Organizations that migrate to cloud environments often assume that the cloud provider handles security tasks. This is partially true, but the cloud consumer still has a vital role to play, especially if a cloud environment is used for developing or hosting applications. Often, security focuses only on the controls associated with identity and access management (IAM), networking, and infrastructure components. But if the application software running on these components is insecure, then the organization's data is also insecure. This chapter will discuss the processes needed to secure the software through the application development lifecycle.
Secure software development begins with the development of a culture of security and the implementation of a secure software development lifecycle (SSDLC). The SSDLC is similar to governance documents like security policies and should define requirements and processes for the organization to securely develop software. A secure culture is not developed through occasional efforts but through regular, deliberate action. The three parts identified by the Software Assurance Forum for Excellence in Code (SAFECode) are executive support and engagement, program design and implementation, and program sustainment and measurement. Training and awareness are important parts of developing a security culture and of developing secure cloud applications.
According to the Cloud Security Alliance (CSA) and SAFECode, the development of collective responsibility is essential but can be challenging when building a safety-conscious application development program. This effort can be broken down into three parts.
Each of these basic concepts requires a clear understanding of organizational culture, security vulnerabilities, and organizational vision and goals. Without an organization-wide understanding of security and proper resources, software development and application security in the cloud are unlikely to be successful.
One of the most common pitfalls related to cloud security is a lack of understanding the responsibility for securing the cloud. Even though major cloud service providers (CSPs) publish their shared security model, it is common to find cloud consumers who believe that all aspects of IT are outsourced to the cloud provider—including security. Ensuring that organizational leaders are aware of what responsibility the organization retains is a crucial step in avoiding a dangerous mentality of ignoring security risks.
Once leaders are aware of the need for proper security, another pitfall awaits. Inadequate support from senior management for cloud application security initiatives will lead to inadequate resources and wasted effort. Efforts to instill a security culture are unlikely to be successful unless senior leadership supports these efforts—through their approval and adherence to security policy as well as funding and staffing security initiatives that are part of organizational goals.
The next pitfall is failing to understand organizational culture. Even companies in the same industry have very different cultures. Building and sustaining a security culture requires careful planning that recognizes an organization's existing culture and employs sound change management tactics to introduce security into the culture. In addition, program-level efforts must be reviewed regularly to ensure that they remain aligned with business objectives and cultural realities. For example, a culture that places high value on speed and efficiency is unlikely to embrace security processes, like approval of new cloud services, that add significant delays.
Another resource-related pitfall is staffing. The size of an organization may limit the number of security experts due to competing hiring needs or even resources available for security practitioner salaries. These experts may then serve as resources to multiple development processes rather than as a member on one team. If the organization is large, development teams may use security experts as resources or may include security experts as team members. In either situation, it can be challenging to ensure that the development of security-aware applications will be consistent across the organization.
Organizations that do not implement a framework for secure software development will also cause difficulties. A mature organization will have a well-defined process that integrates security as part of each step. The lack of a framework or process leads to ad hoc security and does not support a security-aware organization.
Finally, in times of budget constraints, the training budget is often a first target for budget cuts. It is easy to cut training without immediate impact; however, a security-conscious organization should find ways to continue security awareness training and secure development practices. Switching from instructor-led training (ILT) to computer-based training (CBT) is one such strategy. CBT may be somewhat less effective, but it still provides useful training at a reduced cost and helps achieve a better cost-benefit outcome than eliminating training entirely.
Additional security training options include subscriptions to online security courses, as well as online asynchronous and synchronous training. Each of these options eliminates travel expenses and is typically lower cost than live, in-person training. One other option is to bring the trainer to the work location. If a large number of people need the same training, bringing the trainer to you rather than sending the people to training can be cost-effective. These options can keep training active while trimming the budget.
Common cloud vulnerabilities include data breaches, data integrity, insecure application programming interfaces (APIs), and denial-of-service (DoS) attacks. The broadly network-accessible nature of the cloud and need to exchange data between networked systems introduces some specific vulnerabilities into cloud computing. Any time an application is accessed or transmits data over the Internet, it is doing this in a hostile environment.
There are several organizations that provide information on security threats, including the Cloud Security Alliance (CSA), the SANS Institute, and the Open Web Application Security Project (OWASP). They publish research on top threats in cloud computing and related technologies, and offer routinely updated content on general, cloud, and application security topics. The following sections contain examples of the risks from each organization and further reference materials.
For the past several years, the CSA Top Threats Working Group (cloudsecurityalliance.org/research/working-groups/top-threats
) has published the top threats to cloud computing. The number of threats varies, and the publications are entertainingly named based on the number of threats. In 2016 to 2018, it was the Treacherous 12, and from 2019 to the present it is the Egregious 11. These lists provide security practitioners with a framework for reviewing cloud computing and cloud application security risks. Here is an example of the top four threats identified in 2020's Egregious 11:
None of these threats should be surprising. Protection of data, which may be put at risk through misconfiguration, poor access control, and other failures, tops the list. The top items on the list also suggest that cloud security needs to become more mature in many organizations. For organizations utilizing other CSA resources, like the cloud controls matrix (CCM), this can be a useful resource for identifying and mitigating cloud security risks.
The OWASP Top 10 (owasp.org/www-project-top-ten
) is a periodically updated list and features the top threats in web application security. The most recent version was released in 2021, and the list is updated approximately every three years. The top 10 security risks lead to a variety of issues that include data breach, data integrity, and DoS attacks, and the list is ideally suited for developers, engineers, and architects who need to account for these threats when designing systems. Essentially, each item of the CIA triad can be affected by one or more of these risks. The following were the top four in 2021:
The most disturbing thing about this list is that the items on the list rarely change—many of the items have been on the list for many years and simply change order over time. This indicates that the prevalence of these vulnerabilities remains high, although new items have entered the list as technology evolves. For example, some vulnerabilities like cross-site scripting (XSS) have been combined into broader categories such as injection vulnerabilities.
New categories have also been created to mirror technology trends like the increased use of distributed system components. The OWASP Top 10 is especially useful for organizations that design or build their own applications in cloud environments. With a focus on shifting security activities into the software development lifecycle (SDLC), engineers should be aware of these vulnerabilities and ensure that system designs avoid them whenever possible.
The Top 25 (cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
) is a list of the most dangerous software weaknesses. It is similar in scope to the OWASP Top 10 and is designed for a highly technical engineering audience. The list has been updated annually for the past several years and pulls data from the common vulnerabilities and exposures (CVEs) reported to the national vulnerability database (NVD).
The NVD captures data about known vulnerabilities in information systems and software products. Because these are real-life, existing flaws, the CWE Top 25 is a measure of the actual weaknesses that are prevalent in software products. The top four in 2021 were:
The Top 25 list is useful when architecting secure software and provides a good starting point for designing testing methodologies. Because it is broadly measuring reported software vulnerabilities, it also includes legacy, noncloud systems. Organizations that are entirely cloud-native may find that some weaknesses are less applicable to cloud applications, but the general principles of secure software development remain largely the same.
A software development lifecycle (SDLC) refers to all the activities necessary to identify what requirements a system must meet and then design, build, test, and operate the system. Security is not inherently a part of the SDLC, so the concept of a secure SDLC (SSDLC) evolves the lifecycle to incorporate security activities throughout the entire process. When looked at on a timeline, system development moves from left to right over time, so the concept of an SSDLC is often known as “shifting left.” Rather than security activities occurring at the end of the lifecycle, key security activities are incorporated from the very beginning.
