As companies move more and more resources to the cloud, two security risks are growing: misconfigurations and uncertainty in the cloud supply chain.

The SolarWinds and Kaseya breaches, in which IT management software was compromised, are among the most notorious examples of supply chain uncertainty. But it is the chain of code used to build cloud infrastructure that is increasingly at risk, and that is what is driving the move to shift security left.

Open source software can be a weak security link in this chain. According to a report published in September by Sonatype, attacks on the “next generation” software supply chain have increased 650% over the past year as threat actors move up the chain to infiltrate open source software.

These attacks scale more easily, letting cybercriminals distribute malware throughout the supply chain for maximum damage.

What is often overlooked in discussions about supply chain risk is that “attackers don’t necessarily modify source code repositories to facilitate these breaches,” as Matthew Chiodi, vice president and chief security officer, cloud, for Prisma Cloud by Palo Alto Networks, wrote in a September report by the company’s Unit 42 threat research team.

“They don’t have to,” he added. “They find weak points in the software development pipeline and attack them.”

Chiodi, who led the team that produced the report, makes it clear that open source is not the problem.

“In fact, I think using open source is a prerequisite for innovation,” he said. “Anyone who says their company can’t use open source should probably find another job because it seals their company’s fate from an innovation point of view.”

Almost all modern cloud native applications, including almost every software-as-a-service (SaaS) platform, are built from open source components. The problem is that no one is tasked with maintaining or securing this code.

“Many new cloud features and services, including SaaS applications, are being rolled out every day,” Chiodi told The New Stack. “However, some popular open source modules used in these applications have not been updated in years. And that is the core of the problem.”

Vulnerabilities in Open Source

The Unit 42 report was prompted by a Cloud Native Computing Foundation (CNCF) white paper on software supply chain best practices. That paper found that 98% of all codebases contain open source software and that 92% of those codebases contain outdated or vulnerable code that can be exploited, said co-author Andrés Vega, CNCF tech lead for the Security SIG and a member of the Security Technical Advisory Group.

In their own research, the team at Palo Alto Networks Unit 42 found that 63% of the third-party code templates used in building a cloud infrastructure contained insecure configurations, and 96% of the third-party container applications deployed in the cloud infrastructure had known vulnerabilities.

“Dealing proactively with these threats is paramount,” Chiodi wrote.

Most modern cloud native applications are built with Infrastructure as Code (IaC), which provisions several different components. This process, according to Chiodi, depends on several IaC packages and usually on Helm charts (Helm is a package manager for Kubernetes applications).

The chain of dependencies in a modern cloud-native application. (Image courtesy of Prisma Cloud by Palo Alto Networks Unit 42’s “Cloud Threat Report 2H 2021”.)

In turn, each Helm chart depends on multiple container images, and each of these images depends on multiple application packages.

“In other words, each of these modules a developer might bring in depends on other modules, so there is this chain of dependencies,” said Chiodi, who attributes most of the security problems to that chain.

There is a direct correlation between the number of dependencies and the likelihood of misconfiguration, Chiodi told The New Stack. For example, container images with one to 20 dependent packages have an average of 22 vulnerabilities, and with more than 100 dependent packages the average rises to 515 vulnerabilities.

The Unit 42 team used Bridgecrew’s static analysis tool, Checkov, which identifies misconfigurations in IaC frameworks, to analyze Terraform modules in common public registries. The team found that almost half of these modules contain at least one high or critical misconfiguration.

“When you factor in the number of times each module was downloaded, 64% resulted in at least one high or critical insecure configuration,” said Chiodi. “So most of what is downloaded from public registries has very bad configurations.”
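Checkov’s own rules are not reproduced here. As an added illustration, not code from the page, the Unit 42 report or Bridgecrew, the following Python script implements the same kind of check over a constructed Terraform snippet: it parses a small subset of HCL (top-level resource blocks, one level of nested blocks, scalar and list attributes), applies three policy rules modelled on common IaC checks, and reports each finding with a severity, first against the weak settings and then against the corrected ones. The resource types and attribute names are real AWS provider names; the check identifiers, severities and sample values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Terraform snippet with weak settings (not from the Unit 42 report).
INSECURE_TF = '''
resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "db" {
  storage_encrypted   = false
  publicly_accessible = true
}
'''

# The same resources with each weak setting corrected.
HARDENED_TF = (INSECURE_TF.replace('"public-read"', '"private"')
               .replace('"0.0.0.0/0"', '"10.0.0.0/8"')
               .replace('storage_encrypted   = false', 'storage_encrypted   = true')
               .replace('publicly_accessible = true', 'publicly_accessible = false'))

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
BLOCK_RE = re.compile(r'^\s*(\w+)\s*\{\s*$')      # nested block such as `ingress {`
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')  # `key = value`
CLOSE_RE = re.compile(r'^\s*\}\s*$')


def parse_value(raw):
    """Convert a scalar or list literal from the HCL subset into a Python value."""
    if raw.startswith('[') and raw.endswith(']'):
        return [parse_value(p.strip()) for p in raw[1:-1].split(',') if p.strip()]
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ('true', 'false'):
        return raw == 'true'
    return int(raw) if raw.lstrip('-').isdigit() else raw


def parse_resources(text):
    """Return [(type, name, {dotted_attr: value})] for each top-level resource block.

    Attributes inside nested blocks get dotted keys, e.g. 'ingress.cidr_blocks'.
    (A second block with the same name would overwrite the first; fine for this subset.)
    """
    resources, current, path = [], None, []
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2), {})
            continue
        if current is None:
            continue
        if BLOCK_RE.match(line):
            path.append(BLOCK_RE.match(line).group(1))
        elif CLOSE_RE.match(line):
            if path:
                path.pop()
            else:  # closing brace of the resource itself
                resources.append(current)
                current = None
        elif ATTR_RE.match(line):
            key, raw = ATTR_RE.match(line).groups()
            current[2]['.'.join(path + [key])] = parse_value(raw)
    return resources


@dataclass
class Finding:
    resource: str
    check: str
    severity: str
    message: str


def check_resource(rtype, name, attrs):
    """Policy rules modelled on the kind an IaC scanner applies (ids/severities constructed)."""
    rid, out = f'{rtype}.{name}', []
    if rtype == 'aws_s3_bucket' and attrs.get('acl') in ('public-read', 'public-read-write'):
        out.append(Finding(rid, 'S3_PUBLIC_ACL', 'HIGH', f"bucket ACL is {attrs['acl']}"))
    if rtype == 'aws_security_group' and '0.0.0.0/0' in attrs.get('ingress.cidr_blocks', []):
        out.append(Finding(rid, 'SG_OPEN_INGRESS', 'HIGH',
                           f"ingress port {attrs.get('ingress.from_port')} open to 0.0.0.0/0"))
    if rtype == 'aws_db_instance':
        if attrs.get('storage_encrypted') is not True:
            out.append(Finding(rid, 'RDS_UNENCRYPTED', 'HIGH', 'storage_encrypted is not true'))
        if attrs.get('publicly_accessible') is True:
            out.append(Finding(rid, 'RDS_PUBLIC', 'CRITICAL', 'publicly_accessible is true'))
    return out


def scan(text):
    """Scan a Terraform module given as text; findings come back highest severity first."""
    findings = [f for r in parse_resources(text) for f in check_resource(*r)]
    return sorted(findings, key=lambda f: {'CRITICAL': 0, 'HIGH': 1}[f.severity])


if __name__ == '__main__':
    for label, tf in (('insecure', INSECURE_TF), ('hardened', HARDENED_TF)):
        print(f'{label}: {len(scan(tf))} finding(s)')
        for f in scan(tf):
            print(f'  [{f.severity}] {f.check} {f.resource}: {f.message}')
```

The parser deliberately handles only the subset the snippet uses; real modules carry expressions, variables and multiple nested blocks, which is why a purpose-built tool such as Checkov evaluates the module graph rather than matching lines. The point the script makes is the one in the quote: the weak values are plain text sitting in the module, so a scan at the point of download or in the pipeline catches them before anything is provisioned.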

What are the effects of vulnerable software?

Another recent report, from Veracode, an application security company, found that while more than 80% of developers said they consider security when choosing a library, most never update the third-party libraries used in their software.

While developers are quick to fix some vulnerabilities in third-party software, the report said it could take them up to three months to patch half of the vulnerable libraries and a year to fix 75%.

The Veracode report examined 13 million scans from 86,000+ repositories containing over 300,000 unique libraries, as well as conversations with 1,700+ developers.

Vulnerabilities in widely used components can have enormous potential consequences. For example, security flaws and malware were recently found in open source npm packages, one of which has more than 14 million downloads per week.

Many security issues that stem from open source software are related to trust, said Cole Kennedy, CEO and Co-Founder of TestifySec, a cybersecurity company.

A developer may want to incorporate a repository with “only one employee who lives in mainland China and who is also employed by the Chinese military, which could be a problem,” he said. “And that’s really the problem we’re seeing with open source: a lot of it is not checked.”

Then there are legal consequences. For example, a survey by cybersecurity firm Venafi of more than 1,000 IT and development leaders found that 94% of them called for consequences, such as fines and legal liability, for software vendors who fail to secure their software build pipelines.

Pressure is also growing from existing and proposed regulation. President Biden’s executive order in May established that software bills of materials (SBOMs), detailing the commercial and open source components in a product, are now being requested from suppliers to the federal government.

They have also been proposed for critical infrastructure by the Cybersecurity and Infrastructure Security Agency (CISA).
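The SBOM requirement and the earlier finding that most codebases carry outdated or vulnerable components go together: an SBOM is the inventory you audit against. The following Python script is added here as an illustration and is not taken from the page or from any vendor it mentions. It builds a minimal CycloneDX-shaped SBOM from a constructed lockfile, naming each component by a package URL (purl), then audits that SBOM against a constructed advisory table and a constructed latest-release table. The advisory identifiers, version numbers and release data are placeholders invented for the example, not real advisories or real release history.

```python
import json
from dataclasses import dataclass

# Constructed lockfile (pip-style pins); the versions are sample values, not a real project.
LOCKFILE = """\
# application dependencies (constructed)
requests==2.25.1
urllib3==1.26.4
pyyaml==5.3.1
cryptography==3.4.8
"""

# Constructed advisory table: package -> [(first fixed version, advisory id)].
# Any version below the fixed version is treated as affected. IDs are placeholders.
ADVISORIES = {
    "urllib3": [("1.26.5", "ADV-PLACEHOLDER-0001")],
    "pyyaml": [("5.4", "ADV-PLACEHOLDER-0002")],
}

# Constructed "latest release" table, used to flag components that are merely outdated.
LATEST = {"requests": "2.26.0", "urllib3": "1.26.7", "pyyaml": "6.0", "cryptography": "35.0.0"}


def version_key(version):
    """Turn a dotted numeric version into a tuple so releases compare numerically."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str

    @property
    def purl(self):
        # Package URL, the identifier SBOM formats use to name a component unambiguously.
        return f"pkg:pypi/{self.name}@{self.version}"


def parse_lockfile(text):
    """Read 'name==version' pins, ignoring comments and blank lines."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        components.append(Component(name.strip().lower(), version.strip()))
    return components


def build_sbom(components):
    """Assemble a minimal CycloneDX-shaped document (a subset of the real schema)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


def audit_sbom(sbom):
    """Match each component against the advisory and latest-release tables."""
    findings = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp["version"]
        for fixed, advisory_id in ADVISORIES.get(name, []):
            if version_key(version) < version_key(fixed):
                findings.append((comp["purl"], "vulnerable", f"{advisory_id}, fixed in {fixed}"))
        latest = LATEST.get(name)
        if latest and version_key(version) < version_key(latest):
            findings.append((comp["purl"], "outdated", f"latest is {latest}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'vulnerable': 2, 'outdated': 4}."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    sbom = build_sbom(parse_lockfile(LOCKFILE))
    print(json.dumps(sbom, indent=2))
    for purl, category, detail in audit_sbom(sbom):
        print(f"{category:10} {purl}: {detail}")
    print(summarize(audit_sbom(sbom)))
```

In practice the advisory and release tables come from a vulnerability database and the package index rather than from constants, and the SBOM is regenerated on every build so the audit runs against what actually ships; the split between the inventory (the SBOM) and the judgement about it (the audit) is what lets a customer or regulator re-run the check on the same document.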

How to avoid software risks

CNCF’s best practices white paper breaks the problem of securing the software supply chain into five key areas, using the analogy of a physical manufacturing supply chain and adopting the practices used to secure it. The five areas are securing source code, materials, build pipelines, artifacts and deployments.

The organization also offers recommendations for security assessments and the security review process, and an assessment framework for evaluating your own architecture.

The CNCF white paper looked at practices across several industries. “If we standardize state-of-the-art security recommendations for security-conscious organizations and highly regulated industries, how do we bring that together?” said Vega, the paper’s co-author.

Another distinction to consider is between the security risks of small, one-off projects and libraries and those of larger, commercially supported projects like Linux and Kubernetes, which are very dynamic. “These large open source projects are probably safer than most closed source corporate projects because they have more eyes on them,” said Kennedy.

Third-party reviews already exist for some open source projects, usually company sponsored. For example, Cure53, a cybersecurity company, has performed some assessments for the CNCF, and the Open Source Security Foundation’s Scorecards can be used to assess project security.

“If you have in-house expertise, you can see the actual source code, who submitted it and where it came from,” said Kennedy.

Sigstore is a new service and standard for signing, verifying and protecting software components, “for open source maintainers, by open source maintainers,” as its website says. “It has a public record system that anyone can review,” Vega said. The project started as an open source initiative at Red Hat and is now under the auspices of The Linux Foundation.

The companies CloudBees, Sophos, Venafi and Veracode are working to define a vendor-neutral map of standard controls for evaluating software that development teams need for purchasing, according to a Venafi blog post. These controls, along with details of possible exposures, are listed on GitHub.

Protecting the development pipeline

Traditionally, developers have relied on tools that scan for vulnerabilities. But once the code is compiled, any vulnerability introduced into it is often hidden from scanning tools.

Language can also affect the ability to find vulnerabilities in software. In C, a vulnerability is easier to hide, but some aspects of memory in C can make code more secure, Kennedy said. Vulnerabilities are easier to find in Python, but code is exposed to more types of attack.

Providing attestations, verifiable proof of software quality, definitely helps. TestifySec, for example, is putting together a service offering that helps companies implement software supply chain security.

“We’re also developing a product, both open source and commercial SaaS,” said Kennedy. “We have an open source version of our new product Witness, a command line tool that provides these attestations.”

For its part, Palo Alto Networks has just launched Prisma Cloud 3.0, a cloud native application protection platform that includes many new features, among them cloud code security.

“This enables companies to integrate security for IaC and cloud native applications as part of their developer and DevOps workflows, and you can build open source security right into those operations,” said Chiodi.

“It also gives companies the ability to monitor and manage their cloud security posture across all major cloud providers. We offer all of this on one platform instead of having to buy 15 different tools.”

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Kaseya.

Featured image by Miltiadis Fragkidis via Unsplash.
