Secure Cloud Development

Challenges with development for the cloud

Application exploits have become daily news, and as a result, application security and secure coding are developing focus areas of cybersecurity. While the industry has talked about application security and secure coding for some time, these areas have not received the attention they deserve.

Research by Microsoft[1] has shown that only a small percentage of organizations have adopted a Secure Development Lifecycle (SDL). Whether an SDL is integrated within organization execution or not, organizations are moving to a cloud-first methodology. Consequently, this has thrust applications away from “bare-metal systems” and toward the cloud, which is outside of organizations’ direct control.

With this cloud-first model, architectures are redefined to support cloud technologies including elasticity, containers, and microservices, while making use of integrated cloud security capabilities (e.g., logical segmentation in a “deny-all” standard operational mode). This operational environment presents both challenges and opportunities for developers.

Risks of applications moving to the cloud

Whether we’re discussing common weakness enumerations (CWEs)[2] or other cloud-specific threats, organizations that move their applications to the cloud must first understand the inherent risks of doing so. In 2016, the Cloud Security Alliance (CSA) released the Treacherous 12 Cloud Computing Threats[3]. From a development perspective, data breaches; weak identity, credential and access management; and insecure application programming interfaces (APIs) quickly rise to the top of the list of threats that must be addressed while developing cloud applications.

The CSA, along with SAFECode and the National Institute of Standards and Technology (NIST), have recently provided a host of standards and guidance one should consult when authoring cloud services. The joint CSA and SAFECode document Practices for Secure Development of Cloud Applications[4], and the CSA’s Domain 10: Application Security in the Certificate of Cloud Security Knowledge (CCSK), help steer developers along the right path. NIST provides multiple standards in its Special Publications (SPs), including NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, NIST SP 500-299 NIST Cloud Security Reference Architecture, SP 800-53, SP 800-171, and others.

DevOps / DevSecOps

Applications are moving to a DevOps model, in which code is pushed, tested, and deployed across a cloud environment by automation. This change to how one fundamentally thinks about deployment can present many challenges. A quick response could be, “Insecure applications will now be deployed in a shorter time frame.” While this could be true, the automation that drives DevOps can also be leveraged for application security. Application delivery can be orchestrated to automatically conduct Static Application Security Testing (SAST) along with Dynamic Application Security Testing (DAST) prior to deployment, and the pipeline can refuse to deploy when either finds a critical fault. Even fuzz testing can be run in the pipeline to test for critical faults prior to automatic deployment into production.

Other Recommendations

The first recommendation is application security and secure coding practice training for all developers. The second recommendation is for the organization to adopt an SDL, which includes involvement from developers, program and project managers, the security team, IT teams, QA, and more.

Microsoft’s SDL[5] is a multi-step process for securing software. In the requirements phase, Microsoft recommends that organizations define quality gates and bug bars (the maximum severity and number of defects a release may ship with) while analyzing security and privacy risks. In the design phase, an organization must develop a threat model and conduct an attack surface analysis. During the implementation phase, developers avoid unsafe functions and use SAST. The verification phase focuses on DAST with fuzz testing while updating the threat model and attack surface analysis. A response plan is developed during release.
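The DevOps paragraph above describes orchestrating SAST and DAST before deployment, and the SDL paragraph describes defining a bug bar in the requirements phase; the two meet in a release gate that reads the scanner output and decides whether the pipeline may deploy. The following is an added example, not code from the article, from Microsoft's SDL, or from any particular scanner: the JSON report layout, the `sast`/`dast` tool labels, the severity names and the bug-bar limits are all assumptions chosen for illustration, and the two reports embedded in the block are constructed sample data.

```python
"""Release gate that enforces a bug bar over SAST and DAST findings.

Added example (not from the article or any named tool). The report
schema, tool labels, severity names and default limits are assumptions.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    tool: str                 # "sast" or "dast" (assumed labels)
    rule_id: str              # CWE id or scanner rule name
    severity: str             # one of SEVERITIES, lower-case
    location: str             # file:line for SAST, URL for DAST
    suppressed: bool = False  # triaged as false positive / accepted risk


@dataclass
class BugBar:
    """Maximum number of unsuppressed findings tolerated per severity,
    plus the scans that must have produced a report at all."""
    limits: Dict[str, int] = field(default_factory=lambda: {
        "critical": 0, "high": 0, "medium": 5, "low": 50})
    required_tools: tuple = ("sast", "dast")


@dataclass
class GateResult:
    passed: bool
    counts: Dict[str, int]
    reasons: List[str]


def load_report(tool: str, json_text: str) -> List[Finding]:
    """Parse a minimal JSON report (assumed schema) into Finding objects."""
    raw = json.loads(json_text)
    return [Finding(tool=tool, rule_id=r["rule"], severity=r["severity"].lower(),
                    location=r["location"], suppressed=bool(r.get("suppressed", False)))
            for r in raw["findings"]]


def count_by_severity(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count unsuppressed findings; reject severities the bug bar cannot rank."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        if f.suppressed:
            continue
        if f.severity not in counts:
            raise ValueError(f"unknown severity {f.severity!r} on {f.rule_id}")
        counts[f.severity] += 1
    return counts


def evaluate_gate(reports: Dict[str, List[Finding]],
                  bar: Optional[BugBar] = None) -> GateResult:
    """Decide whether a build may deploy. Fails closed: a scan that never
    produced a report is treated as a failure, not as a clean result."""
    bar = bar or BugBar()
    reasons: List[str] = []
    for tool in bar.required_tools:
        if tool not in reports:
            reasons.append(f"{tool} scan produced no report; absent is not clean")
    all_findings = [f for fs in reports.values() for f in fs]
    counts = count_by_severity(all_findings)
    for sev, limit in bar.limits.items():
        if counts.get(sev, 0) > limit:
            offenders = [f"{f.rule_id}@{f.location}" for f in all_findings
                         if f.severity == sev and not f.suppressed]
            reasons.append(f"{counts[sev]} {sev} finding(s) exceed bug bar of "
                           f"{limit}: {', '.join(offenders)}")
    return GateResult(passed=not reasons, counts=counts, reasons=reasons)


# Constructed sample reports (not real scanner output).
SAST_REPORT = json.dumps({"findings": [
    {"rule": "CWE-89", "severity": "High", "location": "app/db.py:42"},
    {"rule": "CWE-327", "severity": "Medium", "location": "app/crypto.py:17",
     "suppressed": True},
    {"rule": "CWE-778", "severity": "Low", "location": "app/api.py:88"},
]})
DAST_REPORT = json.dumps({"findings": [
    {"rule": "missing-hsts", "severity": "Medium",
     "location": "https://staging.example.test/login"},
]})


def gate_sample_build() -> GateResult:
    """Run the gate over the constructed reports above."""
    return evaluate_gate({"sast": load_report("sast", SAST_REPORT),
                          "dast": load_report("dast", DAST_REPORT)})


if __name__ == "__main__":
    result = gate_sample_build()
    print("DEPLOY" if result.passed else "BLOCKED", result.counts)
    for r in result.reasons:
        print(" -", r)
    raise SystemExit(0 if result.passed else 1)
```

In a pipeline the non-zero exit status is what stops the deploy stage. Two design points matter more than the counting itself: the gate fails when a required scan is missing, so a misconfigured or skipped scanner cannot silently pass a build, and suppressions are explicit per finding, so accepted risk is recorded rather than achieved by loosening the bar.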

A final note to organizations with limited funds is to research the many free and open source tools that exist. One such resource, the Department of Homeland Security-funded Software Assurance Marketplace (SWAMP)[6], is an Internet-facing service. For on-premises hosting, SWAMP-in-a-box (SiB) is available.

About the Author: Mr. Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1). Mr. Brooks has more than 20 years of experience in cyber security with a recognized expertise in cloud security, software assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Mr. Brooks is a CCSK, CISSP, CSSLP, ISSEP, ISSAP and ISSMP. Mr. Brooks graduated from Purdue University with a Bachelor’s of Science from the School of Computer Science. His talk, "Secure Development for the Cloud," will be presented at the 2017 InfoSec World conference.