An SDLC has several phases, and there are different models with more or fewer phases. In general, the steps of an SDLC include requirements, design, development, testing, deployment, and operations and maintenance (O&M). In the SSDLC, these phases are enhanced to include specific security-focused tasks relevant to each phase to allow security by design. For example, during requirements gathering, specific security requirements should be documented, such as the need for the system to support encryption of data at rest.
There are many resources for implementing an SSDLC. These include the Microsoft security development lifecycle (SDL), which can be found here: microsoft.com/en-us/securityengineering/sdl
. Other frameworks include the NIST Secure Software Development Framework and the OWASP Software Assurance Maturity Model (SAMM), detailed in this section.
Similar to the popular NIST Cybersecurity Framework (CSF), the NIST Secure Software Development Framework (SSDF) defines and describes secure software development practices (csrc.nist.gov/publications/detail/sp/800-218/final
). This framework is useful for developing secure traditional IT systems, as well as Industrial Control Systems (ICS), IoT systems, and cyber-physical systems (CPS).
The SSDF can be adapted to existing SDLCs, supports the use of modern software development techniques such as agile, and leverages guidelines and standards from other organizations.
The SSDF is organized into these four groups:
The OWASP SAMM can be used to assess the current state of secure development using an existing SDLC and to identify improvements that increase the maturity of these practices. It is ideal for organizations with well-established SDLC methodologies and processes and is useful for defining the current state as well as key activities to move to a desired state within the existing SDLC practices.
The SAMM (owaspsamm.org
) consists of domains subdivided into security practices, which are used to measure software security maturity and develop actionable plans to improve the SSDLC capability. The domains and practices include the following:
SAMM provides assessment tools and guidance to improve an organization's security posture and supports the development of secure software and systems.
Mature software development shops utilize an SDLC because it saves money and supports repeatable, quality software development. Studies have been conducted that show that the later in the development phase issues are found, the more expensive it is to fix those issues. Adding security to the SDLC benefits secure software development, because security issues that are discovered after a system is developed can be costly or even impossible to fix. Minimizing the number of flaws that make it into a final system is a more cost-effective approach than trying to mitigate security risks after the system goes live.
While the SSDLC adds some up-front cost to the development of new software applications and the modification of existing applications, identifying security vulnerabilities early will lower overall development costs. The expected return is software solutions that are more secure against attack, reducing the exposure of sensitive business and customer data. Bolting on security after the coding or deployment phases simply increases the cost of that security while limiting its effectiveness.
However, an SSDLC is fully successful only if the integration of security into an organization's existing SDLC is required for all development efforts. Only when secure development is a requirement of a business will security by design occur consistently.
Business requirements capture what the organization needs its information systems to do. Functional requirements can include parameters like supporting up to 1,000 concurrent users logged in, which in turn support business requirements like all users being able to access a system during the workday to perform their assigned duties. In addition to these functional requirements, the organization must also consider security, privacy, and compliance objectives that must be met.
For example, a system that processes healthcare data is likely to have legal and regulatory requirements for protecting data. This will drive system requirements such as encryption of data at rest and in transit, role-based access control to ensure that only authorized users can view information, and data retention schedules and supporting infrastructure such as cloud backups. Requirements are an essential part of all SDLCs, and ensuring that these requirements include security objectives is a key trait of a more mature SSDLC.
There are many models for SDLCs, from linear and sequential approaches, such as waterfall, to interactive and incremental approaches, such as spiral, agile, and most recently DevOps, which increase the speed and frequency of deployment.
There are several primary stages to any SDLC. If these stages incorporate explicit security-focused practices, like documenting security requirements and documenting acceptance criteria for security testing, the organization has created an SDLC that considers security from the very beginning, creating an SSDLC. The generally accepted SDLC stages are as follows:
Each phase of the SDLC can be divided into ever finer phases with associated security activities to make an SSDLC. The steps presented here capture the general flow of most SDLC methodologies. Organizations may choose a predefined methodology, such as the NIST SSDF, or choose to build one customized to their specific operations. At each step, security tasks and practices are an important part of the overall solution. Following these steps leads to a consistent and repeatable process for designing and delivering secure software.
Different SDLC methodologies exist, from traditional models like the waterfall to more modern approaches like Agile and DevOps. The choice of a methodology, similar to the choice of an SSDLC framework, may be dictated by an organization's existing development practices as well as the types of products or services the organization delivers.
The waterfall methodology mimics a stepped waterfall, where the development project moves along once all processes have been completed within each step. Traditional waterfalls are very rigid regarding this—all requirements must be documented before system design begins. A modified waterfall methodology allows for some flexibility if the project needs to step back to an earlier phase. Although waterfall was not initially designed to be iterative, organizations can iterate system development using a waterfall methodology by focusing only on a subset of requirements during each cycle of the development lifecycle.
Waterfall traditionally contains phases for requirements, design, implementation, testing, deployment, and maintenance. The rigor of the waterfall can be a security benefit, as all requirements must be documented before development begins. However, the inflexibility of the model can make it difficult to make changes to the software once development has begun. Iterative and more flexible models, like Agile, have evolved to address the complex and dynamic nature of requirements by facilitating faster and more flexible development.
Agile software development emerged in the early 21st century and focuses on key principles designed to increase the speed and consistency of software delivery. The Agile Manifesto lays out these principles (agilemanifesto.org/principles.html
), which provide organizations with a framework for designing development processes.
Although not a development methodology itself, Agile software development practices aligned with the principles follow similar SDLC phases as discussed previously. Instead of gathering all requirements before development can begin, Agile development can begin on the existing documented requirements. Once the system is delivered, additional requirements are elicited, and the development lifecycle iterates to incorporate new or changed functionality to meet those requirements.
This iterative approach is a great security benefit offered by Agile development. As requirements change, the organization can change a system to meet those with more flexibility. Given the speed of change and evolving cyber threats, this agility can be beneficial to security, as updates to address new vulnerabilities or flaws can be delivered faster. Agile also prioritizes speed and efficiency, with a focus on automation. This offers an excellent opportunity to inject security into the SDLC; as code moves through the development pipeline, automated testing is performed. If the testing includes security tests such as static code analysis, then this automated process can be run repeatedly, providing more frequent security testing.
Because of its iterative nature, Agile focuses on a smaller set of requirements for each development cycle or sprint. With limited developer resources, this can lead to prioritization issues when addressing requirements. High-profile user requirements may be prioritized over security requirements, meaning the system is at increased risk until a future development cycle occurs to address the security requirements.
The SSDLC is a collection of best practices focused on embedding security practices throughout each stage or phase of a standard SDLC, with the goal of ensuring that security is not treated as an afterthought. Applying an SSDLC process requires dedicated effort to identify appropriate security activities at each phase of the SDLC, starting with requirements gathering and continuing through to deployment and maintenance. An SSDLC requires a change of mindset by not only development teams but also the entire organization. A true SSDLC does not treat security as a one time activity performed when a system has been developed.
Identifying security requirements and potential issues or flaws early on in the process can reduce the resources needed to address these flaws. Building a system that meets security requirements is almost always more cost effective than adding security to an already-designed system. For example, ensuring that a system is designed with a database that supports encryption is likely to be less expensive than designing controls like complex monitoring strategy for a system with sensitive data that does not support encryption.
Having an SSDLC is beneficial only if it is implemented and used consistently. The SSDLC should be complemented by traditional security activities, such as penetration tests and internal audit or compliance reviews. The SSDLC shifts security activities away from the security team, which usually lacks direct responsibility for system development. Instead, developers and engineers responsible for designing and building information systems must address security concerns as part of the activities they perform. Additionally, some standards and regulations, such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, and others mandate data security safeguards that must be incorporated in the development process.
