Applications Based on Before moving applications to the public cloud, it is important to implement security practices and techniques. This expert E-Guide provides guidance on how to develop secure applications specifically for the cloud that are more likely to withstand today's most common attacks. Also discover some of the controls that need to be put in place to secure cloud-based applications once they are developed and deployed. Web App Security By: Dave Shackleford As more organizations look to deploy applications in cloud provider environments, the need for sound security practices and techniques becomes paramount. How should applications be developed for cloud environments to maximize security? Will these applications differ from internal applications? What changes will be needed in the development cycle and quality assurance (QA) processes? All of these questions need to be addressed before moving applications to public cloud environments. How to develop cloud applications securely Before an organization dives headfirst into the cloud application development process, its enterprise security group should encourage developers to explore the secure development platforms, coding security options and tools that are available from the cloud providers. One example of a Platform as a Service provider that is embracing code security and secure development practices is Salesforce.com's Force.com, which has a wiki page devoted to developer security and coding best practices. Force.com's wiki outlines security during the design, development, testing and release phases, mimicking a fairly standard software development life cycle (SDLC). Force.com offers a number of best-practice documents, a self-assessment tool that can help guide security decisions and specific tools advice for each Page 2 of 6
Applications Based on phase of the SDLC. Similarly, Microsoft also has a number of resources available for developers, including its Cloud Fundamentals video series. Despite the availability of these resources, no cloud provider can supply all the resources and other program elements needed to ensure sound development of secure applications for public and hybrid cloud environments. Successful development of secure cloud applications requires adopting a different perspective on the risk posture of cloud applications. Secure development stakeholders should think of cloud applications as being potentially more exposed than standard internal applications. Why? For one, cloud applications are typically hosted and maintained in an environment separate from an organization's core IT assets, so organizations are likely to have less control over them compared to traditional applications. Also, most cloud applications are Web-based, which means they are likely to face a variety of standard-yet-prevalent Web app security threats, including crosssite scripting, SQL injection and directory traversal. An information security team should suggest that its developers carefully review the Open Web Application Security Project (OWASP) Top 10 list of the most viable Web application attacks, and then develop and integrate mitigation methods for those threats before applications are published into cloud environments. The primary attack vector by which many Web applications are compromised is lack of input filtering, so developers should limit the data types, lengths and formats that applications will accept. Developers should also be careful about exposing application programming interfaces (APIs) within their cloud-based applications. API abuse has consistently been ranked as one of the Cloud Security Alliance's Top Threats to Cloud Computing. Cloud app security means authentication, encryption As they live outside the bounds of corporate networks and their monitoring capabilities, cloud applications require strong controls for authentication and authorization. Developers should ensure that an authentication page or interface completely mediates all application content and functionality. Account hijacking is another common cloud security concern, so developers may want to implement a more stringent authentication policy than what is in Page 3 of 6
Applications Based on place for internal applications, leveraging multifactor authentication and strong password complexity and length policies where possible. Given that they will likely be hosted in a multi-tenant environment, the use of file and application-level encryption may also be a good idea within cloud applications. While the likelihood of compromise scenarios from malicious co-tenants is difficult to predict, using encryption and carefully vetting libraries and other third-party code components are sound practices to follow. An organization's existing SDLC should also be adapted for the development and publication of cloud applications. Careful testing of the code and performing QA processes should be considered mandatory prior to publication to cloud platforms. Given the inherent scalability of cloud assets, testing for availability and performance should be adapted to ensure appropriate stress testing. Secure development takes time In general, as organizations are pushing to move to the cloud more and more quickly, there may be a tendency to move toward a rapid development program like Agile. Unless they can dedicate the necessary time and resources towards securing code at each stage of the development project, organizations looking to secure their cloud apps should be careful about committing to such a program. There are clearly plenty of concerns that need to be addressed when developing secure cloud applications, so speeding up the process only increases the risk that an app will be left vulnerable. About the author: Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vexpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published Page 4 of 6
Applications Based on course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Page 5 of 6
Applications Based on Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 6 of 6