
Since this is a supply chain attack on software downloads, I think it's interesting to consider the implications for the security posture of a cloud-native organization. While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!), there are a few categories of attacks exclusive to onprem software deployments:

1. You misconfigure the onprem software, making it more insecure than the alternatives. This does not occur with SaaS products.

2. The software delivery system is tampered with, and you download and run malicious code on your systems with high privileges. If you don't run it, this can't happen.

Cloud deployments aren't obviously safer, but they have clear advantages unless you are willing to pay top people to work on and secure each onprem deployment full-time.

NB: I don't actually believe "the cloud" is fundamentally more or less secure than onprem deployments. Rather, I frequently hear people argue that a website being hacked - or the potential for it - justifies a movement to onprem, and I think this is (usually) false.



> While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!)

That's not a common recognition by any means. Cloud providers are more secure and spend more on infosec than any business managing their own tech & data centers. Pretending that the cloud provider being the point of entry is in the same ballpark of risk (or greater risk) is a strange talking point in 2020.


> 1. You misconfigure the onprem software, making it more insecure than the alternatives. This does not occur with SaaS products.

Misconfigured, insecure AWS configurations are a dime a dozen. Not sure this point tracks.


Things aren't black or white, but SaaS typically removes one layer of security (the corporate firewall). Misconfigurations are then typically exposed to the whole world.


Whilst not being a "cloud is someone else's computer" adherent, the notion SaaS products can't be misconfigured into opening up security holes not present / so serious in some on-prem environments doesn't hold water - see the last decade's stories of accidentally open S3 buckets, plaintext secrets pushed to public GitHub repos, and all manner of other "minor misconfigurations".


This is true but there’s a big difference in how easy it is to audit. You can enable Security Hub and Guard Duty on AWS organization-wide in a few minutes and have a pretty solid baseline for hardening your infrastructure and flagging suspicious activity. Doing the same with on-premise infrastructure takes months and entails significant risk since things weren’t designed around APIs and low-privilege IAM.

(GCP is similar but SCC is earlier in the development cycle and their threat detection isn’t well designed.)