Cloud-specific vulnerabilities identified by the CSA Egregious 11 can lead to violations of one of more of the CIA triad requirements of confidentiality, integrity, and availability. Breaches, compromises, or unauthorized exposure of data can lead to legal and regulatory violations. For example, a breach of payment card data can lead to an organization losing its ability to process payment card transactions, which is likely to have a catastrophic effect on revenue. At the least, a well-publicized data breach can lead to a loss of reputation, loss of new business, and market share. Loss of data integrity and availability can have similar consequences.
Risks beyond those discussed by the CSA will exist for specific companies at different levels of security maturity, in various industries, and in different geographic locations. Security practitioners should work to identify the organization-specific requirements that they face, such as specific geographic privacy legislation or industry-specific requirements for the type of data they are processing. Cloud-specific challenges that can cause issues include the easy cross-border transfer of data in cloud environments, as well as the issues associated with the organization losing direct control over their infrastructure when it is provided by a CSP.
Any organization using computing should analyze cloud-specific risks that affect the organization's data and information systems. As discussed in the previous section, the choice of a framework for the SSDLC will be guided by other standards already in use. For a cloud-native organization, the CSA Egregious 11 can be useful when addressing cloud-specific risks in software development. In an organization with a mix of cloud and legacy, on-premises infrastructure, frameworks like the OWASP Top 10 may be more appropriate as they contain less cloud-specific guidance.
While there are many risks present in cloud computing, the CSA Egregious 11 (cloudsecurityalliance.org
) is a good summary of cloud-specific risks. The CSA Top Threats working group has published the Egregious 11 as well as a deep dive that provides additional examples, clarifications, and mitigation options for each of the identified threats. A high-level explanation of each of the 11 is presented here, along with specific examples of flaws or vulnerabilities in cloud applications that highlight these vulnerabilities.
Threat modeling allows security practitioners to identify potential threats and security vulnerabilities and is often used as an input to risk management. When applied to software development, threat modeling can help with prioritizing secure development activities. For example, an Internet-facing application will face different threats than one only used internally by an organization—any attacker in the world can reach the first one, while a much smaller number of users will have access to the second.
There are numerous frameworks for threat modeling, but they all share similar characteristics. As with many aspects of application security, OWASP has a reference page that details how these models can be applied to achieve an SSDLC: owasp.org/www-community/Threat_Modeling
. All threat models allow security teams to identify potential threats and break them down into different elements, which can be used to assess the threat and design mitigations.
The process of conducting threat modeling will vary based on the framework chosen. No single model is appropriate for all organizations, as the business processes, geographic locations, and risks faced will vary based on the organization's unique circumstances. When designing a threat modeling program, it is important to choose a model that aligns to the organization's specific operations. For example, the PASTA model can be applied to organizations with blended computer- and human-based information processing, while STRIDE includes elements that are more applicable to electronic information systems. Once a model has been chosen, a security practitioner should seek out adequate training, reference material, or consulting applicable to the specific model to ensure that it is properly applied.
The STRIDE name is a mnemonic for the categories of threats it identifies and was originally developed by Microsoft to identify and classify security threats against software. The categories are as follows:
The DREAD model provides a quantitative threat assessment to assist with prioritizing remediation based on the numeric value associated with each threat. Once threats have been identified, the DREAD mnemonic provides a series of questions to ask that help rank the threat.
PASTA is an acronym for Process for Attack Simulation and Threat Analysis, and it presents a set of seven steps for performing risk-based threat analysis. PASTA focuses on integrating security and business objectives when performing threat modeling and provides security teams with a way to leverage some existing work such as business impact analysis (BIA). The following are the steps of the PASTA methodology:
ATASM is an acronym for a series of process steps to perform threat modeling, rather than a threat model itself. As such, it can be used in combination with a threat model like STRIDE, DREAD, or PASTA when analyzing threats, and it provides a framework for developing or maturing the process of threat modeling inside the organization. The steps that make up ATASM include the following:
The ATASM framework was developed by security professional Brook Schoenfield, who has blogged about the framework, applications to system and cloud application security, and other topics. Additional details about ATASM can be found here: brookschoenfield.com/?page_id=341
.
Common cloud vulnerabilities are well-known and documented in lists like the OWASP Top 10 and CSA Egregious 11. Avoiding them can be achieved in several ways. Like all risk mitigations, a layered approach combining multiple types of controls is a best practice. These controls include the following:
The practice of designing systems and software to avoid security risks is a proactive risk mitigation step. As in many areas of security, there are standards and organizations designed to mature these practices, such as OWASP. Since these security practices are designed by external parties, they may not be a guaranteed fit for an individual organization, but by tailoring the practices identified in one of these standards, any organization can build a secure coding capability.
The OWASP project contains a wide variety of secure coding resources, including a series known as “Cheat Sheets” that are targeted to developers and engineers: cheatsheetseries.owasp.org
. These provide quick, targeted guidance for specific security practices related to development and span topics like access control, HTML security, and cloud-specific topics like container and API security.
There are also technology-agnostic quick-reference guides that provide guidance on topics like building and implementing secure development. This includes a Secure Coding Practices reference with 13 practices that organizations need to achieve for secure coding, such as addressing input validation, cryptographic practices, and database security.
OWASP publishes an Application Security Verification Standard (ASVS), which is useful for testing activities related to secure coding. The ASVS contains guidance for performing tests of application security, as well as categories of control objectives. It is frequently used by security testers as a way to categorize their findings; e.g., a lack of SSDLC documentation is a security failure of Control Objective 1, Architecture, Design, and Threat Modeling.
The ASVS contains 14 of these control objectives, which cover topics ranging from development processes to system configuration and handling of user-supplied data. The standard and supporting materials are available on the OWASP website: owasp.org/www-project-application-security-verification-standard
.
SAFECode is an industry forum devoted to software security and includes organization partners like Adobe, Microsoft, VMware, and Veracode. Its purpose is to facilitate sharing best practices and lessons learned with a goal of publishing information that any organization can use to improve secure software development. This includes providing information on processes and practices needed to achieve secure software development.
Organizations can take advantage of a number of different resources published by SAFECode. These range from secure development practices like building a DevSecOps function and hardware-based security tools to the tools and resources needed to build a secure development culture as well as a software security program.
Like other standards, the SAFECode resources are designed to be broadly applicable, so organizations should identify standards that are relevant to their businesses and then apply tailoring to modify the standard guidance to apply specifically to the organization's unique activities and development practices. The full list of resources can be found at safecode.org
.
The purpose of software configuration management (SCM) and versioning is to manage software assets, and it focuses on maintaining the integrity of critical information system components. A loss of integrity could result in unexpected or unwanted system behavior, such as an access control module failing to adequately restrict access, which could in turn lead to a loss of data confidentiality if unauthorized users gain access to sensitive data. This practice can be challenging as software is almost always developed by teams, whose members may be geographically dispersed and work asynchronously. Multiple people may be making changes to both the config and source code files. Properly managing all of this is essential to ensure that changes are current and accurate, and the final software product contains the correct versions of all source code.
Properly managed SCM can make rolling back changes possible, so if a loss of integrity does occur, it is possible to restore the system to a known good state. Versioning can also maintain copies of the configuration and software for deployment to different machines and operating system versions, which can be useful in a disaster scenario if manual recovery is needed. Version control can also be a critical element of a compliance program, as system configurations may be unique to meet various customer, geographic, or regulatory framework requirements.
