Addressing security weaknesses in the software development pipeline
A recent Cloud Threat Report by Unit 42, Palo Alto Networks’ cloud threat research team, describes research that emulated high-profile supply chain attacks such as those involving SolarWinds and Kaseya, and found that supply chain attacks against cloud environments continue to grow as an emerging threat.
Speaking ahead of a webinar on securing cloud-native infrastructure, Frans de Waal, Prisma Cloud Sales Specialist, Palo Alto Networks, says: “The research indicates that many organisations may still have a false sense of supply chain security in the cloud. Attackers don’t necessarily modify source code repositories to facilitate supply chain breaches. They don’t have to. They find weaknesses in the software development pipeline and attack those. Unit 42 researchers found that 63% of third-party code templates used in building cloud infrastructure contained insecure configurations, and 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities.”
A Unit 42 red team exercise performed against a SaaS customer’s continuous integration and continuous delivery (CI/CD) pipeline achieved administrator access within the organisation’s cloud environment because 26 identity and access management (IAM) key pairs had been hardcoded and stored in an internal GitLab repository. SaaS vendors use CI/CD pipelines to deploy their services and applications rapidly. Some attackers deliberately target SaaS vendors with the specific aim of compromising the vendor’s CI/CD pipeline and inserting malicious code into part of the application’s containerised ecosystem.
Every repository within the GitLab environment was accessible to any of the organisation’s developer accounts. Some of the key pairs stored in the GitLab repository allowed researchers to escalate their permissions within the organisation’s cloud environment to the extent that they would be capable of compromising the CI/CD pipeline, potentially resulting in hundreds, if not thousands, of downstream clients being affected.
De Waal says: “Organisations need to be taking a software-centric and cloud-focused approach to security; automating security to keep pace with changing applications and software infrastructure. Prisma Cloud is the industry’s most comprehensive cloud native security platform (CNSP), with the industry’s broadest security and compliance coverage – for users, applications, data and the entire cloud native technology stack – throughout the development life cycle and across hybrid and multicloud environments.”
Palo Alto Networks, in partnership with ITWeb, will host a webinar on the Security Automation Stack on 30 November. The webinar will outline frameworks for representing all aspects of infrastructure and security as code, coupled with automation applied throughout the build, deploy and run phases. It will also demonstrate the Prisma Cloud benefits for organisations scaling in the cloud. Registration details for the event are available from ITWeb.