Top Threat #5 to Cloud Computing: Insecure Software Development
Published 10/17/2022
Written by the CSA Top Threats Working Group.
The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.
This blog summarizes the fifth threat (of eleven) from the report: insecure software development. Learn more about threat #3 here and threat #4 here.
Why You Should Leverage Cloud Service Providers
Software is complex, and cloud technologies tend to add to that complexity. Out of that complexity emerges unintended functionality, which can open the way to exploits and to likely misconfigurations. Thanks to the accessibility of the cloud, threat actors can leverage these “features” more easily than ever before.
Adopting a cloud-first strategic posture allows entities to offload maintenance and security headaches to a cloud service provider (CSP). Entrusting a CSP to manage the infrastructure and/or platform layers keeps developers from reinventing the wheel and removes the need for companies to build those services themselves.
Bug Fixes Can Lead to Vulnerabilities
No developer sets out to create insecure software. Yet every month, major software vendors release patches for bugs that could be used to compromise the confidentiality, integrity, and/or availability of a system. Not all software bugs have security implications, but even odd quirks can become significant threats. Embracing cloud technologies allows companies to focus on what is unique to their business, while letting the CSP own and manage everything else.
Business Impact
The direct business effects of insecure software development include:
- Loss of customer confidence in the product
- Damage to brand reputation due to a data breach
- Legal and financial impact from lawsuits
What Are the Key Takeaways?
Here are some key takeaways to consider:
- Using cloud technologies prevents reinventing existing solutions
- By leveraging the shared responsibility model, items can be owned by a CSP
- CSPs will offer guidance on how to implement services in a secure fashion
Example
In September 2021, Apple’s iOS was discovered to be exploited by NSO’s Pegasus software, leveraging a zero-click vulnerability that allowed for remote code execution. In the earlier one-click exploit, targets were compromised on iMessage when they clicked a link. However, in the more recent zero-click exploit, targets could be compromised with no interaction required. The attack works quietly in the background, with no defense available to the target.
Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.