Info-Security Conference Securing Your Applications in the Cloud. 29 May 2013

Transcription

1 Info-Security Conference 2013 Securing Your Applications in the Cloud 29 May 2013

2 Applications in the Cloud Problem: In the cloud, application security is your final line of defence We are still not doing application security right generally Why should we expect to be able to do it right in the cloud? Ideas: Awareness, guidance, training, and context Reinforced by the right tools integrated into a secure development lifecycle Paving the way for more secure apps and better competitiveness (DevOps)

3 Quick Re-cap of Terminology IaaS, PaaS, SaaS determines which layers you have to secure yourself IaaS is most similar to traditional app security application still crosses a trust-boundary when it moves from dev to production and you still have to worry about the whole application stack PaaS abstracts out low layers but multi-tenant issues arise SaaS the app provides end-user functions and is part of the platform; can add custom functionality to the app

4 Cloud application security issues Are you securing the right layers? For example, IaaS most layers are in scope can you automate securing them? E.g. using pre-secured VM images? But how do you deal with ongoing image security? Internal apps are now external access control? Shadow IT? Testing and acceptance procedures for SaaS "By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service, up from less than 1% today (Gartner 2013 Application Security forecast)

5 Cloud application security issues Generally application security is still not being done right Developers still don t know about security Developers still don t know how to deal with a customer who asks for security Security is seen as the customer s responsibility, not the developer s Even in-house app development is often distanced from the rest of the organisation E.g. the PCI DSS section 6 compliance issues cannot leave security to the end of the process

6 What is DevOps? Developers want change; operations want stability Traditional lifecycle too slow need continuous deployment Goes hand-in-hand with cloud Who does DevOps? Netflix 70 production deployments PER DAY (Oct 2012)

7 DevOps Security In DevOps the developer is also the tester and also does the QA it is a self-service build environment DevOps changes traditional web application security controls WAFs: continuous deployment = continuous configuration! Pentesting: useful for spot checks but very, very slow in comparison with the speed of deployment DAST/Code audit: Setup/running time/analysis just too slow

8 Tools/Techniques Available Vulnerability Assessment App Code Framework PHP/.NET/Java etc Servers (web, db) Operating System Fast Inexpensive Fully automated Not risk-based Only finds known vulnerabilities Static Source Code Audit App Code Framework PHP/.NET/Java etc Servers (web, db) Operating System Fast Mostly automated but Requires tuning/training Not risk-based Thorough examination of custom code Can be done all the time Penetration Testing App Code Framework PHP/.NET/Java etc Servers (web, db) Operating System Slow Holistic includes business logic and app state Risk-based Can only be done at end

9 So what should we do? LIFECYCLE plus tools secure software development lifecycle (SSDLC) Plan for security from the start of the lifecycle Engage the developers and be engaged (for example consider the differences in impact of SAST when developers are engaged and when they are not) Arm the developers! Training Secure frameworks (Spring, JAAS, Shiro, ESAPI etc) Open communication

10 So what should we do? Automate as much as possible. From OWASP: Unit Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env Report & Notify Publish to release repository Deploy to Production

11 So what should we do? Automate the testing for every single release Unit Tests Develop Code Commit Source Control Build Trigger Deploy to Test Env Auto Test Report & Notify Publish to release repository Deploy to Production SCA Test

12 So what should we do? Keep using old tools: WAF on main functions and infrequently changed parts of the site Periodic penetration testing Manual code audit on most security-sensitive functions

13 Summary It s all about the lifecycle Engage with developers awareness, training, feedback Tools and automation wherever possible

14 Thank you! Richard Stagg Handshake Networking Ltd