What does it mean to secure your cloud application?
There are several answers to this question, but let's start with the four principles of security.
Confidentiality
States that the sensitive data stored in the Web application should not be exposed under any circumstances.
Integrity
States that the data contained in the Web application is consistent and is not modified by an unauthorized user.
Availability
States that the Web application should be accessible to the genuine user within a specified period of time depending on the request.
Nonrepudiation
States that the genuine user cannot deny modifying the data contained in the Web application and that the Web application can prove its identity to the genuine user.
Now let's look at what this means for your application.
Security is a process, not just a patch applied at the end of the project. This process should cut across the whole application: it starts at the design phase and follows through development, testing, and on into enhancements.
The Open Web Application Security Project (OWASP) is an international non-profit organization focused on improving software security. They have identified the top 10 vulnerabilities:
- Injection flaws
  - Injection is an entire class of attacks that rely on injecting data into a web application in order to facilitate the execution or interpretation of malicious data in an unexpected manner.
- Broken authentication and session management
  - This is a vulnerability associated with the complex process of user authentication. This can happen in all web servers, application servers, and web application environments.
- Cross site scripting (XSS)
  - XSS occurs when an attacker is capable of injecting a script, often JavaScript, into the output of a web application in such a way that it is executed in the client browser.
- Broken access control
  - Broken access control allows attackers to bypass authorization and access resources directly. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.
- Security misconfiguration
  - This set of potential flaws can be caused by a wrong configuration of a web server or application server. There are a wide variety of server configuration problems that can plague the security of a site.
- Sensitive data exposure
  - This web security vulnerability is about crypto and resource protection. Sensitive data should be encrypted at all times, including in transit and at rest. No exceptions.
- Insufficient attack protection
  - This vulnerability is currently in flux and will be removed for something more actionable. The concept is that insufficient methods to detect manual and automated attacks are a vulnerability.
- Cross site request forgery (CSRF)
  - This is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
- Using components with known vulnerabilities
  - This flaw usually happens when 3rd party code is included in a system even when there are some vulnerabilities reported by the developers or a relevant community.
- Underprotected APIs
  - Securing APIs and API access is key to a safe application. Attackers may reverse engineer the API by examining the client code or monitoring communications. This one is also under review.
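To make the broken access control item concrete, here is an added example (not from the original article or from OWASP) that puts an unchecked object lookup beside a version that authorizes every read against the session's user. The invoice store, the `billing-admin` role and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str

# Constructed sample data standing in for a database table.
INVOICES = {1001: Invoice(1001, "alice", "120.00"),
            1002: Invoice(1002, "bob", "87.50")}

class NotFound(Exception):
    """Same error for missing and forbidden objects, so ids are not confirmed."""

def get_invoice_unchecked(invoice_id):
    # The flawed pattern: the id from the request selects the object and
    # nothing checks who is asking.
    return INVOICES[int(invoice_id)]

def can_read(user, invoice):
    # Deny by default; allow only the owner or an explicit role (assumed name).
    return invoice.owner == user.name or "billing-admin" in user.roles

def get_invoice(user, invoice_id):
    # Hardened form: validate the id, load the object, then authorize against
    # the authenticated session user, never a user id taken from the request.
    try:
        invoice = INVOICES[int(invoice_id)]
    except (KeyError, ValueError, TypeError):
        raise NotFound(invoice_id) from None
    if not can_read(user, invoice):
        raise NotFound(invoice_id)
    return invoice

def readable_ids(user, ids):
    # Authorization regression check: the ids this user is allowed to read.
    allowed = []
    for invoice_id in ids:
        try:
            allowed.append(get_invoice(user, invoice_id).invoice_id)
        except NotFound:
            pass
    return allowed
```

A check like `readable_ids` belongs in the test suite, so that a new endpoint that skips the authorization step fails the build.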
Securing applications run in the cloud is critical for any modern business. Steps should be taken to ensure the above vulnerabilities are handled and that the architecture does not leave holes for potential attackers.
There are multiple vendors that can help to secure your servers. Two of note are Anchore and Black Duck Software. Anchore is one of our partners and a great solution for inspecting and monitoring the vulnerabilities of the numerous layers of software running inside modern containers.