https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60941#M329 <P>Hi All</P><P>&nbsp;</P><P>An interesting issue with Google Cloud, which is only partially fixed at the present time.&nbsp; There is a design issue, which assists supply chain attacks.</P><P>&nbsp;</P><P><A href="https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/" target="_blank">https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:38:34 GMT Caute_cautim 2023-10-09T10:38:34Z https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60941#M329 <P>Hi All</P><P>&nbsp;</P><P>An interesting issue with Google Cloud, which is only partially fixed at the present time.&nbsp; There is a design issue, which assists supply chain attacks.</P><P>&nbsp;</P><P><A href="https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/" target="_blank">https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:38:34 GMT https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60941#M329 Caute_cautim 2023-10-09T10:38:34Z https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60944#M330 <P>Once again, this plays into the theory that SAAS is a double-edged sword.&nbsp; On one hand it exposes a larger attack surface than a hosted app behind a VPN.&nbsp; But it also reduces the risk caused by not keeping up with vendor patches.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 18 Jul 2023 22:03:52 GMT https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60944#M330 denbesten 2023-07-18T22:03:52Z https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60946#M331 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>&nbsp;&nbsp;&nbsp; I agree, even the clients have a duty of care and due diligence even the NIST SP800-53 R5 points this out, but I wonder how many have actually assessed their Cloud Providers and actually asked for proof they are being maintained other than through SOC Level 1, 2 Reports?&nbsp;</P><P>&nbsp;</P><P>Which as the auditors state, allowing the Cloud Providers to audit themselves every 12 months for the SOC 1, 2 reports cannot be objective.&nbsp; These assessments need to be completed independently by another third party, with independent reporting conducted etc.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Tue, 18 Jul 2023 22:20:33 GMT https://community.isc2.org/t5/Cloud-Security/Google-Cloud-Build-bug-lets-hackers-launch-supply-chain-attack/m-p/60946#M331 Caute_cautim 2023-07-18T22:20:33Z