A key role of SCM occurs at deployment and during O&M release management for system updates and patches. Without formal SCM tools and processes, it is possible for incorrect software versions to be released. This can be a costly error, exposing the organization to reputational, operational, regulatory, and contractual issues.
SCM also allows for configuration audits and reviews by providing the artifacts necessary to verify whether processes are being followed. Compliance with requirements may be related to an organization's policies, regulatory requirements, or contractual obligations. The evidence generated during SCM processes, such as version checking before deployment and well-documented rollback plans, supports the ability to quickly and accurately perform audits.
SCM and versioning should be common practices in all software development environments and can be implemented along with other configuration management processes and tools like a configuration management database (CMDB). It may be possible to federate the CMDB with both on-premises and cloud-based solutions, which enables tracking of SCM regardless of where the software is deployed. Organizations that are cloud-native may not require a federated CMDB if their entire infrastructure is in the cloud.
Similar to SSDLC choices, each organization will need to decide how to implement configuration management. It is as important to perform configuration management on premise as it is for software development in the cloud, and each organization's mix of on-premises and cloud infrastructure will be different. In general, the SCM program must support versioning, provide assurance that the correct versions of various software modules are being deployed during a release, and allow for auditing of the entire lifecycle to support the implementation of an SSDLC.
Software assurance defines the level to which software is free from vulnerabilities and operates as intended. This assurance is a level of confidence and not an absolute measurement, as the absence of errors cannot be proven. We can also test how well the application or software meets the defined requirements. Regardless, there is always a possibility that a software solution will exhibit unintended behaviors as well, so methods like an SSDLC are useful. They help organizations with a number of tasks related to producing quality software, such as designing security into the software solution from the beginning and testing to ensure that security goals are met, the software functions as designed, and the system is capable of meeting the defined requirements.
There are multiple types of testing designed to determine if various aspects of the software fulfill requirements. There are also different approaches to testing, which can be used at various phases of the SSDLC or to test specific aspects of a system, like how new changes impact existing functionality. Some aspects of testing are unlikely to involve security teams, but security-specific testing is an area where security practitioners will need to work closely with development teams. It is also important to remember that even if all tests pass, the result is only a confidence level as to the security of the software system—new vulnerabilities or flaws are always possible, so other controls like ongoing security monitoring are necessary to further reduce these risks.
Functional testing is used to test that the functional specifications of the system, linked to system requirements, are met. The execution of a robust set of test cases, linked to functional requirements, will create a level of confidence that the software operates as intended.
There are many ways to test software, but there are some well-defined categories of testing that are defined by the goal of the tests performed. The primary categories of testing that lead up to functional testing are unit testing, integration testing, and usability testing.
As the modules are tested and then are integrated (and tested) and the user's feedback is obtained and incorporated into the system, we get to the point where we are ready to perform functional testing on the entire system. When conducting functional testing, there are important considerations that include the following:
Once the system passes functional testing, it is ready to follow a QA process to deploy the system. Once deployed, enhancements and bugs will lead to further development, which should follow the organization's SSDLC processes. This leads to another form of testing, which is regression testing.
Regression testing is done during the maintenance phase of software development to ensure that modifications to the software application (for example, to fix bugs or enhance the software) do not reduce current functionality, add new vulnerabilities, or reintroduce previous bugs and vulnerabilities that have been fixed.
By contrast, non-functional testing covers aspects of the system that are not directly related to the system's primary functions. For example, an online shopping application would undergo functional testing for features like user search, shopping cart management, and purchasing, since these are the main functions of a shopping app.
Non-functional requirements for the system might include support for encrypted connections, so users can safely share payment card information. This would be part of a system's security testing. The ability of the system to handle anticipated traffic volume is also important and is often done as part of load or capacity testing. Other non-functional testing can include compatibility testing across different platforms, as well as documentation testing to ensure that system documentation is properly updated when new functions or modules are released.
Testing is the way we obtain the confidence or assurance that our software is free of vulnerabilities and functions as required and designed. Testing allows for quality assurance. Adequate testing is important. This requires that adequate time be allocated to conduct testing to find, fix, and test again in an iterative process. In addition, automated testing tools can improve the efficiency and completeness of testing. In a continuous integration/continuous deployment (CI/CD) environment, automated testing becomes a required feature.
Security testing is conducted to provide assurance that the organization's security strategy and architecture are followed and that all security requirements have been met. There are various methodologies for conducting software testing, and the approach will depend on several factors. The type of applications used by an organization will be one factor, as analyzing source code for entirely COTS-based software is likely impossible. Similarly, an organization utilizing only software as a service (SaaS) will be restricted from performing certain types of tests by the CSP, as the testing activity could disrupt other customers of the SaaS platform.
Testing is usually one of three types. The key difference between them is the amount of knowledge available to the tester, which can be used to simulate different threat types. For example, a complete outsider is unlikely to have access to source code for a custom-built application, but a developer employed by the organization would have such access. The types of testing are as follows:
There are common tests used in security testing. These happen at different stages of the development process and perform testing on different targets. Application testing methods include the following:
Another tool often discussed with SAST, DAST, and IAST is Runtime Application Self-Protection (RASP). RASP is less a test and more of a security tool but is often integrated with IAST tools. RASP runs on a server and works whenever the application is running. RASP intercepts all calls to and from the application and validates all data requests. The application can be wrapped in RASP, which provides autonomous capabilities to respond to unusual application behavior. If the RASP agent detects suspicious activity, it can take actions like terminating an offending user's session or shutting down the application. In a layered defense, this is an additional layer and should not replace secure development and testing.
Security testing provides assurance that the software has been developed securely. While SAST and DAST may have their place, if you could use only one security testing tool, IAST would be the best choice. Many evolving cloud-based computing options, such as microservices and serverless architectures, face testing-related challenges. If there is no traditional server on which to install an agent, performing some security tests is impossible. In these cases, compensating controls must be deployed, such as a web application firewall (WAF) that can intercept and block suspicious requests to the application.
Code review is a form of testing that can be useful before software is finished and ready for more robust, automated testing tools. Code peer reviews are performed by peer developers who read through the code looking for mistakes, like asking another writer to proofread an essay. Some automation is built into developer tools as well to spot common mistakes, similar to spell-check functions in a word processor. As the developer writes code, incorrectly used functions, missing punctuation marks, and the like are highlighted for the developer's awareness. Depending on the programming language and development tools, these automated reviews may even be able to highlight security issues, such as the use of insecure or deprecated functions, API calls, etc., and suggest more secure or up-to-date options.
Code reviews may be performed at various stages of the development process but are best used when the code to be reviewed is of manageable size. Peer reviews are often performed when a developer finishes their assigned work and the trigger for review can be automated by the tools in the CI/CD pipeline. When Kathy checks in her code, the ticket she is working on progresses to Raj for review. If the code contains errors, the ticket is reassigned to Kathy with notes for correcting the issues; otherwise, the code progresses to the next step of the pipeline.
Manual testing refers to any type of testing that is not performed by an automated platform. This can include both security and nonsecurity testing. Performing tests manually is typically more expensive than automated testing, but it also has advantages. An automated tool might identify an individual module that does not properly implement user authentication, but if the system relies on a single sign-on (SSO), then this missing functionality may not be an actual security risk. Manual testing can also help overcome limitations of automated platforms, such as deviating from programmed workflows to test application functionality in unique circumstances.
