilities to creep into the network. It is far more effective for organizations to identify and address the flaws in the code used to create the environment in the first place. When security enables DevOps efficiently, the software becomes resilient by design.
The author is VP of Engineering, Tenable titled- Achieving immutability in the software supply chain. The opinion expressed in the article are author’s own.