Tuesday, May 21, 2024

Enterprises should take ‘shift-left approach’ to security, says Palo Alto Networks

Cybersecurity provider Palo Alto Networks recently revealed findings from its threat research team, Unit 42, that highlight a major gap between how organizations perceive their cloud security and the reality of threats that pose serious risk and could impact the business catastrophically.


The study, Palo Alto Networks’ Unit 42 Cloud Threat Report 2H 2021, takes a deep dive into software supply chain attacks specifically and offers actionable recommendations for organizations securing their software supply chains in the cloud.

In a nutshell, based on analysis of data from several public sources, the Unit 42 team found a growing number of organizations with a false sense of security in the cloud, most of them also largely unprepared to face the threats.

To test its exposure, a Palo Alto Networks customer, a large SaaS provider, commissioned Unit 42 to perform a red team exercise against its software development environment. Within three days, a single Unit 42 researcher identified a critical software development flaw in the provider’s systems that could have led to an attack on its customers on the scale of SolarWinds or Kaseya.

Despite the company’s mature cloud security posture, Unit 42 researchers were able to exploit misconfigurations in its software development environment, such as hardcoded IAM key pairs, a weakness that lets attackers take control of development processes and launch a successful supply chain attack.

Furthermore, the company’s third-party code templates contained insecure configurations, and third-party container applications deployed in its cloud infrastructure contained known vulnerabilities. Because third-party code templates are used to build cloud infrastructure and third-party container applications run the workloads, these weaknesses could give attackers access to the sensitive cloud data used to control the organization’s software development environment.

Palo Alto Networks recommends a “shift-left approach” to supply chain threats, meaning that software and system testing is introduced much earlier in the development lifecycle. Enterprises must also not neglect DevOps security: cloud native applications have a long chain of dependencies, and the risks should be evaluated at every stage of that chain, with established guardrails in place.
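One concrete form of the guardrail the report calls for is a check that runs before code is committed or infrastructure is applied and fails the pipeline when it finds a hardcoded IAM key pair, the misconfiguration Unit 42 exploited in the exercise above. The script below is an added example written for this article, not code from Palo Alto Networks or Unit 42. It scans file contents for AWS access key IDs (the documented `AKIA`/`ASIA` prefix plus 16 characters) and for 40-character secret keys assigned to a secret-like variable, and reports redacted hits so the report itself does not leak the credential. The sample Terraform files, paths and variable names are constructed for the example; the key values are the placeholder credentials AWS uses in its own documentation, not live keys. It does not cover the other two findings (insecure template settings and vulnerable container images), which need a policy engine and an image scanner respectively.

```python
"""Shift-left guardrail: fail a commit or CI job when IaC or config text
contains a hardcoded AWS IAM key pair.

Added example for this article; not Unit 42 or Palo Alto Networks code.
The sample files and values below are constructed (AWS documentation
placeholder keys), not real credentials.
"""
import re
from dataclasses import dataclass

# Long-term IAM user access key IDs start with "AKIA", temporary STS key IDs
# with "ASIA"; both are 20 uppercase alphanumerics and never belong in source.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-alphabet characters. Alone that is noisy
# (hashes, tokens), so only flag it when it is the value of a secret-like
# assignment such as  secret_key = "..."  or  AWS_SECRET_ACCESS_KEY: ...
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    excerpt: str   # redacted value, safe to print in CI logs


def redact(value: str) -> str:
    """Keep the first and last 4 characters so a human can match the key in
    the console, mask everything else."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every hardcoded key found in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(2))))
    return findings


def gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Pre-commit / CI entry point over {path: contents}.
    Fails closed: any finding means the gate does not pass."""
    all_findings = []
    for path, text in files.items():
        all_findings.extend(scan_text(path, text))
    return (len(all_findings) == 0, all_findings)


# Constructed sample repo: a provider block with a key pair pasted in, and a
# clean variables file. Paths and values are hypothetical.
SAMPLE_FILES = {
    "infra/provider.tf": (
        'provider "aws" {\n'
        '  region     = "us-east-1"\n'
        '  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        '}\n'
    ),
    "infra/variables.tf": 'variable "region" {\n  default = "us-east-1"\n}\n',
}

if __name__ == "__main__":
    passed, hits = gate(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: hardcoded {f.kind}: {f.excerpt}")
    # Non-zero exit is what makes a pre-commit hook or CI stage fail.
    raise SystemExit(0 if passed else 1)
```

Wire `gate()` into a pre-commit hook or the first CI stage so the finding surfaces on the developer's own branch rather than in a red team report; the same two patterns also apply to CI variables files, Dockerfiles and Kubernetes manifests, which is where Unit 42 says the exposed keys tend to sit.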