While more expensive, manual testing can be a vital part of both application security and application quality assurance. As with other tools, the costs must be balanced against the benefits offered. In most cases, a combination of automated and manual testing allows the organization to get the benefits of each, such as performing manual penetration testing once a year along with automated vulnerability scanning weekly to identify known vulnerabilities.
Modern software relies on a number of components to function, many of which come from open source software (OSS) projects. One of the OWASP Top 10 items deals with software components that have known vulnerabilities—known as dependencies, these components can introduce vulnerabilities into the finished application.
Software Composition Analysis (SCA) aims to provide visibility into software dependency risk. SCA tools identify all dependencies in the application and provide an inventory. Most offer some additional capabilities, such as identifying out-of-date dependencies or those with known vulnerabilities. Manual investigation may be required to determine if a dependency vulnerability translates to a vulnerability in a finished application.
For example, if an online transaction module accidentally exposes credit card numbers, most organizations would hurry to apply updates. However, if an organization is only using the module to collect customer shipping information and not credit cards, then the vulnerability has no impact on that organization.
An emerging concept in the field of tracking software dependencies is known as the software bill of materials (SBOM). As the name implies, this is a bill of materials that lists all the components in a finished software product. There are standard formats for exchanging this data, some of which include the ability to include authenticity information such as a digital signature. For systems with high integrity requirements, this allows for verification that the software has not been maliciously altered. More information on SBOM can be found here: cisa.gov/sbom
.
In a traditional development process, quality assurance (QA) was the testing phase. Separate from the development team, QA was the check before deployment that ensured that requirements were met and that the code was bug-free. QA was also part of the configuration management process, testing patches prior to deployment. In many organizations, that remains the role of QA.
The role of QA is significantly expanded in a DevOps or DevSecOps team, where QA is part of the process and is embedded throughout the development process. QA at this point isn't about the application service developed. Instead, QA is centered on service delivery of the software development function. QA occurs at each phase, ensuring continuous improvement and quality tracking. Testing is tied to both functional and security requirements developed in the requirements phase and specified by the security architecture and strategy. Because of the speed of modern DevOps, automated testing is heavily used, providing more frequent but potentially limited security testing capabilities.
For QA to be effective, further functional and requirements testing should be performed. QA should be involved in load testing, performance testing, stress testing, and vulnerability management. They may be a key part of tracking any identified security flaws from testing activities like SAST, DAST, or penetration testing.
In some DevOps environments, it is the QA team that pushes out the code once testing is completed. That team is responsible for ensuring that the code delivered to the customer through the cloud environment is quality code, defect-free, and secure. The QA team then takes a pivotal role in developing and delivering secure software and systems and is the final gate in the process of developing and delivering software.
Use cases are designed to test whether a system meets a defined requirement; e.g., a user logs in and must provide a username, password, and MFA code to gain access. Abuse cases are used to test the opposite of expected behavior. For example, what if a user put a SQL statement into the “password” field instead of their legitimate password? Would the application reject the input, maintaining security, or would it execute the SQL query and potentially lose confidentiality, integrity, or availability?
Abuse cases, sometimes known as misuse cases, are a key part of penetration testing and application security testing. Legitimate users may only perform functions in the expected manner, but attackers are unlikely to follow rules, since their objective is to circumvent those rules. Abuse case testing helps determine whether an application maintains security and responds correctly to unexpected inputs, behaviors, or attack attempts.
The only type of software that a security-conscious organization should use is software that has been verified as secure. Verification generally comes from a third party that will perform testing on software and validate that it has no discernable vulnerabilities. When there are no verified secure options, a customer must do their own due diligence to ensure security. In this section, we will discuss some major components of secure software.
APIs provide a standardized way to access features or capabilities that a system offers. Unlike the user interface, which is accessed by an end user, APIs are typically accessed by other systems, some of which may be requesting data on behalf of an end user. These functions are exposed as endpoints, and many modern APIs are web-based and use standard HTTPs to communicate. Their modularity makes them popular in modern web and cloud applications, so securing them is important as they are likely to handle critical data.
API development and deployment in custom applications requires the same SSDLC as other software development projects. API functionality should be well documented in requirements, including security requirements such as supporting encryption. The requirements should also specify the methods used in the API to monitor access. API access monitoring is often done through authentication or keys. If not securely developed, a custom API can be vulnerable, leading to the compromise of the system it fronts. Deployment should focus on API configuration and automate the monitoring of that configuration.
APIs can control access to software or application services in a SaaS solution, to back-end services in a PaaS solution, or even to computing, storage, and other infrastructure components in an IaaS solution. For each of these, an approved API is important to ensure security to the system components with which we are interacting. In addition, when possible, enforcing the use of APIs to create a minimum number of methods for accessing an application service simplifies monitoring and protection of these application services.
A CSP or other vendor will provide an API or services that allow the use of an API. It is important to use the APIs as defined and to configure them carefully. An organization can develop approved configurations for APIs used commonly within that customer's organization, and policy can enforce the use of those standard configurations. Just as with cloud solutions, there is often shared responsibility for the security of APIs, so part of an SSDLC should include testing the configuration of any dependency applications and verifying the system configuration properly enforces API security.
In addition, vulnerability scanning of APIs can test the adherence to standards and can provide assurance that known vulnerabilities do not exist. It is impossible of course to ensure that unknown vulnerabilities such as zero-day vulnerabilities do not exist, so API testing should be supplemented with logging and monitoring to detect these threats.
There are two parts to supply chain risk management. First, it can refer to the needs of a CSP and potentially the customer to use third parties to provide services. For example, the CSP may rely on other vendors to provide services used by their customers. Management of this supply chain is a form of vendor risk management. When creating relationships with these vendors, both operational and security concerns should be addressed.
Additionally, traditional supply chain management is moving increasingly to the cloud. As the life of many organizations is tightly coupled with their supply chain management, the risks of cloud computing are important to consider. However, as the supply chain becomes increasingly global and sourcing of goods requires primary and secondary sources, cloud computing increases the reach and benefit of supply chain management. Cloud computing can optimize infrastructure to provide operational and financial benefits.
In recent years, supply chain risk has become an increasingly common theme. An earthquake in one country will affect the availability of a resource in another. Large-scale cyberattacks like the SolarWinds hack can impact critical infrastructure. A global pandemic leads to shortages worldwide. Even a simple problem, like a ship blocking the Suez Canal, can interrupt the global supply in unexpected ways.
One crucial part of supply chain risk management is assessing risk, which is similar to performing internal security risk assessments. Vendors may be assessed directly, where the organization performs a direct audit or assessment of the vendor's security posture. This is often done by sending the supplier a questionnaire, and several cloud-based SaaS providers exist to facilitate this information-gathering process.
Organizations with hundreds or thousands of customers may be incapable of supporting that volume of work. A third-party audit report is one solution. The audit report can be shared with customers as a method of assuring the security of data and systems that the organization provides. Common audits for this type of assurance include the Service Organization Controls (SOC) 2, Type II report, as well as ISO 27001 certifications.
The use of third-party software adds additional risk. A third party may have limited access to your systems but will often have direct access to some portion of your data. If this is sensitive data, a careful review is necessary and should involve the vendor management office (VMO) if your organization has one. Specific language regarding security should be part of every vendor contract.
The typical issues that are addressed include the following:
In addition to basic security questions, a review of the third-party SOC-2 report, recent vulnerability scans and penetration tests, and security and privacy policies will provide an assessment of the security maturity of the organization and whether you should entrust them with your sensitive data. While you may delegate some processes, you cannot delegate responsibility for your data.
