Vulnerability management is a notoriously suffocating task. Cloud infrastructure, however, continues to place greater demands on an ever-overworked workforce. Servers no longer remain online for hours: instead, containers are redeployed every second. Rapid and economically-driven development cycles have pushed modern, cloud-deployed applications further away from secure building practices. It’s now imperative to protect cloud-native applications via a comprehensive, cloud-focused security solution.
Table Of Contents
Vulnerability Management is an Endless Task
There’s an ugly truth facing today’s cybersecurity teams: the more pieces of software in production, the more vulnerability patches will clutter up DevSecs’ to-do list. 2021 saw a record-breaking number of bugs, with 18,378 reported throughout the year. This figure represents the fifth consecutive year of never-before-seen highs. However, the makeup of this immense quantity continues to shift. In 2021, for instance, high severity vulnerabilities saw a slight drop from the year before. Picking up the slack, medium and low-severity issues ballooned: one reason for this could be large scale ‘shift left’ practices being employed in developer teams, as more emphasis is placed on responsible coding.
However, many security professionals were surprised to see the study’s apparent decrease in high-severity flaws. Though the shift-left coding approach is no doubt effective in reducing these figures, there’s an equally powerful force pushing the other direction. The Covid-19 pandemic – alongside constant economic pressure – places many developers under the crushing weight of hyper-agile, rushed development cycles. Organizations also feel the brunt of this, as cloud journeys and digital transformations now become reliant on code that’s seen fewer QA cycles. More devs become reliant on legacy, third party, and open-source code, leading to higher and higher risk factors.
As vulnerabilities continue to roll in at staggering rates, one area continues to suffer the worst: the cloud.
The Cloud’s Invisible Blast Radius
In a background of record vulnerability numbers, the already-slow pace of patching paints an even more dire image: bugs are piling up faster than they can be fixed. This is one cause for the staggering increase in cloud vulnerabilities, which have experienced a sixfold increase over the same number of years. IBM’s security X-Force now recognises unpatched vulnerabilities as the most common Cloud entry point; within this, user permississions present the most common and effective attacks, allowing for tech stack compromise in 99% of pen tests.
Unmanageable permissions is a symptom of cloud’s wider issue: as scalable as cloud solutions may be, their rapid changes tend to create complex and unmappable tech stacks. Cloud security teams often spend more time mapping out the data blast radius of an attack, than actually combatting vulnerabilities and patching the software. Cloud-based attacks demand complex analysis of data locations; direct and derived identities; and anomalous user behavior. The drastically larger volume of data objects transform unpatched vulnerabilities into even greater engineering problems.
Microsoft Azure offers a suite of technologies for both aspiring and mature development teams. Their managed database service, Cosmos DB, had a new functionality added in 2019. The Jupyter notebook offered a new, user-friendly way to implement and store machine learning algorithms. Pushing Jupyter Notebooks for any developer or data scientist looking for advanced data visualization, Microsoft added Jupyter Notebooks to all Cosmos DB instances in February 2021.
However, unwittingly to Microsoft, Jupyter came packaged with a major privilege escalation vulnerability. A full technical analysis was never released, but the rough outline is as follows. In cloud computing, each customer has their own primary key – a unique identifier that each user account depends on. Jupyter’s exploit allowed researchers to gain access to the primary key not just of each customer’s Jupyter instance – but every Cosmos DB customer. Accessing this primary key on a Cosmos DB account is game over; it allows full read, write and delete permissions throughout that key’s database. The only pertinent information Microsoft gave prior to a patch release was that this vulnerability could be easily exploited, and potentially impacts thousands of organizations. This included numerous Fortune 500 companies.
While the Jupyter vulnerability was caught swiftly – before any in-the-wild cases were discovered, even – other cloud bugs have not been so patchable. API misconfigurations make up one of the largest weaknesses facing companies, and are directly a result of rushed app development. A single overly-verbose error message can leak custom signatures, server versions, and other information about the app or page’s underlying mechanisms. For an attacker that’s scouting out your organization, API-based error messages can provide a wealth of illicit info.
Protecting Cloud Applications
Vulnerability prioritization software may help in the battle between the ticking clock and the scale of modern vulnerabilities. By prioritizing the most severe issues, security teams can issue just-in-time patches to keep an environment secure. However, even with a competent prioritization process, the impact of a cloud exploit within its broader environment is essentially unmappable. A quality third-party security provider can aid in this mapping process, by automatically discovering and classifying the data traveling throughout your cloud applications.
APIs, one element of specific concern within cloud security, are churned out at even greater speeds than vulnerabilities. Manual security processes are totally outstripped. With machine learning, a future-proof security solution will focus on automated threat and change classification. Each change has its own threat and risk factors assessed, allowing for continuous security reevaluations that keep pace with development. This allows for a security team to keep pace with DevOps, while uncovering blind spots that previously could have crippled operations.
By prioritizing visibility and automation, your security solution can help efficiently prioritize and focus an overworked, rushed, or struggling security team. Modern security solutions embed protective elements into the vulnerable serverless functions, meaning even cutting-edge attack vectors can be thwarted.
