Cloud services offer several security advantages for organizations. Yet, despite years of warnings, cloud app developers are still making the same mistakes and opening organizations to serious risks, according to a vendor report.
The report, released Monday by Accurics*, says development teams are still tripping over well-known misconfigurations such as insecure storage buckets, hardcoded passwords and exposed networking. “There seems to be a lack of awareness around the impact of default configurations and security groups, increasing the chance of accidental leaks or exposures,” the report states.
Violations of security policies and configuration drift affecting core networking components like load balancers, gateways and routing take the longest to remediate when they should be fixed the fastest, it adds. Instead of fixing violations and drifts in pre-production environments, teams have to go after them in production systems.
“Security teams need to assert a claim over the security architecture of the development process in order to protect the organization from risks that target the development process and supply chain,” the report explains.
Accurics, which sells solutions that mitigate development risks, came to its conclusions by analyzing hundreds of cloud-native infrastructure deployments across its user base.
The Accurics report points out that the SolarWinds Orion hack highlighted some of the issues related to insecure application development. Attackers accessed and modified Orion source code to insert malware as if it were code committed by an authorized developer. It was compiled into the application and delivered as an officially signed binary update to SolarWinds users.
Of all of the violations identified in the research, 22.5 per cent correspond to poorly configured managed services offerings. “The vast majority of these violations are due to the use of default security profiles or configurations that provide excessive permissions. Default configurations for managed services are often designed to make it easier for developers to get started with a service — meaning that they favour more permissive, rather than more restrictive, access. By using these defaults in normal use, organizations are making it easier for attackers to discover their services, read their data, and potentially modify things.”
Another problem area is cloud-based identity and access management (IAM), which has recently become popular. More than a third (35.3 per cent) of the IAM drifts detected in the report originated in infrastructure-as-code. Microsoft defines IaC as the management of infrastructure (networks, virtual machines, load balancers, and connection topology) in a descriptive model, using the same versioning that DevOps teams use for source code.
The 2020 hack of cloud communications platform Twilio was a recent example of development configuration drift. While the AWS S3 bucket was configured correctly when it was added to their environment in 2015, the configuration was changed five months later to fix a problem and not properly reset once the issue was fixed. This drift went undetected and unaddressed until it was exploited last year.
These issues are serious because of the time it can take to detect and fix them. The report also notes the average time to fix infrastructure misconfigurations in its study group was about 25 days. Misconfigurations in load balancer services required over 149 days.
The report’s recommendations for reducing a company’s exposure to cyberattacks through the development pipeline include:
- As the organization adopts managed services, especially in the development process, ensure they understand the security implications. Adopt security by default approaches such as secure registries and verified base configurations to minimize the opportunity for error. Focus on improving communications between development, security and operations teams.
- Make it a priority to proactively audit the runtime environment for inappropriately accessible resources. Maintain good data hygiene between production and pre-production environments. Pay special attention to the security architecture of your SDLC components. Ensure security teams are involved in or at least consulted before changes to the development toolset.
- If you aren’t already, start leveraging Infrastructure as Code to improve repeatability, consistency and speed of the provisioning process.
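The two failure modes the report describes, permissive defaults and hardcoded secrets declared in IaC, and configuration drift of the Twilio kind where runtime state silently diverges from what was declared, can both be caught mechanically. The script below is an added illustration written for this article, not code from Accurics or from the report. It assumes that the IaC definitions and the live cloud state have already been parsed into plain dictionaries (the resource names, attribute keys and the `${...}` convention for variable references are constructed stand-ins for what a Terraform or CloudFormation parser would produce); it then runs a small policy check over the declared state and a drift comparison against the observed state.

```python
"""Illustrative IaC policy check and drift detection (added example, not from the report)."""
from typing import Dict, List, Tuple

# Constructed sample: the state an IaC file declares. Resource names and
# attribute keys are hypothetical simplifications of a parsed Terraform plan.
DECLARED: Dict[str, dict] = {
    "s3_bucket/customer_exports": {"acl": "private", "versioning": True},
    "security_group/web": {
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},   # public HTTPS is intended
            {"port": 22, "cidr": "10.0.0.0/8"},   # SSH only from the corporate range
        ]
    },
    "db_instance/orders": {"password": "hunter2", "publicly_accessible": False},
}

# Constructed sample: what the cloud provider's API reports right now. The bucket
# ACL and the SSH rule were changed out of band, i.e. they have drifted.
OBSERVED: Dict[str, dict] = {
    "s3_bucket/customer_exports": {"acl": "public-read", "versioning": True},
    "security_group/web": {
        "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},
        ]
    },
    "db_instance/orders": {"password": "hunter2", "publicly_accessible": False},
}

ADMIN_PORTS = {22, 3389}                      # remote-administration ports
SECRET_KEYS = {"password", "secret", "token"}  # attribute names that must never be literals
WORLD = "0.0.0.0/0"

Finding = Tuple[str, str]  # (resource name, human-readable description)


def policy_violations(resources: Dict[str, dict]) -> List[Finding]:
    """Flag the well-known misconfigurations named in the report: non-private
    buckets, admin ports open to the world, and secrets written as literals."""
    findings: List[Finding] = []
    for name, attrs in resources.items():
        kind = name.split("/")[0]
        if kind == "s3_bucket" and attrs.get("acl", "private") != "private":
            findings.append((name, f"bucket ACL is {attrs['acl']}, expected private"))
        if kind == "security_group":
            for rule in attrs.get("ingress", []):
                if rule["cidr"] == WORLD and rule["port"] in ADMIN_PORTS:
                    findings.append((name, f"port {rule['port']} open to the world"))
        for key, value in attrs.items():
            # A value like "${var.db_password}" is a reference, not a literal secret.
            if key in SECRET_KEYS and isinstance(value, str) and not value.startswith("${"):
                findings.append((name, f"hardcoded secret in attribute {key!r}"))
    return findings


def drift(declared: Dict[str, dict], observed: Dict[str, dict]) -> List[Finding]:
    """Compare declared state with observed state attribute by attribute.
    Reports changed attributes, declared resources that vanished, and
    resources present at runtime that no IaC definition manages."""
    findings: List[Finding] = []
    for name, want in declared.items():
        have = observed.get(name)
        if have is None:
            findings.append((name, "declared resource missing at runtime"))
            continue
        for key, want_value in want.items():
            if have.get(key) != want_value:
                findings.append(
                    (name, f"{key}: declared {want_value!r}, observed {have.get(key)!r}")
                )
    for name in observed:
        if name not in declared:
            findings.append((name, "unmanaged resource present at runtime"))
    return findings


if __name__ == "__main__":
    print("Policy violations in declared IaC:")
    for resource, msg in policy_violations(DECLARED):
        print(f"  {resource}: {msg}")
    print("Drift between declared and observed state:")
    for resource, msg in drift(DECLARED, OBSERVED):
        print(f"  {resource}: {msg}")
```

Run against the constructed samples, the policy pass on the declared state reports only the hardcoded database password (the code as written is clean apart from that), while the drift pass reports the bucket ACL and the security group ingress list, which is exactly the kind of change that the report says is detected in production long after it was made. Running the same policy check over the observed state surfaces all three problems, which is why the report recommends auditing the runtime environment and not just the repository.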