Caute_cautim
Community Champion

Google Cloud Build bug lets hackers launch supply chain attack

Hi All

An interesting issue with Google Cloud, which is only partially fixed at the present time. There is a design issue which assists supply chain attacks.

https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-cha...

Regards

Caute_Cautim

2 Replies
denbesten
Community Champion

Once again, this plays into the theory that SaaS is a double-edged sword. On one hand it exposes a larger attack surface than a hosted app behind a VPN. But it also reduces the risk caused by not keeping up with vendor patches.

Caute_cautim
Community Champion

@denbesten I agree; even the clients have a duty of care and due diligence, and even NIST SP800-53 R5 points this out, but I wonder how many have actually assessed their Cloud Providers and actually asked for proof they are being maintained other than through SOC Level 1, 2 Reports?

As the auditors state, allowing the Cloud Providers to audit themselves every 12 months for the SOC 1, 2 reports cannot be objective. These assessments need to be completed independently by another third party, with independent reporting conducted, etc.

Regards

Caute_Cautim