Licensing is another risk present to an organization using third party-supplied software. Software is typically licensed for use, and the terms of the license specify how the organization may utilize the software. One example is how many users can use the software. Some licenses apply to a “site,” which is often the entire organization; all users at the “site” can use the software. Other licenses are based on the number of users, such as one license per user or bands like 100–500 users.
Licenses may also specify how software may be used. Some software can be freely used and integrated into other software products, but some free and open-source software (FOSS) licenses prohibit the use of free tools in any for-profit system. License management may be integrated with the organization's SCA process to ensure that any software dependencies are being used in accordance with their license terms.
All software, including open-source software (OSS), must be validated in a business environment. Some argue that open-source software is more secure because the source code is available to review, and many eyes are upon it. However, large and complex solutions are not simple to review, and the way OSS is integrated into any new application can introduce new vulnerabilities. Adequate validation testing is required and may be achieved through sandbox testing, vulnerability scans, and third-party verification.
While it is true that more eyes on a problem can result in better security outcomes, the transparent nature of OSS code is not an absolute guarantee of security. Well-known OSS projects like OpenSSL and Apache have contained serious vulnerabilities, and any systems that depended on these projects were impacted by the vulnerabilities. OSS must follow the same risk-based steps of verification that commercial software undergoes.
When using OSS, there are steps you can take to validate this resource. The easiest method is to use well-known and well-supported products in the OSS space. For example, there are many versions of Linux available for use, but not all versions are equal. A well-supported version with a proven track record is preferable to a less known and less supported version.
One method for validation that can be used would be to perform code analysis on the open-source code. The advantage of OSS is that the code is available, so SAST tools can be used to find security vulnerabilities in the code. Since not all vulnerabilities are tied to code flaws, IAST can be used in conjunction with SAST to identify other issues like system misconfiguration. An agent runs on the application server and analyzes traffic and execution flow to provide real-time detection of security issues.
These methods can also be utilized together. You can use a well-known and well-supported OSS, perform SAST to reveal initial vulnerabilities, and then implement IAST for real-time detection of additional security issues.
One element of SBOM is the ability to verify the integrity of software dependencies incorporated into a final system. This may be useful in deploying secure systems, as it provides assurance that the dependencies deployed in a system match the authentic copies distributed by the authors. A security breach in any part of the software supply chain can cause vulnerabilities in applications, so validating that authentic OSS modules are incorporated into an application is important.
The traditional application architecture is a three-tier client-server module. In cloud computing, we have some additional choices. These include microservices, serverless, cloud-native, and cloud-based architectures.
The microservice application designs a complex architecture as a collection of services and data. This follows an old software engineering principle of cohesion. Each microservice performs a single business function. Each microservice uses the appropriate language and tools for development and can be combined as needed to provide a complex system. Microservices application architectures are a natural for containers running on virtual machines or physical machines, so they are well suited to the cloud. Container management is managed through services like Kubernetes (K8s) or Docker.
A cloud-native architecture is for applications deploying to the cloud. The applications exploit the cloud computing delivery model and can be run in any type of cloud (public, private, community, or hybrid) and allow organizations to focus on specialized development tasks rather than generalized IT management. A cloud-native architecture can deploy in a DevOps and a CI/CD process and can use microservices and containers.
Serverless environments use an event-driven architecture. Events trigger and communicate between decoupled services. Unlike traditional environments that remain running even when no processing is happening, serverless computing activates only the needed functions when they are triggered. This can present a security challenge, since a nonrunning service cannot be monitored. Because they are serverless, these architectures scale well using a REpresentational State Transfer (REST) API or event triggers. Security controls discussed in this section, such as an API gateway, can be used to perform security monitoring of the system activity.
Cloud-based architectures are well suited to building and deploying web applications. Using an API Gateway, a secure API is a front door to web applications that provide access to data and business logic. These may be utilized by other systems for communicating or can be used in other user-facing applications to provide access to data and functions across different systems.
Considering these cloud architectures, there are a number of tools and services that can support the security needs of both new software solutions and legacy devices. These services provide enhanced security and deal directly with common security issues. They are key ways to implement security protections for common risks, such as encryption services that protect data at rest or in motion to ensure the confidentiality of the data or network security services that provide traffic monitoring and alerting.
Supplemental security components provide service to your cloud environment, and most are designed to solve specific security concerns. For example, database monitoring works to ensure the integrity of databases by blocking malicious transactions, while XML firewalls support application services by analyzing XML messages. Organizations must have an accurate inventory of cloud functions or features in use and select these supplemental components based on the security risk analysis for each.
A web application firewall (WAF) protects HTTP/HTTPS applications from common attacks. A WAF can protect any web application, whether deployed to users over the Internet or accessed internally on an intranet. The WAF can be a physical hardware device, a software device, or a virtualized device suitable for deployment in a cloud network. Some cloud service offerings incorporate a WAF in their service offerings, which can simplify configuration as applications deployed to that cloud can also configure their own WAF rules as part of deployment.
A WAF monitors HTTP requests, such as GET and POST, and compares them to predefined rules that describe normal, allowable system functions. A WAF may look for specific signatures or apply heuristics. By filtering HTTP/HTTPS traffic, a WAF helps protect against SQL injection, cross-site scripting (XSS), cross-site forgery, and other attacks. The WAF specifically addresses attacks on application services and external sources.
The WAF differs from an intrusion detection system (IDS), which monitors specific traffic patterns on a network. A WAF works at the application level and focuses on specific web application traffic and is often employed as a proxy, with one or more websites or web applications protected behind the WAF.
Database activity monitoring (DAM) refers to a set of tools that supports the identification and reporting of fraudulent or suspicious behavior in a database. Applications and users typically follow routine patterns when accessing a database, such as accessing one record at a time. Unusual or unexpected requests can be detected and generate an alert for investigation, or the DAM may even block suspicious transactions to prevent an attack. As with any automated system, false positives can occur, so ensuring that the DAM is properly tuned and does not interfere with normal system operations is important.
The real-time monitoring may use, but is independent of, native DBMS auditing and logging tools. DAM analyzes and reports on suspicious activity and alerts on anomalies, and database audit logs provide information needed to detect such anomalies. In addition to monitoring applications and protecting from web attacks, DAM also provides privileged user monitoring. DAM tools can be deployed inline to monitor traffic like a WAF or IDS and may be used as a tool for detecting operational issues by generating alerts when services are disrupted.
Like other services, there are third-party vendors that provide DAM services, and CSPs provide services that are configured for their database offerings. These monitor database usage, privileged or administrative use, data discovery, data classification, and other database needs. Some DAM toolsets also provide assistance in compliance to contractual and regulatory requirements such as PCI DSS, HIPAA, and GDPR, by monitoring and controlling access to the regulated data.
Like all services provided by third parties and CSPs, the tools change over time, adding breadth and functionality. As with other tools, not all DAM solutions will provide optimum support for cloud-based architectures. Similarly, cloud-native DAM solutions may not offer any support for on-premises applications, so it is important to properly document the use case and select a tool that offers appropriate coverage.
While beneficial for application integration, security is a concern when deploying Extensible Markup Language (XML) services. XML provides a standard way to exchange data between applications and provide context. XML tags define what each data element is, and a schema is used to define what data elements are supported by the system.
XML firewalls work at the application layer to protect XML-based applications and APIs over HTTP, HTTPS, and other messaging protocols. XML messaging and APIs between these services are an area of security concern, and XML-based vulnerabilities have appeared in the OWASP Top 10 in the past. An XML firewall can solve this problem, by monitoring all requests made. As an XML firewall must inspect traffic, they are generally implemented as proxies and stand in front of the web application or API server. An XML firewall can implement complex security rules and may perform its scanning when XML requests are translated from the sending system to the receiving system utilizing Extensible Stylesheet Language Transformations (XSLT).
