Risk
12/6/2013
04:33 PM
50%
50%

Experts Offer Advice For Developing Secure Cloud Applications

Research paper offers security advice for application developers for cloud environments

Building security into the application development process has always been a challenge. The reality of cloud computing, however, introduces new hurdles that need to be identified and overcome.

In a new paper, the Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) joined forces to help developers navigate the sometimes troubled waters of application security. The report focuses on security considerations for platform-as-a-service (PaaS), though the authors say their advice is relevant to software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) as well.

"Among all of the cloud security challenges, this report is focused on the challenges faced by software developers who are developing applications for the cloud," says Eric Baize, senior director of the product security office with EMC. "Most of the activities required to develop secure software for the cloud are identical to the fundamental security practices required for any software. However, cloud has some unique characteristics that demand some customization of these practices."

The most notable among these is multi-tenancy, Baize says. Multi-tenancy, the report explains, allows multiple consumers or tenants to maintain a presence in a cloud service provider’s environment in a manner where the computations and data of one tenant are isolated from other tenants.

Cloud providers should model all of their application's interfaces with threats to multi-tenancy in mind, such as information disclosure and privilege escalation, the report advises. In addition, providers should use a "separate schema" database design when building multi-tenant applications as opposed to adding a "TenantID" column to each table.

"APIs are the front door into any application, and it is critical that they are properly secured," the report states. "In many ways, API security for cloud applications is similar to API security for web applications hosted in data centers. Traditional application layer security risks, such as the OWASP Top 10, are still present when deploying your application to the cloud."

To secure APIs, the report recommends determining whether the APIs can be restricted so that only trusted hosts can call them and ensure that interservice communication is securely authenticated. Also, testing should be used to validate security monitoring and alerting capabilities.

The paper touches on a number of other topics as well, including the use of trusted compute pools and the challenges of dealing with authentication and identity management. The focus is on mitigating the primary threats to cloud computing: data breaches, data leakage, denial-of-service, and insecure application interfaces.

The report can be viewed as a set requirements and capabilities that PaaS should be providing to developers, says Steve Orrin, chief technologist for Intel Federal.

"To that end, organizations and their developers need to evaluate the security capabilities and services that their PaaS provides and then ensure they adopt these security capabilities and/or demand their availability from their provider," he says.

Security, Baize adds, has increasingly become an integral part of the design process.

"CSA cloud security recommendations are widely used by cloud practitioners, and SAFECode secure software development practices are increasingly part of standard software engineering processes," he says. "What this report provides is the connection between these two sets of practices by translating cloud-specific security requirements into security practices for software developers."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.