Researchers on Tuesday reported that 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities and that 63% of third-party code templates used in building cloud infrastructure have insecure configurations.
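The two findings above, vulnerable container images and insecurely configured infrastructure templates, are the kind of thing a small linter can catch before a template is ever applied. The following checker is an added example and is not Unit 42's tooling or code from the research; the article does not list which misconfigurations were found, so the checks it implements (unpinned or `latest` image tags, privileged containers, missing `runAsNonRoot`, privilege escalation left enabled, `hostNetwork`, and absent resource limits) are assumed, commonly cited Kubernetes hardening checks. The two Pod manifests are constructed inline so the script runs offline; the image digest in the hardened manifest is a placeholder, not a real digest.

```python
"""Lint the container specs of a Kubernetes Pod manifest for common insecure defaults.

Added example, not from the original article or from Unit 42. The checks below are
assumed, generic hardening checks; the manifests are constructed sample input.
"""
from typing import Any


def image_is_unpinned(image: str) -> bool:
    """True if the image reference has no tag, uses :latest, and is not digest-pinned."""
    if "@sha256:" in image:
        return False  # digest pin: immutable, cannot silently change
    # Drop any registry host:port prefix before looking for a tag.
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return True  # no tag at all means an implicit, mutable :latest
    return name.rsplit(":", 1)[1] == "latest"


def lint_container(container: dict[str, Any]) -> list[str]:
    """Return one finding string per insecure setting in a single container spec."""
    findings: list[str] = []
    name = container.get("name", "<unnamed>")
    image = container.get("image", "")
    sc = container.get("securityContext", {})
    if image_is_unpinned(image):
        findings.append(f"{name}: image '{image}' is not pinned to a tag or digest")
    if sc.get("privileged"):
        findings.append(f"{name}: container runs privileged")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not set; container may run as root")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    if "limits" not in container.get("resources", {}):
        findings.append(f"{name}: no resource limits declared")
    return findings


def lint_pod(manifest: dict[str, Any]) -> list[str]:
    """Lint pod-level settings plus every container in the Pod spec."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork enabled; container shares the node's network namespace")
    for container in spec.get("containers", []):
        findings.extend(lint_container(container))
    return findings


# Constructed sample manifests (not from the article).
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {
                "name": "web",
                "image": "nginx:latest",
                "securityContext": {"privileged": True},
            }
        ],
    },
}

HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [
            {
                "name": "web",
                # Placeholder digest; a real manifest would carry the image's actual sha256.
                "image": "nginx:1.25.3@sha256:" + "0" * 64,
                "securityContext": {
                    "privileged": False,
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }
        ],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        found = lint_pod(pod)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run against the weak manifest the linter reports six findings; the hardened manifest reports none. A check like this belongs in the pipeline step that validates templates before they are applied, which is exactly where the 63% figure above suggests most teams are not looking.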
In a blog post, the Palo Alto Networks Unit 42 team said that in addition to analyzing data, Unit 42 researchers were hired by a large Palo Alto customer to run a red team exercise against their software development environment. In three days, a single Unit 42 researcher found critical software development flaws that left the customer vulnerable to attacks similar to the SolarWinds and Kaseya attacks.
“The customer whose development environment was tested in the red team exercise has what most would consider a mature cloud security posture,” said the Unit 42 researchers. “However, their development environment contained several critical misconfigurations and vulnerabilities, enabling the Unit 42 team to take over the customer’s cloud infrastructure in a matter of days.”
This Unit 42 research replaces anecdotes of incident responders with actual data on how common configuration issues and unpatched vulnerabilities are in the public software supply chain, said Jake Williams, co-founder and chief technology officer at BreachQuest.
“While we are used to working incidents where code and apps are built from Docker Hub images with pre-built security issues, they are usually missing patches and it’s not uncommon to find security misconfigurations in these images either,” Williams said. “This is a problem the security community has dealt with since the dawn of the public cloud. Previous research found that the vast majority of publicly-available Amazon Machine Images contained missing patches and/or configuration issues.”
John Bambenek, principal threat hunter at Netenrich, said every piece of software gets built on other pieces of software, usually with a copious amount of copying and pasting from Stack Overflow, a popular developer site.
“The problem is most software engineers think the job is done when they type ‘git commit,’” Bambenek said. “We need good tools that automatically patch committed code, push the rebuilt products to production, and then update the Docker containers. Microsoft realized tremendous security gains when they started having the operating system default to just applying patches automatically, so until we have similar for containers and other code projects, we’ll have the same security problems that plagued Microsoft in the 90s and turn of the century.”