As more and more enterprises look for applications that can be deployed in a cloud vendor environment, the industry's need for sound security and technology becomes critical.
As more and more enterprises look for applications that can be deployed in a cloud vendor environment, the industry's need for sound security and technology becomes critical. So how should you develop applications in the cloud computing environment to maximize security? Are these cloud applications different from traditional internal applications? What changes are needed in the development lifecycle and QA process? All of these issues must be addressed before moving the application to a public cloud environment.
In this article, we provide guidance on how to specifically apply security for cloud development that is more vulnerable to today's most common attacks. We will also discuss some of the controls that need to be put in place to ensure the security of these cloud applications after application development and deployment.
How to safely develop cloud applications
Before the enterprise goes into the cloud application development process, the security team of the enterprise should encourage their developers to explore the security development platform, the programming security product and the related tools provided by the cloud manufacturer. One of the typical representatives of a service (PaaS) provider that uses code security and security development measures is Salesforce.com's force.com, who has a dedicated page on the wiki that describes developer security and programming best practices. Force.com's Wiki page provides a comprehensive overview of security issues at all stages of design, development, testing, and publishing, which is essentially a fairly standard software development lifecycle (SDLC). Force.com provides a number of best practices articles, a self-assessment tool that can help guide security decisions, and specific tools for use at various stages of SDLC. Similarly, Microsoft offers a number of resources for developers to use, including the company's "Cloud Base" video series.
How to develop cloud application based on network application experience
Despite these available resources, no cloud vendor has yet been able to provide all the resources and other program components to meet the need to ensure the sound development of secure applications in the public cloud and mixed cloud environments. Successful security cloud application development requires that we be able to take targeted measures based on the risk characteristics of cloud applications. Those responsible for security development should consider cloud applications to be more open to development objects than standard internal applications. Why is that? First, cloud applications are typically hosted and maintained in an environment that is independent of the enterprise's core IT equipment, so the enterprise has less control over cloud applications than traditional internal applications. Second, most cloud applications are web-based, which means it is likely to face security threats from a wide range of standards that are not yet popular with Web applications, including cross-site scripting, SQL injection, and directory traversal.
An information security team should recommend that its developers seriously consider the top Ten Network application attacks presented by the Open Network Application Security Project (OWASP), and then develop and integrate mitigation measures for these attacks before releasing applications and deploying them to the cloud environment. The main reason many network applications are attacked is the lack of filtering of input, so developers should strictly define the data types, lengths, and formats that the application can accept. Developers should also be cautious and avoid exposing application programming interfaces (APIs) to their cloud applications as much as possible. API abuse has long been one of the major threats to cloud computing by the Cloud Security alliance.
Cloud application security means authentication and encryption
Given that cloud applications are outside the confines of corporate networks and enterprise monitoring, it is imperative to achieve their certification and authorization with more intense control. Developers should ensure that the certification page or interface is fully capable of managing all application content and functionality. Account hijacking is another common cloud computing security issue, so developers may need to implement a more restrictive authentication strategy than internal applications, and they should take full advantage of multiple authentication methods, strong password complexity, and length policies as much as possible. Since cloud applications are hosted in a multi-tenant environment, using file and application-level encryption techniques can be very appropriate. While the likelihood of a malicious cooperative tenant compromise is unpredictable, using cryptography and careful review of the library and other Third-party code components is a robust approach to follow.
The current SDLC of an enterprise should also be applied to the development and release of cloud applications. Before you officially publish to the cloud computing platform, consider enforcing careful testing of your code and performing QA processes. Due to the inherent scalability of cloud computing resources, you should perform usability testing, performance testing, and a certain degree of stress testing.
Security development takes a certain amount of time
Generally, as companies implement cloud computing more and more quickly, there is a growing trend in the industry for rapid development programs such as agile. Unless the enterprise can devote the necessary time and resources to the security of the code at every stage of the development project, those enterprises wishing to implement their cloud application security should be particularly cautious in delivering such applications. Obviously, when developing a security cloud application, there are a number of issues that need to be addressed and resolved, so the consequence of speeding up this process is only to increase the risk of a problematic application.