My company is working on a cloud-based automobile traffic management application and has asked me to investigate the security aspects further. Although we have somebody who has performed pen testing for us, it is felt that we need to understand more areas of security within our own engineering department -- but I don't know what I need to know, if that makes sense. What knowledge or resources are needed for us to be able to validate the security of this application?
Securing cloud-based applications requires expert knowledge and is not something that can be learned overnight. If the necessary skills don't exist in-house, the best option enterprises have is contracting a company that specializes in application and cloud security to thoroughly review all aspects of the application and provide recommendations on how best to remove or mitigate any weaknesses found.
The contracted company should be able to demonstrate knowledge of security best practices as well as an understanding of any relevant regulations applicable to the application, such as the requirements of the Payment Card Industry Data Security Standard for processing credit card payments. Security personnel should also be experienced in the programming languages used to develop the application, as well as any frameworks used. Knowledge of mistakes common to a particular language or framework is essential to eradicate obvious flaws that may lead to exploitable vulnerabilities in a live application.
The main areas requiring attention -- and the ones that any company developing an application should become familiar with -- are input validation and output encoding, along with authentication and session management. System and application configuration also need rigorous review. Code reviews, vulnerability assessments and penetration tests are all important checks to reduce the chances of an exploitable vulnerability being present in the live application. Automated static code analyzers can quickly review source code -- including functions that are rarely executed and so never reached by a pen test -- for the most common programming errors, such as missing input validation or queries built by string concatenation; their findings still need a developer to confirm which ones are real, as such tools report false positives. Be sure to check that pen tests follow a recognized methodology such as the Open Source Security Testing Methodology Manual (OSSTMM), which details how a security test should be carried out and includes acceptable practice guidelines. Feedback, reports and recommendations produced by third parties must be acted upon quickly so that vulnerabilities are closed before attackers can exploit them.
To ensure that data is correctly protected in cloud environments, developers need to classify the data and monitor how and when it is accessed. The chosen cloud provider should offer service level, code of conduct and confidentiality agreements, which set out both its responsibilities and how it will safeguard your data, including functions such as monitoring and storage.
Hosting cloud-based applications can ease certain security issues but it won't remove the need to follow traditional security principles. An application's overall security will be dramatically improved if developers learn how to write secure code. Future configuration, hardware and software changes should all prompt a review of security controls, and the application should be pen tested at least once a year as new threats emerge that can breach existing defenses. It's not possible to prove that an application is 100% secure, but taking the time to review and stress test it prior to it going live is a worthwhile upfront investment.
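To make the "input validation and output encoding" point concrete, here is an added example (not code from the original answer or from the questioner's application) showing the kind of flaw a static analyzer flags and its hardened form. It assumes a hypothetical sensor-lookup feature in a traffic management app backed by a relational database; the in-memory SQLite table and the sensor IDs are constructed for the demonstration. The vulnerable version builds its query by string formatting with no validation, so an attacker-supplied value changes the query's meaning; the hardened version rejects anything that is not a well-formed sensor ID, passes the value as a bound parameter, and HTML-encodes the data on the way out.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample store: an in-memory SQLite table of junction sensors."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sensors (sensor_id TEXT PRIMARY KEY, "
        "junction TEXT, green_seconds INTEGER)"
    )
    conn.executemany(
        "INSERT INTO sensors VALUES (?, ?, ?)",
        [
            ("JN-0001", "Main St / 1st Ave", 45),
            ("JN-0002", "Main St / 2nd Ave", 30),
            ("MT-0003", "maintenance bay", 0),
        ],
    )
    return conn


# Allowlist for the assumed ID format: two to five capitals, a dash, four
# ASCII digits. [0-9] rather than \d so Unicode digits are not accepted.
SENSOR_ID_RE = re.compile(r"[A-Z]{2,5}-[0-9]{4}")
GREEN_SECONDS_RE = re.compile(r"[0-9]{1,3}")


def validate_sensor_id(raw):
    """Return the sensor ID if it matches the allowlist, else raise ValueError."""
    if not isinstance(raw, str) or not SENSOR_ID_RE.fullmatch(raw):
        raise ValueError("sensor_id must look like LL-NNNN")
    return raw


def validate_green_seconds(raw):
    """Parse a signal timing: ASCII digits only, then an integer range check (5..120 s)."""
    if not isinstance(raw, str) or not GREEN_SECONDS_RE.fullmatch(raw):
        raise ValueError("green_seconds must be a whole number")
    value = int(raw)
    if not 5 <= value <= 120:
        raise ValueError("green_seconds out of range")
    return value


def lookup_vulnerable(conn, raw_sensor_id):
    """The flaw a code scanner flags: untrusted input interpolated into SQL."""
    query = (
        "SELECT sensor_id, junction FROM sensors "
        f"WHERE sensor_id = '{raw_sensor_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, raw_sensor_id):
    """Validate first, then bind the value as a parameter so it can only be data."""
    sensor_id = validate_sensor_id(raw_sensor_id)
    return conn.execute(
        "SELECT sensor_id, junction FROM sensors WHERE sensor_id = ?",
        (sensor_id,),
    ).fetchall()


def render_junction_row(row):
    """Output encoding: escape every stored field before it reaches an HTML page."""
    sensor_id, junction = row
    return f"<tr><td>{html.escape(sensor_id)}</td><td>{html.escape(junction)}</td></tr>"


def rejects(validator, raw):
    """True if the validator refuses the input (used to show what gets blocked)."""
    try:
        validator(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(conn, payload)))
    print("hardened rejects payload:", rejects(lambda s: lookup_hardened(conn, s), payload))
    print(render_junction_row(("JN-0001", "<script>alert(1)</script>")))
```

The same `x' OR '1'='1` value returns every row from the vulnerable lookup and is rejected outright by the hardened one; even if an attacker found an ID that passed the allowlist, the bound parameter means the database never treats it as SQL. Validation limits what comes in, output encoding controls what goes out, and a parameterized query handles the layer in between; a scanner will typically catch the first and third, but the range rules (such as a plausible green-signal duration) come from understanding the application itself.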
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)