Top Threat #5 to Cloud Computing: Insecure Software Development
Blog Article Published: 10/17/2022
Written by the CSA Top Threats Working Group.
The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, reflecting how the pandemic and the growing complexity of workloads, supply chains, and new technologies have shifted the cloud security landscape.
Why You Should Leverage Cloud Service Providers
Software is complex, and cloud technologies tend to add to that complexity. Within that complexity, unintended behaviour emerges that can be turned into exploits, and misconfigurations become likely. Thanks to the accessibility of the cloud, threat actors can leverage these "features" more easily than ever before.
Adopting a cloud-first strategic posture allows entities to offload maintenance and security headaches to a cloud service provider (CSP). Entrusting a CSP to manage the infrastructure and/or platform layers keeps developers from reinventing the wheel and removes the need for companies to build those services themselves.
Bug Fixes Can Lead to Vulnerabilities
No developer sets out to create insecure software. Yet, every month major software vendors release patches for flaws that could be used to compromise the confidentiality, integrity, and/or availability of a system. Not all software bugs have security implications, but even odd quirks can become significant threats. Embracing cloud technologies allows companies to focus on what is unique to their business, while letting the CSP own and manage everything else.
The direct business effects of insecure software development include:
- Loss of customer confidence in the product
- Damage to brand reputation due to a data breach
- Legal and financial impact from lawsuits
What Are the Key Takeaways?
Here are some key takeaways to consider:
- Using cloud technologies prevents reinventing existing solutions
- Under the shared responsibility model, infrastructure and platform controls can be owned by the CSP, while the customer remains responsible for its own code, data, and configuration
- CSPs offer guidance on how to implement their services in a secure fashion
In September 2021, Apple's iOS was found to have been exploited by NSO Group's Pegasus spyware through a zero-click vulnerability that allowed remote code execution. In earlier one-click exploits, targets were compromised when they clicked a link delivered over iMessage. In the zero-click exploit, however, a target could be compromised with no interaction at all: the attack ran silently in the background, giving the user nothing to notice or defend against.
Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.