Cloud-based dev teams: shift security left to avoid being the next SolarWinds
Cloud-based managed services as well as infrastructure-as-code (IaC) practices are increasingly popular among application developers for the efficiencies they create. But if dev teams are not careful, experts warn, they could be maliciously exploited to perpetrate watering-hole and supply chain attacks like the one that impacted SolarWinds.
These warnings underscore the growing importance of shifting security left – a DevSecOps philosophy that encourages testing for flaws and vulnerabilities earlier in an app’s development lifecycle. Even then, developers will want to consider baking security policies and bug remediation into their pipeline, and take advantage of tools that provide visibility across the entire development process.
Following an analysis of hundreds of cloud native infrastructure deployments, researchers from Accurics last week published their Cloud Cyber Resilience Report, which notes a growing trend of developers boosting productivity through cloud-hosted managed infrastructure, such as hosted continuous integration and delivery services, or CI/CD, messaging services and serverless computing (aka function-as-a-service or FaaS).
But delegating portions of your development pipeline to these cloud services also creates third-party risk, especially when the cloud service provider (CSP) engages in unsafe practices such as misconfiguration. Indeed, Accurics found that 22.5 percent of violations of security policy best practices involved insecure managed services configurations.
“We see a reliance on using default security profiles and configurations, along with excessive permissions,” said Om Moolchandani, Accurics co-founder, chief technology officer and chief information security officer in a released statement. “Messaging services and FaaS are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we’ll start seeing more breaches through insecure configurations around these services.”
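The article's two practical points are that policy checks belong in the pipeline (shift left) and that the violations found most often are default security profiles, excessive permissions and open configurations on storage buckets, messaging services and serverless functions. The following is an added example, written for this page and not code from the article or from Accurics, of a minimal policy-as-code gate a CI job could run over an infrastructure-as-code plan before anything is deployed. The resource list it scans is a simplified, constructed format (not real Terraform or CloudFormation output); the rule names, the `scan` and `pipeline_gate` functions and the sample account IDs are all assumptions made for the illustration.

```python
"""Added example: a small policy-as-code check for an IaC plan.

The resource schema below is constructed for this illustration; the IAM
policy fragments use the real AWS policy document shape (Effect, Principal,
Action, Resource) but everything else is invented.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    rule: str
    detail: str


def _as_list(value):
    """IAM allows Action/Resource/Principal.AWS to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anyone can call the resource)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_storage_bucket(res):
    """Flags public ACLs and buckets left on the default (no block) setting."""
    findings = []
    if res.get("acl") in ("public-read", "public-read-write"):
        findings.append(Finding(res["name"], "BUCKET_PUBLIC_ACL", f"acl={res['acl']}"))
    if not res.get("block_public_access", False):
        findings.append(Finding(res["name"], "BUCKET_PUBLIC_ACCESS_NOT_BLOCKED",
                                "block_public_access unset: default profile in use"))
    return findings


def check_queue(res):
    """Flags queue policies that allow any principal, and unencrypted queues."""
    findings = []
    for stmt in res.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append(Finding(res["name"], "QUEUE_POLICY_ANY_PRINCIPAL",
                                    f"actions={_as_list(stmt.get('Action', []))}"))
    if not res.get("encrypted", False):
        findings.append(Finding(res["name"], "QUEUE_UNENCRYPTED", "encryption at rest disabled"))
    return findings


def check_function(res):
    """Flags function execution roles with wildcard actions or resources."""
    findings = []
    for stmt in res.get("role_policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad or "*" in resources:
            findings.append(Finding(res["name"], "FUNCTION_EXCESSIVE_PERMISSIONS",
                                    f"actions={broad} resources={resources}"))
    return findings


CHECKS = {"storage_bucket": check_storage_bucket, "queue": check_queue, "function": check_function}


def scan(resources):
    """Run every applicable check over the plan and collect the findings."""
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


def pipeline_gate(resources) -> int:
    """Exit status for a CI step: 1 (fail the build) on any finding, else 0."""
    return 1 if scan(resources) else 0


# Constructed sample plan: one insecure resource of each kind the article names.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "name": "assets", "acl": "public-read"},
    {"type": "queue", "name": "orders", "encrypted": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "sqs:SendMessage"}]}},
    {"type": "function", "name": "resize-images",
     "role_policy": {"Statement": [{"Effect": "Allow",
                                    "Action": ["logs:CreateLogStream", "s3:*"],
                                    "Resource": "*"}]}},
]

# Constructed hardened plan: same resources with explicit, least-privilege settings.
HARDENED_PLAN = [
    {"type": "storage_bucket", "name": "assets", "acl": "private", "block_public_access": True},
    {"type": "queue", "name": "orders", "encrypted": True,
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                               "Action": "sqs:SendMessage"}]}},
    {"type": "function", "name": "resize-images",
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": ["logs:CreateLogStream"],
                                    "Resource": "arn:aws:logs:us-east-1:111122223333:*"}]}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PLAN):
        print(f"{f.resource}: {f.rule} ({f.detail})")
    raise SystemExit(pipeline_gate(SAMPLE_PLAN))
```

Wired into a CI job, the non-zero exit status from `pipeline_gate` stops the deployment step, which is the point of shifting the check left: the default-profile and wildcard-permission findings the report describes are caught in the pull request rather than in a post-incident review. The rules are deliberately narrow; a real gate would cover many more resource types and would be kept in version control alongside the IaC it polices.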