Risk
12/6/2013
04:33 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Experts Offer Advice For Developing Secure Cloud Applications

Research paper offers security advice for application developers for cloud environments

Building security into the application development process has always been a challenge. The reality of cloud computing, however, introduces new hurdles that need to be identified and overcome.

In a new paper, the Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) joined forces to help developers navigate the sometimes troubled waters of application security. The report focuses on security considerations for platform-as-a-service (PaaS), though the authors say their advice is relevant to software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) as well.

"Among all of the cloud security challenges, this report is focused on the challenges faced by software developers who are developing applications for the cloud," says Eric Baize, senior director of the product security office with EMC. "Most of the activities required to develop secure software for the cloud are identical to the fundamental security practices required for any software. However, cloud has some unique characteristics that demand some customization of these practices."

The most notable among these is multi-tenancy, Baize says. Multi-tenancy, the report explains, allows multiple consumers or tenants to maintain a presence in a cloud service provider’s environment in a manner where the computations and data of one tenant are isolated from other tenants.

Cloud providers should model all of their application's interfaces with threats to multi-tenancy in mind, such as information disclosure and privilege escalation, the report advises. In addition, providers should use a "separate schema" database design when building multi-tenant applications as opposed to adding a "TenantID" column to each table.

"APIs are the front door into any application, and it is critical that they are properly secured," the report states. "In many ways, API security for cloud applications is similar to API security for web applications hosted in data centers. Traditional application layer security risks, such as the OWASP Top 10, are still present when deploying your application to the cloud."

To secure APIs, the report recommends determining whether the APIs can be restricted so that only trusted hosts can call them and ensure that interservice communication is securely authenticated. Also, testing should be used to validate security monitoring and alerting capabilities.

The paper touches on a number of other topics as well, including the use of trusted compute pools and the challenges of dealing with authentication and identity management. The focus is on mitigating the primary threats to cloud computing: data breaches, data leakage, denial-of-service, and insecure application interfaces.

The report can be viewed as a set requirements and capabilities that PaaS should be providing to developers, says Steve Orrin, chief technologist for Intel Federal.

"To that end, organizations and their developers need to evaluate the security capabilities and services that their PaaS provides and then ensure they adopt these security capabilities and/or demand their availability from their provider," he says.

Security, Baize adds, has increasingly become an integral part of the design process.

"CSA cloud security recommendations are widely used by cloud practitioners, and SAFECode secure software development practices are increasingly part of standard software engineering processes," he says. "What this report provides is the connection between these two sets of practices by translating cloud-specific security requirements into security practices for software developers."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2014-0778
Published: 2014-04-19
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.

CVE-2014-1974
Published: 2014-04-19
Directory traversal vulnerability in LYSESOFT AndExplorer before 20140403 and AndExplorerPro before 20140405 allows attackers to overwrite or create arbitrary files via unspecified vectors.

CVE-2014-1983
Published: 2014-04-19
Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.

Best of the Web