A whopping 96% of third-party cloud container apps have known vulnerabilities, highlighting ongoing cloud security challenges.

Cloud computing is often touted as more secure than traditional options. Unfortunately, this is only true if all parties involved make security a prime objective.

According to Palo Alto Networks’ Unit 42 team, some 96% of third-party container apps have known vulnerabilities. In addition, 63% of third-party code templates contain insecure configurations.

The news is especially concerning given the rise of supply chain attacks. Hackers are increasingly targeting widely used, third-party software, services, containers and plugins. Successfully compromising a single vendor who’s product is used by thousands of customers can have a far greater impact than compromising a single target.

Unit 42 highlights the danger of supply chain cloud attacks:

In most supply chain attacks, an attacker compromises a vendor and inserts malicious code in software used by customers. Cloud infrastructure can fall prey to a similar approach in which unvetted third-party code could introduce security flaws and give attackers access to sensitive data in the cloud environment. Additionally, unless organizations verify sources, third-party code can come from anyone, including an Advanced Persistent Threat (APT).

Organizations that want to stay secure must start making DevOps security a priority:

Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud native applications have a long chain of dependencies, and those dependencies have dependences of their own. DevOps and security teams need to gain visibility into the bill of materials in every cloud workload in order to evaluate risk at every stage of the dependency chain and establish guardrails.