Exclusive interview with Mr. Piyush Sharma, VP of Engineering, Tenable

Here’s the interview snippet from the interaction with Mr. Piyush Sharma, VP of Engineering, Tenable


Khushagra: What are the attack vectors cybercriminals leverage in cloud apps to target enterprise networks and obtain sensitive business data?

Piyush: Cloud apps provide a fertile entry point for attackers as they’re designed to be accessible over public internet. Many modern cloud apps are now being built with cyber resilience in mind, but they too can suffer from different types of insecurities, vulnerabilities and misconfigurations. These risks can allow attackers to gain access to the cloud network and access critical business data.

Cybercriminals are increasingly leveraging API and supply chain risks. Modern cloud applications most often integrate with several third-party APIs for purposes like notifications, monitoring, data aggregation, and security analytics. Vulnerabilities in third-party APIs can inadvertently introduce vulnerabilities into an organization’s cloud app. Because of this, APIs are also increasingly being targeted by criminals — they’re a relatively easier target.

Khushagra: Can container environments be exploited to compromise software supply chains? If so, how?

Piyush: Cybercriminals are constantly researching to find new vulnerabilities in web interfaces and cloud apps. Since some of these applications are used as third-party components for building cloud apps, security teams don’t have control over the vulnerabilities introduced into the cloud. These vulnerabilities have been proven to aid attackers in expanding their blast radius as vulnerabilities in the third-party dependencies allow them to get into the entire organization’s cloud.

Many cloud apps use open source and web 2.0 technologies as interfaces such as REST API, HTML5, JavaScript, JSON, and others. Cloud apps built using these technologies require secure coding practices for development — otherwise, such cloud apps can suffer from OWASP top 10 vulnerabilities, such as SSRF (server-side request forgery). In cyberattacks that occurred in 2021, an apparent trend of exploiting SSRF vulnerabilities was noticed and criminals seem to be increasingly focused on attacking the supply chain rather than directly targeting end-users, seeking leverage to amplify the reach of their attacks.

Khushagra: How can software supply chains be made more secure with IaC security?

Piyush: Traditionally, security for the cloud was a process that was implemented at the end of the build process. Considering that security checks for cloud apps happen at runtime, it’s too late to detect and remediate an attack. The dramatic increase in cyberattacks in 2021 is a reminder of why organizations need to establish Infrastructure-as-Code as a baseline for DevOps and security teams and improve collaboration to ensure DevOps satisfies security requirements. Although it can be challenging for developers to identify and mitigate vulnerabilities at the time of writing code, security tools that are compatible with their workflows, which can automatically detect and resolve vulnerabilities introduced in their build pipelines, can go a long way in making cloud apps secure by design.

Khushagra: What are the risks of using third-party open-source libraries during the software development lifecycle? How can this be mitigated?

Piyush: Most cloud apps that organizations use contain code that is using open-source libraries. Vulnerabilities and cloud misconfigurations in these third-party dependencies are a significant security risk. If the code taken from open-source libraries has a vulnerability, then organizations using the code will become vulnerable to attacks.

The primary reason why cybercriminals look for vulnerabilities in third-party dependencies is because security teams have very little control over vulnerabilities that exist in application source code. Vulnerabilities are introduced and ultimately removed by developers by implementing code changes. Once security teams find vulnerabilities that need to be remediated, they must go through a long-drawn process of convincing a developer that it really is a vulnerability and that it really needs to be fixed immediately. After this comes the process of determining the best way to fix it as most developers are not cybersecurity experts.

With security-as-code, security can be embedded into DevOps tools and workflows by mapping out what changes occur in the code and infrastructure and finding places to add security checks and tests. DevOps teams can also use SaC tools to enforce compliance throughout the development process, eliminating all meaningful security risks before cloud apps are deployed. These apps could also be used to enforce security at runtime as well.

Khushagra: Most organizations are using legacy cloud security tools. What must organizations consider while choosing technologies to secure their cloud environments?

Piyush: Cloud environments are ever evolving, which also means that misconfigurations can occur frequently. Prioritizing risk remediation based on severity becomes critical in the cloud. This is perhaps why legacy cloud security tools do not work as they do not function at the speed of the cloud. Organizations need CSPM solutions that can detect misconfigurations during development, so a more secure posture is maintained during runtime.

CSPM tools need to support both the developer and the security workflows during development and runtime. The only way to achieve true cyber resilience is for cloud-native infrastructure to heal itself by codifying security throughout the development lifecycle. In cloud environments, Infrastructure as Code (IaC) needs to be secure before deployment. Organizations need IaC tools that automatically generate the code to remediate risks so developers can simply mitigate them while writing the code. This developer-first approach allows organizations to fix vulnerabilities quickly without worrying about them at runtime. These tools can help organizations understand security risks and drive next-generation capabilities towards advanced security threat modeling. CSPM tools make security a proactive measure rather than a reactive one.