Five steps for implementing Platform as a Service (PaaS) security


PaaS is short for Platform as a Service: a business model in which the server platform itself is provided as a service. Just as software provided as a service is SaaS (Software as a Service), in the cloud computing era the server platform or development environment provided as a service becomes PaaS. When it comes to security and cloud computing models, PaaS has its own special challenges. Unlike the other cloud models, PaaS security requires application security expertise that most companies have not invested heavily in. The problem is compounded because many companies use "entry-level" infrastructure controls as their response to application-level security risks (for example, once application code has been released to production, a WAF is used to mitigate cross-site scripting or other front-end problems that have been detected). Because PaaS gives you no control over the underlying infrastructure, this strategy is impractical for applications deployed on PaaS.
Consider the flexibility of PaaS in relation to control. Like IaaS, PaaS offers almost unlimited design flexibility: you can build anything from a social networking site to an intranet site or a CRM application. Unlike IaaS, however, the "stack" beneath an application is not transparent; the components and infrastructure supporting the application are (by design) a "black box". So, as with SaaS, security controls must be built into the application itself. But unlike SaaS, where the service provider implements application-level controls that apply to all customers, here the controls are specific to your own applications. This means you are responsible for deciding which controls are appropriate and for implementing them.
A simple illustration compares the models from the customer's point of view along three dimensions (figure not reproduced): application design flexibility, proportion of control held by the customer, and transparency of the underlying stack.

For organizations that have invested heavily in application security, with well-trained developers and separate development, testing and production processes, PaaS security issues should already be familiar. Organizations that have not yet made these investments can follow the steps below to help meet the challenges of PaaS security to a certain extent.
Step 1: Establish security measures

The fundamental challenge of application security existed long before PaaS. Consequently there is a considerable body of work on how to build and deploy secure, robust production applications. One technique that offers direct support is application threat modeling; good starting points are the OWASP threat modeling page and Microsoft's Security Development Lifecycle resource page.
Step 2: Scan web applications

Many companies already have application scanning in place, in the form of web application scanning tools used to find common security problems such as cross-site scripting (XSS) and SQL injection. Enterprises with in-house tools can apply them to their PaaS applications, and many PaaS providers offer customers tools with similar functions free of charge or at a discount. Enterprises that want a broader scanning policy can also use free tools such as Google's skipfish.
Step 3: Train developers

It is critical that application developers have a thorough grasp of application security principles. This can include language-level training (that is, secure coding principles for the languages they currently use to build applications) and broader topics such as secure design principles. Because of developer attrition and turnover, training usually has to be repeated regularly, so the cost of application security training for developers can be relatively high. Fortunately there are also some free resources, such as Texas A&M/FEMA's Domestic Campus Guard Program, which provides free e-learning material on secure software development. Microsoft also provides free training through its Clinic 2806, security awareness training for Microsoft developers, an entry-level module that is useful as a starting point for a custom program.
Step 4: Use dedicated test data

This happens all the time: developers use production data for testing. The problem needs to be properly understood, because confidential data (such as customers' personally identifiable information) can leak during testing, especially when the development or test environment does not implement the same security measures as production. PaaS is more exposed to this than other environments, because many PaaS services make it easy to share deployment, staging and production databases in order to simplify deployment. Tools such as the open-source Databene Benerator can generate large volumes of data that conform to the specific structure and data formats of your database, which helps you keep production data out of test. These tools are generally tied to a specific framework, so take care to find one that works in your particular environment.
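As an added illustration of this step (example code written for this page, not from the original article or from Benerator), the Python below builds schema-conforming synthetic customer rows from a seeded PRNG, loads them into an in-memory SQLite copy of a constructed schema so its CHECK and UNIQUE constraints validate them, and adds a guard that fails the test pipeline if any address falls outside the reserved example.com domain. The schema and name lists are constructed for the example.

```python
import random
import sqlite3

# Constructed example schema: a minimal customers table of the kind that
# would otherwise be copied from production into a test database.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL CHECK(length(full_name) <= 60),
    email TEXT NOT NULL UNIQUE,
    phone TEXT NOT NULL CHECK(length(phone) = 12),
    credit_limit INTEGER NOT NULL CHECK(credit_limit BETWEEN 0 AND 50000)
)
"""

# RFC 2606 reserves example.com for documentation and testing, so an address
# in this domain can never belong to a real customer.
TEST_EMAIL_DOMAIN = "example.com"
FIRST = ["Ana", "Bo", "Chen", "Dee", "Eli", "Fay"]      # constructed name lists
LAST = ["Ortiz", "Kim", "Novak", "Reyes", "Sato", "Walsh"]


def synthetic_customers(n, seed=0):
    """Yield n rows that satisfy SCHEMA, built purely from a seeded PRNG."""
    rng = random.Random(seed)           # deterministic: test runs are reproducible
    for i in range(1, n + 1):
        first, last = rng.choice(FIRST), rng.choice(LAST)
        yield (
            i,
            f"{first} {last}",
            f"{first.lower()}.{last.lower()}.{i}@{TEST_EMAIL_DOMAIN}",  # unique per row
            f"555-{rng.randint(100, 999)}-{rng.randint(1000, 9999)}",   # placeholder, 12 chars
            rng.randint(0, 50000),
        )


def load_test_db(n, seed=0):
    """Create an in-memory DB and load synthetic rows; the constraints reject bad data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", synthetic_customers(n, seed))
    conn.commit()
    return conn


def check_no_production_data(conn):
    """Pipeline guard: return (row count, e-mails outside the reserved test domain)."""
    rows = conn.execute("SELECT email FROM customers").fetchall()
    offending = [e for (e,) in rows if not e.endswith("@" + TEST_EMAIL_DOMAIN)]
    return len(rows), offending
```

Running `check_no_production_data` against a staging database before each test run turns "no production data in test" from a policy statement into a failing build.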
Step 5: Reset priorities

The last step is the most important one you can take. Because PaaS can mean a shift in culture and priorities, accept that shift and build it into the way the organization thinks and behaves. With PaaS, everything is about the application. This means the organization's security depends heavily on the development teams within it. In PaaS this can become a nightmare, because at the infrastructure level there is little you can do to mitigate the risks you identify. If you have always relied on infrastructure-level controls to meet application-level security challenges, it is time to reconsider.

Author: Ed Moyle. Translator: Teng Xiaolong. Source: TechTarget China
