As more organizations look to deploy applications in cloud provider environments, the need for sound security practices...
and techniques becomes paramount. How should applications be developed for cloud environments to maximize security? Will these applications differ from internal applications? What changes will be needed in the development cycle and quality assurance (QA) processes? All of these questions need to be addressed before moving applications to public cloud environments.
In this tip, we'll provide guidance on how to develop secure applications specifically for the cloud that are more likely to withstand today's most common attacks. We'll also discuss some of controls that need to be put in place to secure cloud-based applications once they are developed and deployed.
How to develop cloud applications securely
Before an organization dives headfirst into the cloud application development process, its enterprise security group should encourage developers to explore the secure development platforms, coding security options and tools that are available from the cloud providers. One example of a Platform as a Service provider that is embracing code security and secure development practices is Salesforce.com's Force.com, which has a wiki page devoted to developer security and coding best practices. Force.com's wiki outlines security during the design, development, testing and release phases, mimicking a fairly standard software development life cycle (SDLC). Force.com offers a number of best-practice documents, a self-assessment tool that can help guide security decisions and specific tools advice for each phase of the SDLC. Similarly, Microsoft also has a number of resources available for developers, including its Cloud Fundamentals video series.
Despite the availability of these resources, no cloud provider can supply all the resources and other program elements needed to ensure sound development of secure applications for public and hybrid cloud environments. Successful development of secure cloud applications requires adopting a different perspective on the risk posture of cloud applications. Secure development stakeholders should think of cloud applications as being potentially more exposed than standard internal applications. Why? For one, cloud applications are typically hosted and maintained in an environment separate from an organization's core IT assets, so organizations are likely to have less control over them compared to traditional applications. Also, most cloud applications are Web-based, which means they are likely to face a variety of standard-yet-prevalent Web app security threats, including cross-site scripting, SQL injection and directory traversal.
An information security team should suggest that its developers carefully review the Open Web Application Security Project (OWASP) Top 10 list of the most viable Web application attacks, and then develop and integrate mitigation methods for those threats before applications are published into cloud environments. The primary attack vector by which many Web applications are compromised is lack of input filtering, so developers should limit the data types, lengths and formats that applications will accept. Developers should also be careful about exposing application programming interfaces (APIs) within their cloud-based applications. API abuse has consistently been ranked as one of the Cloud Security Alliance's Top Threats to Cloud Computing.
Cloud app security means authentication, encryption
As they live outside the bounds of corporate networks and their monitoring capabilities, cloud applications require strong controls for authentication and authorization. Developers should ensure that an authentication page or interface completely mediates all application content and functionality. Account hijacking is another common cloud security concern, so developers may want to implement a more stringent authentication policy than what is in place for internal applications, leveraging multifactor authentication and strong password complexity and length policies where possible. Given that they will likely be hosted in a multi-tenant environment, the use of file and application-level encryption may also be a good idea within cloud applications. While the likelihood of compromise scenarios from malicious co-tenants is difficult to predict, using encryption and carefully vetting libraries and other third-party code components are sound practices to follow.
An organization's existing SDLC should also be adapted for the development and publication of cloud applications. Careful testing of the code and performing QA processes should be considered mandatory prior to publication to cloud platforms. Given the inherent scalability of cloud assets, testing for availability and performance should be adapted to ensure appropriate stress testing.
Secure development takes time
In general, as organizations are pushing to move to the cloud more and more quickly, there may be a tendency to move toward a rapid development program like Agile. Unless they can dedicate the necessary time and resources towards securing code at each stage of the development project, organizations looking to secure their cloud apps should be careful about committing to such a program. There are clearly plenty of concerns that need to be addressed when developing secure cloud applications, so speeding up the process only increases the risk that an app will be left vulnerable.
About the author
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.