Organizations neglect DevOps security in latest Cloud Threat Report

Today, Unit 42 (the Palo Alto Networks Security Consulting Group) released new research that illustrates how supply chain security in the cloud continues its growth as an emerging threat.
Today, Unit 42 (the Palo Alto Networks Security Consulting Group) released new research that illustrates how supply chain security in the cloud continues its growth as an emerging threat.

High-profile software supply chain attacks such as SolarWinds and Kaseya VSA have shed a glaring light on the disparity between organizations’ perceptions of security within their cloud infrastructure, and the reality of threats in their supply chains that can impact business catastrophically.

In the Unit 42 Cloud Threat Report, 2H 2021, Unit 42’s researchers dive deep into the full scope of supply chain attacks in the cloud and explain often misunderstood details about how they occur. It also provides actionable recommendations any organization can adopt immediately to begin protecting their software supply chains in the cloud.

Key Findings

Poor supply chain hygiene impacts cloud infrastructure

The customer whose development environment was tested in the red team exercise has what most would consider a mature cloud security posture. However, their development environment contained several critical misconfigurations and vulnerabilities, enabling the Unit 42 team to take over the customer’s cloud infrastructure in a matter of days.

Third-party code = secure code

In most supply chain attacks, an attacker compromises a vendor and inserts malicious code in software used by customers. Cloud infrastructure can fall prey to a similar approach in which unvetted third-party code could introduce security flaws and give attackers access to sensitive data in the cloud environment. Additionally, unless organizations verify sources, third-party code can come from anyone, including an Advanced Persistent Threat (APT).

Cloud, Cloud, Organizations neglect DevOps security in latest Cloud Threat Report
Figure 1. As an example of the prevalence of misconfigurations, Unit 42 researchers analyzed public Terraform modules by number of misconfigurations (left) and types of misconfigurations and their percentages (right). Source: Unit 42 Cloud Threat Report, 2H 2021.
Organizations need to shift security left

Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud-native applications have a long chain of dependencies, and those dependencies have dependencies of their own. DevOps and security teams need to gain visibility into the bill of materials in every cloud workload to evaluate risk at every stage of the dependency chain and establish guardrails.

Secure your software supply chain in the cloud

While the report provides key knowledge about software supply chain attacks themselves, the main focus is on how you can protect your organization from this growing threat starting immediately.


Unit 42 analyzed data from a variety of public data sources worldwide to draw conclusions about the growing threats organizations face today in their software supply chains.


In addition to analyzing data, a large SaaS provider (a customer of Palo Alto Networks) commissioned its researchers to run a red team exercise against its software development environment. In three days, a single Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

How to move from CIO to Chief Customer Success Officer

Amber Donovan-Stevens • 21st October 2021

Dean Leung, Chief Customer Success Officer at iManage, reflects on his own path shifting from CIO to Chief Customer Success Officer (CCSO) and discusses both the similarities and differences of the two roles, and why it can be a natural progression when approached with the proper mindset.

The importance of edtech in the early years sector

Amber Donovan-Stevens • 18th October 2021

Technology has become an operational mainstay across a multitude of industries – helping businesses, education establishments, governments, and charities to streamline their processes and enhance communications. When it comes to the early years education sector, this is no different. Chris Reid, CEO and founder of Connect Childcare, shares his thoughts on the intrinsic link between...

A deep dive into the Scaled Agile Framework

Jeff Keyes • 14th October 2021

The Scaled Agile Framework (SAFe) was designed to help large organizations successfully adopt agile methodologies. In this article Jeff Keyes, VP of Product Marketing and Strategy at Plutora, discusses the four core values of this approach, and how and why businesses are using the SAFe framework to improve agility in software development.

How click fraud has worsened in the wake of Covid-19

Amber Donovan-Stevens • 05th October 2021

Stewart Boutcher, CTO and Data Lead at Beacon, examines how click fraud – which was already a serious threat to companies engaged in digital marketing prior to the pandemic – has worsened considerably in its wake. He seeks to provide a forecast on how the situation is likely to evolve overtime, and advice on what...

Join our webinar on 26th October: Intelligent Automation - Maintaining the competitive edge.