Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion
‎07-18-2023 04:47 PM
‎07-18-2023 04:47 PM

Google Cloud Build bug lets hackers launch supply chain attack

Hi All

 

An interesting issue with Google Cloud, which is only partially fixed at the present time.  There is a design issue, which assists supply chain attacks.

 

https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-cha...

 

Regards

 

Caute_Cautim

Reply
0 Kudos
2 Replies
denbesten
Community Champion
‎07-18-2023 06:03 PM
‎07-18-2023 06:03 PM

Once again, this plays into the theory that SAAS is a double-edged sword.  On one hand it exposes a larger attack surface than a hosted app behind a VPN.  But it also reduces the risk caused by not keeping up with vendor patches.

 

 

Reply
0 Kudos
Caute_cautim
Community Champion
‎07-18-2023 06:20 PM
‎07-18-2023 06:20 PM

@denbesten    I agree, even the clients have a duty of care and due diligence even the NIST SP800-53 R5 points this out, but I wonder how many have actually assessed their Cloud Providers and actually asked for proof they are being maintained other than through SOC Level 1, 2 Reports? 

 

Which as the auditors state, allowing the Cloud Providers to audit themselves every 12 months for the SOC 1, 2 reports cannot be objective.  These assessments need to be completed independently by another third party, with independent reporting conducted etc.

 

Regards

 

Caute_Cautim

Reply
0 Kudos