Top Threat #6 to Cloud Computing: Unsecure Third-Party Resources
Published 10/30/2022
Written by the CSA Top Threats Working Group.
The CSA Top Threats to Cloud Computing Pandemic Eleven report aims to raise awareness of threats, vulnerabilities, and risks in the cloud. The latest report highlights the Pandemic Eleven top threats, in which the pandemic and the complexity of workloads, supply chains, and new technologies shifted the cloud security landscape.
This blog summarizes the sixth threat (of eleven) from the report: unsecure third-party resources. Learn more about threat #4 here and threat #5 here.
What is a Third-Party Resource?
With the increase in the adoption of cloud computing, third-party resources have come to mean different things: from open source code and SaaS products, to managed services provided by a cloud vendor. Risks from third-party resources are also considered supply chain vulnerabilities because third parties are involved in delivering your products or services. The risks exist in every product and service consumed.
Where is Your Weak Link?
Because a product or service is the sum of all the other products and services it uses, an exploit can take place at any point in the chain and work its way inward from there. For the malicious hacker, this means that to achieve their goal, they only need to find the weakest link in the chain and use it as an entry point.
Business Impact
The direct business effects of unsecure third-party resources include:
- Loss or stoppage of key business processes.
- Business data being accessed by outside parties.
- Patching or fixing a security issue depends on the provider and how quickly they respond. The impact of this delay can be significant, depending on how important the affected application is.
What Are the Key Takeaways?
Here are some key takeaways to consider:
- You can't prevent vulnerabilities in code that you didn't create, but you can still try to make good decisions about which products to use.
- Identify and track the third parties you are using.
- Perform a periodic review of the third-party resources to remove products you don’t need and revoke access or permissions.
- Penetration-test your application, use secure coding practices, and use static and dynamic application security testing solutions.
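The second and third takeaways (identify and track third parties, then periodically review them to remove unused ones and revoke access) can be turned into a repeatable check. The following Python script is an added example, not code from the CSA report or this blog: it parses a constructed inventory export (the column layout, vendor names, permission labels and the 90-day idle threshold are all assumptions) and produces a per-resource action list for the review.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory export (not real vendors). The schema
# (name, kind, semicolon-separated permissions, last_used date) is assumed.
INVENTORY_CSV = """name,kind,permissions,last_used
analytics-saas,saas,read:customer_pii,2022-10-20
legacy-exporter,vendor,read:customer_pii;write:storage;admin:iam,2022-01-05
logging-lib,open_source,,2022-10-29
old-backup-svc,managed_service,write:storage,2021-06-01
"""

# Date the review is run (constructed, matches the post's publication date).
REVIEW_DATE = date(2022, 10, 30)

# Permissions that should require a documented business justification
# (assumed taxonomy; adapt to your own IAM labels).
HIGH_RISK = {"admin:iam", "read:customer_pii"}


@dataclass
class ThirdParty:
    name: str
    kind: str            # saas, open_source, managed_service, vendor, ...
    permissions: set     # permissions granted to this party in our environment
    last_used: date      # last observed use (from logs, billing, or access records)


def load_inventory(text):
    """Parse the CSV export into ThirdParty records; empty permission cells mean none."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        perms = {p for p in row["permissions"].split(";") if p}
        records.append(ThirdParty(row["name"], row["kind"], perms,
                                  date.fromisoformat(row["last_used"])))
    return records


def stale_resources(inventory, review_date, max_idle_days=90):
    """Names of parties not used within max_idle_days: candidates for removal or revocation."""
    cutoff = review_date - timedelta(days=max_idle_days)
    return sorted(tp.name for tp in inventory if tp.last_used < cutoff)


def overprivileged(inventory):
    """Map name -> sorted high-risk permissions for every party that holds any."""
    findings = {}
    for tp in inventory:
        risky = tp.permissions & HIGH_RISK
        if risky:
            findings[tp.name] = sorted(risky)
    return findings


def review_actions(inventory, review_date, max_idle_days=90):
    """Combine both checks into a per-resource list of actions for the periodic review."""
    actions = {}
    for name in stale_resources(inventory, review_date, max_idle_days):
        actions.setdefault(name, []).append("unused: remove, or revoke its access")
    for name, perms in overprivileged(inventory).items():
        actions.setdefault(name, []).append(
            "high-risk permissions need a justification: " + ", ".join(perms))
    return actions


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for name, items in sorted(review_actions(inventory, REVIEW_DATE).items()):
        for item in items:
            print(f"{name}: {item}")
```

Running the script on the constructed data flags the two parties that have not been used in over 90 days and the two that hold high-risk permissions; a real deployment would feed it the inventory exported from your procurement or IAM system and run it on a schedule, so that a vendor left with standing access to sensitive data does not stay unnoticed for years.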
Example
From May 2019 until August 2021, the Volkswagen Group suffered from a data breach caused by one of its vendors, who left a storage service unprotected for almost two years. The breached data included Personally Identifiable Information (PII) and more sensitive financial data involving 3.3 million customers.
Learn more about this threat and the other 10 top threats in our Top Threats to Cloud Computing Pandemic Eleven publication.