Top Threat #5 to Cloud Computing: Insecure Software Development

Published 10/17/2022

Written by the CSA Top Threats Working Group.

The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.

This blog summarizes the fifth threat (of eleven) from the report: insecure software development. Learn more about threat #3 here and threat #4 here.


Why You Should Leverage Cloud Service Providers

Software is complex, with cloud technologies tending to add to the complexity. In that complexity, unintended functionality emerges which could allow for the creation of exploits and likely misconfigurations. Thanks to the accessibility of the cloud, threat actors can leverage these “features” more easily than ever before.

Adopting a cloud-first strategic posture allows entities to offload maintenance and security headaches to a cloud service provider (CSP). Entrusting a CSP to manage the infrastructure and/or platform layers prevents developers from reinventing the wheel and removes the need for companies to build those services themselves.

Bug Fixes Can Lead to Vulnerabilities

No developer sets out to create insecure software. Yet major software vendors release patches every month for bugs that can be used to impact the confidentiality, integrity, and/or availability of a system. Not all software bugs have security implications, but even odd quirks can become significant threats. Embracing cloud technologies allows companies to hone their focus on what is unique to their business, while letting the CSP own and manage everything else.

Business Impact

The direct business effects of insecure software development include:

  • Loss of customer confidence in the product
  • Damage to brand reputation due to a data breach
  • Legal and financial impact from lawsuits

What Are the Key Takeaways?

Here are some key takeaways to consider:

  1. Using cloud technologies prevents reinventing existing solutions
  2. By leveraging the shared responsibility model, items can be owned by a CSP
  3. CSPs will offer guidance on how to implement services in a secure fashion

Example

In September 2021, Apple’s iOS was discovered to have been exploited by NSO’s Pegasus software, which leveraged a zero-click vulnerability that allowed for remote code execution. In a one-click exploit, targets were hacked on iMessage when they clicked a link. In the recent zero-click exploit, however, targets could be vulnerable with no interaction required. The attack works quietly in the background, with no defense.


Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.