A number of common web-based attacks can be launched through XML. These attacks include SQL injection and cross-site scripting (XSS). This is done through misuse of input fields and can be prevented through data validation and verification on input fields and schema verification. The use of an XML firewall can support the security needs of an application but should not be a substitute for developing secure software and systems. Instead, it should be an added level of protection. An XML firewall can benefit legacy code that was not designed with security. This becomes a compensating control until the development and deployment of a secure system. By dropping inappropriate traffic, it can also decrease the likelihood of DoS attacks.
An API gateway monitors traffic to your application backend services, which are exposed as API endpoints. The services provided by an API gateway include rate limiting, access logging, and authorization enforcement. For secure computing, there should be limited doors into your application service. For example, some SaaS providers provide an API to access your account from your PC, Apple device, or Android device. These gateways control the way a user accesses and interacts with the SaaS solution, and they allow securing and monitoring traffic to the SaaS tool. API gateways provide authentication and key validation services that control who may access the service, enforcing confidentiality and integrity of data.
Amazon Web Services (AWS) provides this service through Amazon API Gateway. AWS provides both RESTful for serverless computing and WebSocket APIs for real-time communication. Google Cloud provides an API gateway for REST APIs to provide serverless computing and a consistent and scalable interface, while Azure API management provides a REST-based API for legacy systems. Essentially, all CSPs provide an API to allow the customer to monitor and control access to data and services to their workforce, partners, and customers in a way that provides a layer of protection and access control.
There are numerous commercial WAF solutions in addition to the CSP offerings, and it is common to find WAF bundled with other solutions or services. For example, network proxy providers like Cloudflare and Akamai provide an API gateway, since their proxy solutions provide an ideal chokepoint for implementing security monitoring. Organizations with a multi-cloud strategy or mix of different SaaS providers should investigate whether distributed WAFs or a single WAF support their risk mitigation needs.
Cryptography is a key technology for protecting sensitive data in the cloud. Encryption is the first line of defense for data confidentiality and provides a method of access control data crucial in cloud environments. Encryption requires the use of keys, and only users or systems with keys can read data. In the cloud, where physical control over IT infrastructure is given up, this allows users of cloud services to prevent other cloud tenants or the CSP from accessing their data.
There are three primary data states where encryption can be implemented: data at rest, data in motion, and key management.
Encryption for data at rest is a standard practice for all sensitive information. Many CSP services offer encrypted storage as a standard option. Some CSPs provide APIs that allow encryption to be added to any CSP service or customer application, and CSPs generally provide encryption options for their storage and database services. Some of these offerings utilize a CSP-managed key, but for high-security applications a user-generated and controlled key is needed.
Data-in-motion encryption is accomplished in standard ways including TLS, HTTPS, and VPNs. The ability to work with standard secure data transmission methods is supported across major CSPs and software like operating systems and web browsers. For securing data in transit between CSP data centers, the larger CSPs can accommodate data transfer without ever transiting the public Internet. However, this promise of not transiting the Internet does not necessarily mean that data is transiting a trusted network. Even when staying off the Internet, encrypted data transmission should be expected and may require proper configuration under the shared responsibility model.
Since encryption relies on keys, the generation, management, and secure sharing of those keys is a crucial practice. The major CSPs all provide key management services (KMS) as do some third-party vendors. Organizations must make a risk-based decision regarding a KMS. Solutions exist to allow the CSP to manage the keys, but for sensitive data it is preferable that the customer use their own KMS to improve key security. This can be achieved using an on-premises KMS solution, or utilizing a cloud-based KMS that is under the control of the customer and can be integrated with the CSP's solution, typically leveraging an API. This provides a separation of duties between the service managing the encrypted data and the service managing encryption keys.
A sandbox is an environment with restricted connectivity and restricted functionality. Sandboxes provide security benefits by isolating potentially dangerous workloads, such as development environments, malware research, or untrusted applications. Cloud computing offers relatively simple sandboxing functionality, as new virtual instances can be created and isolated from all other services.
Sandboxes can be crucial in the SSDLC, by allowing developers to perform needed activities that might damage systems or data if done in a production environment. Code testing also benefits from an isolated environment like a sandbox. Any problems generated, such as a vulnerability that leads to a denial of service, will not impact anything outside the sandbox. This is also a suitable environment for developers new to cloud application development to try or test services provided by cloud providers without interfering with data integrity or confidentiality in the production application. This is a safe way to learn about and test cloud tools and services.
Sandboxes provide an environment for evaluating the security of code without impacting other systems. For example, many email security solutions open attachments in a virtual sandbox environment to perform security checks and scans. If the attachment is malicious, the sandbox contains the damage, but if it is benign, the user is allowed to open the attachment locally. Sandboxes can also be used for security testing activities like malware analysis or system security tests that could be harmful if performed in a live production environment.
Sandboxing is a common application security approach. Most desktop and mobile operating systems implement sandboxing for local applications, and many cloud-native architectures implement the concept as part of virtual machine (VM) isolation. When a new VM instance is created, it is isolated from communicating with anything else unless explicitly authorized, and network sandboxes can be created with virtual private clouds (VPCs), which isolate resources created inside them from other resources in the CSP.
Virtualization of infrastructure is an essential core technology for cloud computing, and there are several approaches to application orchestration and virtualization. One approach is microservices, which are small and independent services that communicate to share and handle data. Communication is typically API-based, and the microservices are specialized to perform a limited set of functions.
An application that is broken down into microservices is not truly virtualized, but deploying the various microservices needed requires coordination and orchestration. The microservices that make up an application can be updated independently, but orchestrating those updates is critical to ensure that needed functionality is not broken or removed.
Application virtualization through containers allows an application to be packaged with all dependencies together and deployed on any system that supports the container technology used. This makes applications more portable since they are not specifically tied to the underlying system architecture and may be useful for implementing a multi-cloud strategy.
Containers provide a method for implementing security control, since they can be subject to strict configuration management and patch management and offer an automated and repeatable build process.
Container technology and orchestration typically require a combination of tools. Docker is one popular containerization platform, while Kubernetes is a popular orchestration platform. The orchestration tool provides the ability to manage container resources, manage configurations, and monitor the configuration of containers to ensure that they align with organization policies.
Containers do not come without a cost. The containerization technology used must be properly configured, and as a software system it is important to ensure that it is properly patched. If the technology is compromised, so is the container; while the container platform provides a single point of implementing security controls, it can also be a single point of failure if a vulnerability exists. Any orchestration software must also be configured and patched.
Separate from container orchestration, cloud orchestration allows a customer to manage their cloud resources centrally in an efficient and cost-effective manner. This is especially important in a multi-cloud environment. Management of the complexity of corporate cloud needs will only increase as more computing workloads move to the cloud. Cloud orchestration allows the automation of workflows and management of accounts and the deployment of cloud applications, containerized applications, and services in a way that manages cost and enforces corporate policy in the cloud. The major CSPs offer orchestration tools that work within their cloud environment, and third-party tools can be used for orchestrating complex, multi-cloud workloads.
Applications can be “containerized” as well, and this is often implemented as part of mobile device management (MDM). In this case, the container creates an isolated environment on a user's device where the application can run and over which the organization has control. This is often used for segregating organizational data from user data in a bring-your-own-device (BYOD) environment. The container can be configured to follow specific access controls like using a VPN, restrict transfer of data to nonapproved apps, and even provide the organization with remote data wiping capabilities for lost or stolen devices.
