
12/6/2013 04:33 PM

Experts Offer Advice For Developing Secure Cloud Applications

Research paper offers security advice for application developers for cloud environments

Building security into the application development process has always been a challenge. The reality of cloud computing, however, introduces new hurdles that need to be identified and overcome.

In a new paper, the Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) joined forces to help developers navigate the sometimes troubled waters of application security. The report focuses on security considerations for platform-as-a-service (PaaS), though the authors say their advice is relevant to software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) as well.

"Among all of the cloud security challenges, this report is focused on the challenges faced by software developers who are developing applications for the cloud," says Eric Baize, senior director of the product security office with EMC. "Most of the activities required to develop secure software for the cloud are identical to the fundamental security practices required for any software. However, cloud has some unique characteristics that demand some customization of these practices."

The most notable among these is multi-tenancy, Baize says. Multi-tenancy, the report explains, allows multiple consumers or tenants to maintain a presence in a cloud service provider’s environment in a manner where the computations and data of one tenant are isolated from other tenants.

Cloud providers should model all of their application's interfaces with threats to multi-tenancy in mind, such as information disclosure and privilege escalation, the report advises. In addition, providers should use a "separate schema" database design when building multi-tenant applications as opposed to adding a "TenantID" column to each table.
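To make the "separate schema" recommendation concrete, here is an added example (not code from the CSA/SAFECode report) contrasting the two multi-tenant designs with SQLite: a shared table isolated only by a tenant column, where a single query that forgets the filter discloses another tenant's rows, and one schema per tenant, where the tenant is fixed when the connection is chosen. The tenant names and invoice rows are constructed sample data, and separate in-memory databases stand in for separate schemas.

```python
import sqlite3

# Constructed sample data: two tenants, one record each (not from the report).
TENANT_ROWS = {
    "acme": [("acme", "invoice-1", "ACME body")],
    "globex": [("globex", "invoice-9", "Globex body")],
}


def build_shared_table():
    """Design 1: one table for every tenant, separated only by a tenant_id column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT, ref TEXT, body TEXT)")
    for rows in TENANT_ROWS.values():
        db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", rows)
    return db


def shared_query(db, tenant_id, filter_by_tenant=True):
    """Every query must carry the tenant predicate; omitting it once leaks other tenants' data."""
    if filter_by_tenant:
        cur = db.execute("SELECT ref FROM invoices WHERE tenant_id = ?", (tenant_id,))
    else:
        # The defect class the report warns about: a query with no tenant filter.
        cur = db.execute("SELECT ref FROM invoices")
    return sorted(row[0] for row in cur)


def build_separate_schemas():
    """Design 2: one schema per tenant; here each tenant gets its own in-memory database."""
    schemas = {}
    for tenant_id, rows in TENANT_ROWS.items():
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE invoices (ref TEXT, body TEXT)")
        db.executemany("INSERT INTO invoices VALUES (?, ?)", [(r[1], r[2]) for r in rows])
        schemas[tenant_id] = db
    return schemas


def separate_query(schemas, tenant_id):
    """Tenant selection happens when the connection is picked, so no per-query filter can be forgotten."""
    cur = schemas[tenant_id].execute("SELECT ref FROM invoices")
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    shared = build_shared_table()
    print("shared, filtered:  ", shared_query(shared, "acme"))
    print("shared, unfiltered:", shared_query(shared, "acme", filter_by_tenant=False))
    print("separate schema:   ", separate_query(build_separate_schemas(), "acme"))
```

The unfiltered shared-table query returns both tenants' invoice references, while the per-schema query cannot reach another tenant's rows no matter how the SQL is written.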

"APIs are the front door into any application, and it is critical that they are properly secured," the report states. "In many ways, API security for cloud applications is similar to API security for web applications hosted in data centers. Traditional application layer security risks, such as the OWASP Top 10, are still present when deploying your application to the cloud."

To secure APIs, the report recommends determining whether the APIs can be restricted so that only trusted hosts can call them, and ensuring that interservice communication is securely authenticated. Testing should also be used to validate security monitoring and alerting capabilities.

The paper touches on a number of other topics as well, including the use of trusted compute pools and the challenges of dealing with authentication and identity management. The focus is on mitigating the primary threats to cloud computing: data breaches, data leakage, denial-of-service, and insecure application interfaces.

The report can be viewed as a set of requirements and capabilities that PaaS should be providing to developers, says Steve Orrin, chief technologist for Intel Federal.

"To that end, organizations and their developers need to evaluate the security capabilities and services that their PaaS provides and then ensure they adopt these security capabilities and/or demand their availability from their provider," he says.

Security, Baize adds, has increasingly become an integral part of the design process.

"CSA cloud security recommendations are widely used by cloud practitioners, and SAFECode secure software development practices are increasingly part of standard software engineering processes," he says. "What this report provides is the connection between these two sets of practices by translating cloud-specific security requirements into security practices for software developers."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
