The IT world is advancing at an astonishing pace. Just a few years ago data was stored physically on databases and software was managed manually. But today more and more organizations are gravitating towards cloud based solutions for their computing needs. While being extremely convenient, cheap and hassle-free, insecure programming can lead to a plethora of vulnerabilities and loopholes that can spell disaster if exploited maliciously.
Due to the relative freshness of the cloud platform, the security aspect has not yet materialized. OWASP, a pioneer in the application security field, is not waiting. The security experts from one of the world’s leading application security platforms have come up with a Top 10 Cloud Security Risks list, but it must be noted that this benchmark is still in its pre-alpha stage.
The following article will touch on the top 5 security topics that cloud developers must take seriously before dealing with their customer’s sensitive data and also provide important development tips.
More and more organizations are using public clouds to host their business services. This automatically introduces a wide range of risks that increase in severity according to the sensitivity of the business data stored on the specific cloud. When the stored data includes credit card information, criminal records, health-related data and salary logs, the stakes rise exponentially.
Many providers employ a multi-tenancy storage architecture, where multiple consumers’ data is stored in one place. When this storage architecture is not stable, cross data harvesting can occur. Cloud providers also often nominally delete data when requested by the organizations. This is an insecure practice, as it leaves traces and can allow hackers to reconstruct the deleted data.
To to avoid security issues with sensitive data, developers should make sure that:
Due to the huge amounts of organizations using clouds to run their businesses, more and more of them have multiple “tenants”. In other words, multiple businesses today are sharing the same resources – computing, networking, storage, services and functionality related components. While reducing costs for the providers, many new security risks are entering the picture.
Security risks arise due to inadequate logical security controls in between physical resources (CPU, networking, databases, etc). Malicious or ignorant tenants can also cause unintentional damage when poor logical controls are used by the cloud provider. Security issues also arise when infrastructure is misconfigured or when bad architecture leads to single points of failure.
Developers can tackle the aforementioned issues by taking the following steps:
The first kind of cloud services that organizations are using today are virtualized hardware solutions, known as IaaS. These offerings can include virtual server spaces, network connections, IP addresses, storages and load balancers. This requires the IaaS vendors to provide data centers and maintain them, while making sure the infrastructure components are safe.
Data within an application cannot be secure if the infrastructure components that make up the platform of the application are insecure. The problems can lie in default configurations of the various system and network devices, enabling of vulnerable services that consumers don’t really use and also porous network protocols or exploitable open ports.
Compromised services can also be used by hackers as “hop-off points” to other services. A compromised web service (for example, with SQL injections) can lead to a compromised back-end database.
Developer tips for optimized IaaS security:
Platform as a Service (PaaS) services typically involve the delivery of a computing platform and solution stack as a service. For example, developers can use .NET, Java and other programming language environments via the website interface. Unfortunately many PaaS services come with security risks due to coding malpractices and errors in the development stages.
Organizations often use PaaS services that suffer from a lack of provisions in the SLA and/or don’t meet compliance demands. The software used is also often developed insecurely.
Developer tips for optimized PaaS security:
On-Demand Software providers are highly sought after today as they enable enterprise IT organizations to cut support and maintenance expenses. Customer Relationship Management (CRM) is a large SaaS market today, but organizations also use SaaS solutions for Enterprise Resource Planning (ERP), Human Resource Management (HRM) and Content Management (CM) services.
The OWASP Top 10 touches on the most common application layer vulnerabilities that exist today. Cloud providers should make sure that their developers are taking the steps needed to produce robust software so that it withstand assaults from malicious attackers. One way to eliminate vulnerabilities early is to use a SAST methodology called Static Code Analysis (SCA).
Implementing SCA/SAST early in the development process can help mitigate many application layer vulnerabilities that can potentially result in high profile breaches with millions of dollars in damages to organizations and clients alike. The automation of the security process helps create a secure Software Development Life Cycle (sSDLC), an effective way to develop robust software.
Other benefits of scanning code early in the Software Life Cycle (SLC) include:
Whether it’s SaaS, PaaS or IaaS, secure coding is absolutely non-negotiable. With the huge migration to the cloud, providers simply can’t afford to implement insecure applications and software. Cybercrime is rising and this can be countered only by securing the foundation of this upcoming platform – the application code. Cloud security now is now a must.
More and more InfoSec experts around the world are advocating the implementation of multiple solutions to bolster cloud security. The most common combo’s include the scanning of the application code during development with SCA and Pen Testing before release (or after integrating new third-party components). Throwing in firewalls for good measure is also an effective tactic.
Only clear clouds can ensure a safe cyberspace. Stay safe.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.