Cloud-based managed services as well as infrastructure-as-code (IaC) practices are increasingly popular among application developers for the efficiencies they create. But if dev teams are not careful, experts warn, they could be maliciously exploited to perpetrate watering-hole and supply chain attacks like the one that impacted SolarWinds.

These warnings underscore the growing importance of shifting security left – a DevSecOps philosophy that encourages testing for flaws and vulnerabilities earlier in an app’s development lifecycle. Even then, developers will want to consider baking security policies and bug remediation into their pipeline, and take advantage of tools that provide visibility across the entire development process.

“The entire way we perform security in a development environment needs to be rethought. security in this new paradigm requires an understanding of the entire development process, from design to code to cloud,” said Idan Plotnik, co-founder and CEO of Apiiro.

Following an analysis of hundreds of cloud native infrastructure deployments, researchers from Accurics last week published their Cloud Cyber Resilience Report, which notes a growing trend of developers boosting productivity through cloud-hosted managed infrastructure, such as hosted continuous integration and delivery services, or CI/CD, messaging services and serverless computing (aka function-as-a-service or FaaS).

But delegating portions of your development pipeline to these cloud services also creates third-party risk, especially when the cloud service provider (CSP) commits unsafe practices such as misconfiguration errors. Indeed, Accurics found that 22.5 percent of violations of security policy best practices involved insecure managed services configurations.

“We see a reliance on using default security profiles and configurations, along with excessive permissions,” said Om Moolchandani, Accurics co-founder, chief technology officer and chief information security officer in a released statement. “Messaging services and FaaS are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we’ll start seeing more breaches through insecure configurations around these services.”

For instance, if attackers were able to compromise a FaaS service, they could directly view – or even modify – the workings of the app, the report notes. And when those services are used to actually build your app, those risks are multiplied.

The study also found that the mean time to repair (MTTR) security policy violations that took place during production were remediated in just five days, but violations that occurred during the pre-production stage required more than 51 days to remediate.

That's alarming, the report notes, when you consider that services such as CI/CD pipelines, and often serverless computing, constitute integral parts of the development process and by definition exist in pre-production. It suggests that organizations may not recognize the risk that managed services in pre-production represent.

Accurics also noted that developers compound risk further when they leverage IaC to provision and run pipeline resources in automated fashion. Indeed, if a bad actor is able to compromise the pipeline via IaC, then any malicious changes the adversary makes to the source code will automatically be delivered into the production environment. This creates an opportunity to pull off an attack similar to the SolarWinds incident, whereby attackers were able to secretly modify the company’s Orion software and insert malware code as if it were committed by an actual developer before being installed by thousands of user organization as part of a regular software update.

Penetration testing toolkits are starting to include reconnaissance capabilities that help testers detect weaknesses and exposures in these managed services, the report states. That suggests that attackers either already are, or will soon be, targeting these weaknesses.

"Watering hole and supply chain attacks are very lucrative targets for cybercriminals,” said Maty Siman, founder and CTO of Checkmarx. “For one, usually, the compiled software is trusted by both the customers and the users. The customers then give high permissions out, as it is signed/approved by the vendor, and users provide the software with all of their sensitive information."

“In the past, carrying out these types of attacks required sophisticated capabilities,” Siman continued, “often to the extent of nation-state level sophistication, such as the case with NotPetya in 2017 where nation-state hackers modified the code of popular Ukrainian accounting software” to distribute a disk wiper program disguised as ransomware.

The report’s authors and outside experts had recommendations for how to address some of these risks of cloud-based app development.

Ideally, security should be incorporated as early into the development cycle as possible, including pre-production. Meaning: “As organizations perform more development tasks in the cloud, it becomes critical to shift security left and embed security in the development process itself,” the Accurics report stated.

Much of the onus for baking security into app development now falls on the developers themselves. “It is no longer the responsibility of someone else,” said Siman. "That responsibility has gradually shifted… from IT, to DevOps, to developers. Securing the development pipeline... is a new skill developers need to learn."

Among the key lessons today’s developers must come to understand: "Modern-day best practices for secure development, such as code scanning and real-time AppSec education, should be applied not only to the delivered software but also to the code that defines the pipeline,” said Siman. In other words, this means ensuring the security of your infrastructure, including infrastructure-as-code.

To ease the burden on development teams, DevSecOps leaders can help automate the security of IaC through policy as code – the practice of codifying security policy checks in the early stages of the development cycle. They also may wish to seek out solutions that can automate the remediation of these policy violations, and detect risky or suspicious new changes to the infrastructure.

According to the Accurics report, such solutions can “provide guardrails that help you enforce baseline security policies at build time and runtime,” as well as “reduce MTTR in both production and pre-production, and minimize attackers’ window of opportunity.”

“When everything is code, we can better automate our visibility, understanding, and prevention of misconfigurations and malicious changes,” said Plotnik. This is true for cloud storage buckets and it will be just as true for FaaS.”

But securing IaC is still not enough: “You need to take a new approach,” Plotnik continued. “Only by looking across application code, infrastructure-as-code [and] open-source code risks – together with developer experience, security controls in production and business impact – can you defend against advanced attacks like the one that targeted SolarWinds.”