Cybersecurity service provider Palo Alto Networks recently revealed findings from its threat research team, Unit 42, that shed light on the disparity between an organization's perception of its security and the reality of the threats in its supply chain. This major disconnect poses great risk and can impact the business catastrophically.
The Unit 42 team analyzed data from a variety of sources around the world in order to draw conclusions about the growing threats organizations face today in their software supply chains. Their findings indicate that many organizations may have a false sense of security in the cloud and in reality are vastly unprepared for the threats they face.
In addition, a Palo Alto customer commissioned Unit 42 to perform a red team exercise against their software development environment. In three days, one Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack.
Despite the customer’s mature cloud security posture, Unit 42 was able to leverage misconfigurations in the organization’s software development environment, such as the presence of hardcoded IAM (Identity and Access Management) key pairs, a flaw that enables attackers to control development processes and conduct a successful supply chain attack.
The company’s third-party code templates also contained insecure configurations. With this level of risk, an attacker could easily gain access to sensitive data in the cloud and even take control of an organization’s software development environment.
Palo Alto recommends that organizations shift security left when dealing with supply chain threats—meaning software and system testing are performed earlier in the development lifecycle.
Furthermore, these organizations’ DevOps and Security teams must gain visibility into the bill of materials in every cloud workload so that they can evaluate risk at every stage of the dependency chain and establish guardrails.
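The two findings the article describes, hardcoded IAM key pairs in a development environment and insecure configurations in third-party templates, are both things a shift-left guardrail can catch before code is merged. The following is an added example written for this page, not code from Palo Alto Networks or Unit 42: a small pre-commit style scanner that flags AWS access key IDs and secret access keys in source text and flags IAM policy statements that allow every action on every resource. The only AWS facts it relies on are the public key formats (a 20-character access key ID starting with AKIA or ASIA, a 40-character secret key); the sample config and policy at the bottom are constructed inputs, using the placeholder credentials AWS publishes in its own documentation.

```python
"""Shift-left guardrail (added example): scan source files and IAM policy
documents for hardcoded AWS key pairs and over-permissive policy statements."""
import json
import re
import sys
from pathlib import Path

# Access key IDs are 20 chars: a 4-char prefix (AKIA = long-term, ASIA = temporary)
# followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars of base64-like text. Any 40-char token would
# be far too noisy, so (assumption about typical config style) we only flag one
# when the word "secret" appears shortly before it on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n]{0,40}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_text(text, source="<string>"):
    """Return (source, line_no, kind, value) tuples for every hardcoded key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws-access-key-id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws-secret-access-key", m.group(1)))
    return findings


def over_permissive_statements(policy):
    """Return the Allow statements of an IAM policy dict whose Action and
    Resource both contain the wildcard "*" (full control of the account)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    bad = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            bad.append(stmt)
    return bad


def scan_file(path):
    """Scan one file for both kinds of problem; returns a list of findings."""
    path = Path(path)
    text = path.read_text(errors="replace")
    findings = scan_text(text, str(path))
    if path.suffix == ".json":
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return findings
        if isinstance(doc, dict) and "Statement" in doc:
            for stmt in over_permissive_statements(doc):
                findings.append((str(path), 0, "iam-policy-allow-all", stmt.get("Sid", "<no Sid>")))
    return findings


def main(argv):
    """Pre-commit entry point: exit 1 if any file contains a finding."""
    findings = [f for p in argv for f in scan_file(p)]
    for src, line, kind, value in findings:
        print(f"{src}:{line}: {kind}: {value}")
    return 1 if findings else 0


# Constructed sample inputs. The credentials are the placeholder values AWS
# uses in its documentation, not real keys.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "BuildAgentAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE_CONFIG, "sample-config"):
        print(f)
    print([s["Sid"] for s in over_permissive_statements(SAMPLE_POLICY)])
```

Run it with file paths as arguments to use it as a commit hook (non-zero exit blocks the commit); with no arguments it scans the built-in samples. The secret-key rule is deliberately narrow to keep false positives low; a production guardrail would pair this pattern check with entropy scoring and with policy linting that also catches wildcards inside service prefixes such as `iam:*`.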