How to Develop Cloud Applications Based on Web App Security Lessons



Before moving applications to the public cloud, it is important to implement security practices and techniques. This expert E-Guide provides guidance on how to develop secure applications specifically for the cloud that are more likely to withstand today's most common attacks. Also discover some of the controls that need to be put in place to secure cloud-based applications once they are developed and deployed.

By: Dave Shackleford

As more organizations look to deploy applications in cloud provider environments, the need for sound security practices and techniques becomes paramount. How should applications be developed for cloud environments to maximize security? Will these applications differ from internal applications? What changes will be needed in the development cycle and quality assurance (QA) processes? All of these questions need to be addressed before moving applications to public cloud environments.

How to develop cloud applications securely

Before an organization dives headfirst into the cloud application development process, its enterprise security group should encourage developers to explore the secure development platforms, coding security options and tools that are available from the cloud providers. One example of a Platform as a Service provider that is embracing code security and secure development practices is Salesforce.com's Force.com, which has a wiki page devoted to developer security and coding best practices. Force.com's wiki outlines security during the design, development, testing and release phases, mimicking a fairly standard software development life cycle (SDLC). Force.com offers a number of best-practice documents, a self-assessment tool that can help guide security decisions, and advice on specific tools for each phase of the SDLC. Similarly, Microsoft also has a number of resources available for developers, including its Cloud Fundamentals video series. Despite the availability of these resources, no cloud provider can supply all the resources and other program elements needed to ensure sound development of secure applications for public and hybrid cloud environments.

Successful development of secure cloud applications requires adopting a different perspective on the risk posture of cloud applications. Secure development stakeholders should think of cloud applications as being potentially more exposed than standard internal applications. Why? For one, cloud applications are typically hosted and maintained in an environment separate from an organization's core IT assets, so organizations are likely to have less control over them compared to traditional applications. Also, most cloud applications are Web-based, which means they are likely to face a variety of standard-yet-prevalent Web app security threats, including cross-site scripting, SQL injection and directory traversal.

An information security team should suggest that its developers carefully review the Open Web Application Security Project (OWASP) Top 10 list of the most viable Web application attacks, and then develop and integrate mitigation methods for those threats before applications are published into cloud environments. The primary attack vector by which many Web applications are compromised is lack of input filtering, so developers should limit the data types, lengths and formats that applications will accept. Developers should also be careful about exposing application programming interfaces (APIs) within their cloud-based applications. API abuse has consistently been ranked as one of the Cloud Security Alliance's Top Threats to Cloud Computing.
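The input-filtering advice above (limit the data types, lengths and formats an application accepts) as an added Python example; this is not code from the E-Guide or its author. It shows an allow-list schema validator in front of a parameterized SQLite insert, so that data which passes validation still never reaches the query as concatenated text. The schema, field names, limits, patterns and sample payloads are constructed for illustration.

```python
"""Allow-list input validation for a cloud-facing web endpoint.

Added example, not code from the E-Guide or its author.  The schema, field
names, limits and the sample payloads are constructed for illustration.
"""
import re
import sqlite3
from typing import Any, Dict, List

# Hypothetical schema for a "create profile" request.  Each field declares the
# Python type it must have, a maximum length (strings) or range (integers) and,
# where the format is well defined, a regular expression the whole value must
# match.  Fields not listed here are rejected outright (allow-list, not deny-list).
PROFILE_SCHEMA: Dict[str, Dict[str, Any]] = {
    "username": {"type": str, "max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    "email":    {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age":      {"type": int, "min": 0, "max": 150},
    "bio":      {"type": str, "max_len": 500, "required": False},
}


def validate(payload: Dict[str, Any], schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the list of validation errors; an empty list means the payload is acceptable."""
    errors: List[str] = []
    for key in payload:
        if key not in schema:
            errors.append(f"unexpected field: {key}")
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", True):
                errors.append(f"missing field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                errors.append(f"{name}: longer than {rule['max_len']} characters")
            pattern = rule.get("pattern")
            if pattern and not re.fullmatch(pattern, value):
                errors.append(f"{name}: does not match required format")
        elif rule["type"] is int:
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: outside range {rule['min']}..{rule['max']}")
    return errors


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (username TEXT PRIMARY KEY, email TEXT, age INTEGER, bio TEXT)"
    )
    return conn


def create_profile(conn: sqlite3.Connection, payload: Dict[str, Any]) -> List[str]:
    """Validate the request, then store it with a parameterized query.

    Validation narrows what the application accepts; the parameterized query
    keeps even accepted data out of the SQL text, so the two controls stack.
    """
    errors = validate(payload, PROFILE_SCHEMA)
    if errors:
        return errors
    conn.execute(
        "INSERT INTO profiles (username, email, age, bio) VALUES (?, ?, ?, ?)",
        (payload["username"], payload["email"], payload["age"], payload.get("bio", "")),
    )
    return []


def profile_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM profiles").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    # Constructed sample requests: one well-formed, the rest each violating one rule.
    samples = [
        {"username": "alice_1", "email": "alice@example.com", "age": 30},
        {"username": "bob' OR 1=1 --", "email": "bob@example.com", "age": 30},
        {"username": "c" * 33, "email": "carol@example.com", "age": 30},
        {"username": "dave", "email": "dave@example.com", "age": "30"},
        {"username": "eve", "email": "eve@example.com", "age": 30, "is_admin": True},
    ]
    for sample in samples:
        print(sample.get("username", "?"), "->", create_profile(db, sample) or "stored")
    print("rows stored:", profile_count(db))
```

The validator rejects unknown keys as well as malformed values, which is what makes it an allow-list: a field such as `is_admin` that the schema never mentions cannot slip through to the data layer, and a username that would only be dangerous inside a string-built query is refused on format before the query is ever assembled.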
Cloud app security means authentication, encryption

As they live outside the bounds of corporate networks and their monitoring capabilities, cloud applications require strong controls for authentication and authorization. Developers should ensure that an authentication page or interface completely mediates all application content and functionality. Account hijacking is another common cloud security concern, so developers may want to implement a more stringent authentication policy than what is in place for internal applications, leveraging multifactor authentication and strong password complexity and length policies where possible.

Given that they will likely be hosted in a multi-tenant environment, the use of file and application-level encryption may also be a good idea within cloud applications. While the likelihood of compromise scenarios from malicious co-tenants is difficult to predict, using encryption and carefully vetting libraries and other third-party code components are sound practices to follow.

An organization's existing SDLC should also be adapted for the development and publication of cloud applications. Careful testing of the code and performing QA processes should be considered mandatory prior to publication to cloud platforms. Given the inherent scalability of cloud assets, testing for availability and performance should be adapted to ensure appropriate stress testing.

Secure development takes time

In general, as organizations are pushing to move to the cloud more and more quickly, there may be a tendency to move toward a rapid development program like Agile. Unless they can dedicate the necessary time and resources towards securing code at each stage of the development project, organizations looking to secure their cloud apps should be careful about committing to such a program. There are clearly plenty of concerns that need to be addressed when developing secure cloud applications, so speeding up the process only increases the risk that an app will be left vulnerable.

About the author: Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
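The "Cloud app security means authentication, encryption" section above asks for an authentication interface that completely mediates all application content and functionality, and for a stricter authentication policy (multifactor authentication, password length and complexity) than internal applications get. The following is an added Python example, not code from the E-Guide or its author: a deny-by-default dispatcher in which every request crosses one authorization check, a route being reachable without a logged-in, MFA-verified session only when it is explicitly registered as public, plus a password-policy check. The route names, session fields, role names and the 14-character / three-character-class thresholds are assumptions for illustration; the guide gives no numbers.

```python
"""Complete mediation of application routes plus a stricter authentication
policy for a cloud-facing application.

Added example, not code from the E-Guide or its author.  Route names, the
session structure, role names and the policy thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Session:
    """What the application knows about the caller after the auth layer ran."""
    user: Optional[str] = None
    mfa_verified: bool = False
    roles: Set[str] = field(default_factory=set)


Handler = Callable[[Session], str]


class App:
    """Minimal dispatcher in which every request crosses one authorization check.

    Routes are private unless explicitly registered as public, so forgetting
    the decorator argument fails closed rather than open.
    """

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[Handler, bool, Optional[str]]] = {}

    def route(self, path: str, public: bool = False, role: Optional[str] = None):
        def register(handler: Handler) -> Handler:
            self._routes[path] = (handler, public, role)
            return handler
        return register

    def dispatch(self, path: str, session: Session) -> Tuple[int, str]:
        entry = self._routes.get(path)
        if entry is None:
            return 404, "not found"
        handler, public, role = entry
        if not public:
            # Deny by default: require a logged-in user who has completed MFA.
            if session.user is None or not session.mfa_verified:
                return 401, "authentication required"
            if role is not None and role not in session.roles:
                return 403, "forbidden"
        return 200, handler(session)


app = App()


@app.route("/health", public=True)
def health(session: Session) -> str:
    return "ok"


@app.route("/account")
def account(session: Session) -> str:
    return f"account of {session.user}"


@app.route("/admin", role="admin")
def admin(session: Session) -> str:
    return "admin console"


# Assumed policy thresholds (the guide calls for "strong password complexity and
# length policies" without giving numbers): at least 14 characters and at least
# three of the four character classes below.
MIN_PASSWORD_LENGTH = 14
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes_present = sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES)
    return classes_present >= 3


if __name__ == "__main__":
    anonymous = Session()
    half_logged_in = Session(user="alice")            # password accepted, MFA not yet done
    user = Session(user="alice", mfa_verified=True)
    operator = Session(user="ops", mfa_verified=True, roles={"admin"})
    for path in ("/health", "/account", "/admin", "/missing"):
        for s in (anonymous, half_logged_in, user, operator):
            print(path, s.user, s.mfa_verified, "->", app.dispatch(path, s))
    print(password_meets_policy("correct horse battery"), password_meets_policy("Correct-Horse-7"))
```

The point of routing everything through `dispatch` is that there is no second code path a handler can be reached by: a session that has a username but has not completed multifactor verification is treated exactly like an anonymous one, and a role requirement is checked after authentication rather than inside each handler, where it is easy to omit.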
