Experts Offer Advice for Developing Secure Cloud Applications
Building security into the application development process has always been a challenge. The reality of cloud computing, however, introduces new hurdles that need to be identified and climbed.
In a new paper, the Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) joined forces to release guidance to help developers navigate the sometimes troubled waters of application security. The report focuses on security considerations for platform-as-a-service (PaaS), though the authors say the advice in the paper is relevant to software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) as well.
“Among all of the cloud security challenges, this report is focused on the challenges faced by software developers who are developing applications for the cloud,” says Eric Baize, senior director of the product security office with EMC. “Most of the activities required to develop secure software for the cloud are identical to the fundamental security practices required for any software. However, cloud has some unique characteristics that demand some customization of these practices.”
The most notable among these is multi-tenancy, says Baize. Multi-tenancy, the report explains, allows multiple consumers or tenants to maintain a presence in a cloud service provider’s environment in a manner where the computations and data of one tenant are isolated from other tenants.
Cloud providers should model all their application’s interfaces with threats to multi-tenancy in mind, such as information disclosure and privilege escalation, the report advises. In addition, providers should use a “separate schema” database design when building multitenant applications as opposed to adding a “TenantID” column to each table.
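An added illustration of that recommendation, not taken from the report: the same query with a forgotten tenant filter is run against both designs. SQLite has no CREATE SCHEMA, so each tenant's schema is modelled here as its own in-memory database (an assumption), and the table, tenant names and amounts are constructed.

```python
import sqlite3

# Constructed sample data: two tenants and their invoice amounts.
SAMPLE = {"acme": [100, 250], "globex": [999]}

# A typical developer mistake: the tenant filter was left out of the query.
BUGGY_QUERY = "SELECT amount FROM invoices ORDER BY amount"


def shared_table_db():
    """'TenantID column' design: every tenant's rows live in one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL, amount INTEGER)")
    for tenant, amounts in SAMPLE.items():
        db.executemany("INSERT INTO invoices VALUES (?, ?)",
                       [(tenant, a) for a in amounts])
    return db


def separate_schema_dbs():
    """'Separate schema' design: one isolated namespace per tenant.
    Assumption: modelled as one SQLite database per tenant."""
    dbs = {}
    for tenant, amounts in SAMPLE.items():
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE invoices (amount INTEGER)")
        db.executemany("INSERT INTO invoices VALUES (?)", [(a,) for a in amounts])
        dbs[tenant] = db
    return dbs


def run_buggy_shared(db, tenant):
    # 'tenant' is deliberately unused: isolation here depends on every
    # query remembering WHERE tenant_id = ?, and this one forgot.
    return [row[0] for row in db.execute(BUGGY_QUERY)]


def run_buggy_separate(dbs, tenant):
    # The tenant is bound once, when the connection is selected, so the
    # same buggy query cannot reach another tenant's rows.
    return [row[0] for row in dbs[tenant].execute(BUGGY_QUERY)]


if __name__ == "__main__":
    print("shared table   :", run_buggy_shared(shared_table_db(), "acme"))
    print("separate schema:", run_buggy_separate(separate_schema_dbs(), "acme"))
```

In a server database the per-tenant boundary would additionally be enforced by a database role whose privileges are confined to that tenant's schema.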
“APIs are the front door into any application and it is critical that they are properly secured,” according to the report. “In many ways, API security for cloud applications is similar to API security for web applications hosted in data centers. Traditional application layer security risks, such as the OWASP Top 10, are still present when deploying your application to the cloud.”
To secure APIs, the report recommends determining whether the APIs can be restricted so that only trusted hosts can call them and ensuring that inter-service communication is securely authenticated. Testing should also be used to validate security monitoring and alerting capabilities.
The paper touches on a number of other topics as well, including the use of trusted compute pools and the challenges of dealing with authentication and identity management. The focus is on mitigating the primary threats to cloud computing: data breaches, data leakage, denial-of-service and insecure application interfaces.
The report can be viewed as a set of requirements and capabilities that PaaS should be providing to developers, says Steve Orrin, chief technologist for Intel Federal, LLC.
“To that end, organizations and their developers need to evaluate the security capabilities and services that their PaaS provides and then ensure they adopt these security capabilities and/or demand their availability from their provider,” he says.
Security, Baize adds, has increasingly become an integral part of the design process.
“CSA cloud security recommendations are widely used by cloud practitioners and SAFECode secure software development practices are increasingly part of standard software engineering processes,” he says. “What this report provides is the connection between these two sets of practices by translating cloud-specific security requirements into security practices for software developers.”