What happens in the cloud?
Open source is the Achilles' heel of the software supply chain
From the SolarWinds software supply chain attack to the disclosed Apache Log4j vulnerability (Log4Shell), threat actors are increasingly targeting critical vulnerabilities in both cloud providers and the supply chain. At the same time, enterprises are increasingly reliant on cloud computing platforms: 35 percent of all companies run more than 50 percent of their workloads on Microsoft Azure, AWS and Google Cloud. The problem: many of them struggle to secure their infrastructure consistently across multiple cloud platforms. They also have to cope with the skills shortage, and, on top of that, the number of cloud security incidents has increased by ten percent year-on-year, because cybercriminals have moved their supply chain attacks to the cloud as well.
NotPetya
Currently, the greatest risk to the enterprise supply chain comes from open source software. The open source community provides many modules and packages that are used around the world, including by companies within the supply chain. The problem is not that open source is inherently insecure, but that its security depends on the maintainers behind each package, many of whom are individuals who lack the time, expertise or budget to keep it secure.
This creates a gap in the security architecture, because imported open source packages pull in transitive dependencies that IT is simply not aware of: a team reviews the ten packages it chose and never sees the hundreds they depend on. NotPetya illustrates the same blind spot with a trusted third-party component. In June 2017 the wiper, built on the Petya ransomware family, was delivered through a compromised update of M.E.Doc, a widely used Ukrainian tax accounting package (proprietary software, not open source, but the lesson carries over: its update channel was trusted and nobody scrutinized it). Once inside a network it spread laterally using the EternalBlue SMB exploit and harvested credentials to reach machines that were already patched. As a result, it spread like wildfire, causing chaos in Ukraine as well as several major countries, including the UK, France, Germany, Russia and the US. The ubiquity of shared software components means it can be difficult for companies to find out whether they or their suppliers are vulnerable to attack. This makes supply chains an attractive target for cybercriminals because they know that by penetrating one system, they can quickly access many more.
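The transitive-dependency blind spot described above can be made concrete. The following script is an added example, not code from the original article: it walks a constructed lock-file-style dependency graph, lists every package reachable from the application (with its depth, so direct and indirect dependencies are told apart), and matches each against a constructed advisory list. The package names, versions and advisories are invented for illustration; in practice the graph would come from a real lock file or SBOM and the advisories from a vulnerability database.

```python
"""Surface transitive dependencies and match them against advisories.

Added example, not part of the original article. LOCKFILE and ADVISORIES
are constructed data standing in for a real lock file and a real
vulnerability feed.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed lock file: package -> (pinned version, declared dependencies).
LOCKFILE: Dict[str, Tuple[str, List[str]]] = {
    "app":               ("1.0.0",  ["web-framework", "report-builder"]),
    "web-framework":     ("4.2.0",  ["http-parser", "template-engine"]),
    "report-builder":    ("2.1.3",  ["pdf-lib", "logging-shim"]),
    "template-engine":   ("3.0.1",  []),
    "http-parser":       ("0.9.7",  []),
    "pdf-lib":           ("1.4.0",  ["compression-utils"]),
    "logging-shim":      ("2.14.1", []),
    "compression-utils": ("1.0.2",  []),
}

# Constructed advisory feed: package -> set of affected versions.
ADVISORIES: Dict[str, Set[str]] = {
    "logging-shim": {"2.14.1"},
    "compression-utils": {"1.0.2"},
}

UNPINNED = "unpinned"  # marker for a dependency the lock file does not pin


def transitive_dependencies(root: str, lockfile: Dict[str, Tuple[str, List[str]]]
                            ) -> Dict[str, Tuple[str, int]]:
    """Breadth-first walk from root.

    Returns {package: (version, depth)} for every reachable package other
    than root; depth 1 is a direct dependency. Cycles are tolerated via the
    visited set, and a dependency missing from the lock file is reported as
    UNPINNED rather than silently skipped.
    """
    seen: Dict[str, Tuple[str, int]] = {}
    queue = deque([(root, 0)])
    while queue:
        name, depth = queue.popleft()
        _, deps = lockfile.get(name, (UNPINNED, []))
        for dep in deps:
            if dep in seen or dep == root:
                continue
            version = lockfile.get(dep, (UNPINNED, []))[0]
            seen[dep] = (version, depth + 1)
            queue.append((dep, depth + 1))
    return seen


def affected_packages(root: str,
                      lockfile: Dict[str, Tuple[str, List[str]]],
                      advisories: Dict[str, Set[str]]
                      ) -> List[Tuple[str, str, int]]:
    """Return [(package, version, depth)] for reachable packages whose pinned
    version appears in the advisory feed, shallowest first."""
    hits = []
    for name, (version, depth) in transitive_dependencies(root, lockfile).items():
        if version in advisories.get(name, set()):
            hits.append((name, version, depth))
    return sorted(hits, key=lambda h: (h[2], h[0]))


if __name__ == "__main__":
    deps = transitive_dependencies("app", LOCKFILE)
    direct = sorted(n for n, (_, d) in deps.items() if d == 1)
    print(f"direct dependencies ({len(direct)}): {direct}")
    print(f"all reachable dependencies: {len(deps)}")
    for name, version, depth in affected_packages("app", LOCKFILE, ADVISORIES):
        print(f"ADVISORY: {name}=={version} (depth {depth})")
```

Both affected packages in the sample sit at depth 2 and 3, i.e. neither was chosen by the application team, which is exactly the case a review of declared dependencies misses. Reporting unpinned dependencies instead of dropping them matters too: a package the lock file does not pin is one whose version can change under you on the next build.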
DevSecOps
All cloud platforms have vulnerabilities, no matter which provider is chosen. IT managers can do their research and draw on the best experts in the industry, but they cannot control the security of the chosen provider's platform end to end. Still, companies can take the following to heart to protect themselves. Enterprises tend to build security as a single checkpoint, and attackers will try to circumvent it. A security implementation that assumes the first layer can fail, and enforces multiple independent layers (network segmentation, least-privilege identities, monitoring), has a far better chance of surviving a sophisticated attack. To keep the virtual doors to their network firmly shut, organizations should automate DevSecOps: dependency and container scanning, infrastructure-as-code checks and secret detection run on every change in the pipeline rather than in a periodic manual review. This ensures that security controls are applied continuously and in line with other business objectives.