Identity and access management (IAM) solutions encompass a range of processes and tools designed for controlling access. IAM begins with the provisioning of users, including the creation of credentials like a username and password, as well as authorizing systems and data access for the newly created user. IAM solutions also support the ongoing maintenance of access, such as adding and deleting access when a user changes roles or auditing access granted to users to ensure that it follows principles of least privilege and minimum necessary access. Users who no longer require access, due to either a role change or leaving the organization, should have their access deprovisioned, which is another critical function of an IAM solution.
IAM solutions also perform identification and authentication functions for users and accounts, which is crucial to controlling access to systems. Once a user has asserted their identity and been authenticated, the IAM solution may also provide information about that user's authorization. Authorization determines which resources an authenticated user can access, and depending on the access controls, authorization decisions may be handled by the IAM or by the system the user is accessing. Access controls may be role-based or attribute-based, and the choice will be defined by what type of access is needed and what capabilities the IAM solution provides. Since passwords are commonly used as an authentication mechanism, some IAM solutions offer password management as part of the feature set.
There are a variety of options for cloud-based IAM. This section will discuss the methods of authentication available and the security issues that exist with each of these. In addition to these tools, a variety of protocols exist to facilitate IAM functions, including OAuth2, Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP), etc. Some protocols are more appropriate for specific types of applications and environments. For example, OAuth2 was developed to provide authorization with web applications and mobile devices, while SAML is an XML-based authentication service well-suited for authentication across systems. Both are appropriate for complex, distributed applications like cloud computing, whereas LDAP is designed to work well with directory services, like Active Directory (AD), which are typically associated with legacy or on-premises environments. Which protocol is used varies by authentication provider and use and is a choice determined by each organization.
Federated identity, sometimes known as federated identity management (FIM), is related to single sign-on (SSO). In a federated identity setup, a particular digital ID allows access across multiple systems—the various systems that rely on the digital ID provider are federated with that provider. In a FIM system, a user has a single digital ID and authentication credentials, which grant access to applications across both cloud and on-premises resources.
Federation allows SSO for systems across multiple organizations and is often used for sharing resources with partners or other organizations. These may be subsidiaries of the same company, multiple CSPs, cloud vendors, or multiple organizations.
Although it provides benefits, there are security risks to FIM. The primary issue is that once someone compromises a digital ID in a federated system, the ID is compromised on all systems that are federated. This makes the security of the IAM itself a critical concern, and typical controls include increased access control to the IAM itself, as well as robust monitoring for malicious use. Although a compromised FIM account can be a serious security risk, the ease of revoking access across federated systems is a security benefit. Instead of disabling access to multiple systems, security responders can simply disable an account in the FIM tool, cutting off an attacker's access across all federated systems.
Other drawbacks to identity federation are similar to SSO. The level of trust between systems owned by multiple organizations may not be the same as between systems of a single organization. Just as with any other system interconnection, the organization must assess the risk of federating identity management with another organization’s systems. Additionally, no organization controls the system protection across all organizations or the evaluation of all users in each organization, which can lead weak access controls in one organization to impact others.
An identity provider (IdP) can be a CSP service or a service acquired from a third party. Many identity as a service (IDaaS) providers exist, and in a multi-cloud environment these may be the best choice since they are platform agnostic and designed for easy integration across different CSPs. Identity providers do not replace other cloud security tools, such as a Cloud Access Security Broker (CASB), but work together to provide a layered security defense based on user, system, and account identity management. The IdP is a key part of the IAM solution, ensuring that users are identified and authenticated. Authorization and monitoring of access may be provided by other tools like a CASB or application-specific audit logging and a log analysis tool.
The major CSPs provide IAM services, including Azure Active Directory (Azure AD), AWS Identity and Access Management, and Google Cloud Identity and Access Management. There are also many third-party choices for identity management. Each organization should evaluate its cloud strategy and choose an IdP to match it. For example, an organization that is cloud native with multiple SaaS providers will likely benefit from an IDaaS solution, while an organization with on-premises Microsoft infrastructure and Azure-based cloud resources might find Azure AD to be the best tool, since it is well-designed for the existing infrastructure. As with all security tools, the choice of an IdP should be done with business objectives and requirements in mind.
Single sign-on (SSO) allows access to all authorized systems that fall under a single IAM system and only require users to assert an identity and authenticate once. The user can move freely between systems without having to reauthenticate each time, similar to a theme park where visitors can purchase a ticket to enter and move freely about the park without waiting in line to buy another ticket.
An SSO is a centralized resource and can be a single point of failure. It is important to monitor all access within an SSO system, since a compromised account can be used to gain access to all systems that integrate with the SSO. Availability is also a key concern for the SSO, since the system being unreachable will lead to users locked out of all integrated applications.
The primary advantage of an SSO is limiting the number of credentials a user must manage, which can be used to increase the strength of access controls like passphrases. Instead of remembering 10 passwords, a user is required to remember only one, so the organization can more easily ask for increased complexity. In the event of an account compromise, the centralized nature of an SSO also makes recovery easier—only one set of credentials must be changed to block an attacker from further access. The SSO allows for simpler central monitoring and access maintenance as well. When each system implements its own IAM functions, monitoring is more complex, and if a user's access must be modified or removed, the increased complexity can lead to errors or oversights.
SSO evolved with a focus on simplifying internal access management, but extending SSO across systems controlled by other organizations is an example of federation. Federation increases the risk caused by a compromised identity, as the number of systems that may be compromised is greater. However, it also offers a more powerful response to compromised accounts, with decreased complexity required in responding to the compromise. Just as with a FIM, an SSO should be a crucial part of continuous monitoring, and incident response procedures should be developed and documented for responding to malicious activity.
Multifactor authentication (MFA) adds a level of security to standard authentication, by requiring users to provide additional proof of their identity. Two-factor authentication (2FA) and MFA are often used interchangeably. 2FA requires two authentication factors, while MFA requires two or more, so 2FA is a subset of MFA.
Authentication is performed when users provide something that confirms their identity, known as factors. The factors are categorized by types:
A fourth authentication factor is beginning to emerge: characteristics of the user request. Factors such as signing in from a previously used device are part of this authentication decision. If a user signs in from the same trusted device every day, the use of that device provides some assurance of the user's identity. The same user credentials entered from a new device or different location, however, indicate a potential security risk. If the user has received a new laptop, the access is legitimate, but if the user's account has been compromised, then it is beneficial to deny access. These types of policy-based authentication schemes can be used to require additional MFA steps for suspicious access, providing a balance between irritating normal users with cumbersome logins and protecting sensitive accounts.
Some solutions described as MFA are simply multiple instances of the same factor, which is not true MFA. An example is when a system requires a user ID, a password, and the answer to a security question—these are all things you know. This is single-factor authentication since it relies on only Type 1 factors; to be true MFA, another factor such as the user's IP address (Type 4) or sign-in from a trusted device (Type 2) must be added.
One use of MFA is to limit the potential damage caused by a compromised account in an SSO or federated system, and MFA deployed here is a compensating control for the risk of a single compromised account granting access to multiple systems. If, when moving from one federated system to another or one federated resource to another, a token is required from something you have, then the ease of SSO or federation is decreased slightly while increasing security. The method chosen will be a balanced decision based on available options, the cost of available options, the value of the asset being protected, and the organization's risk tolerance.
Another approach would be to simply require a token from a device periodically throughout the day, for example, every two hours. This limits the time a compromised identity can be used. The additional burden of authenticating two to three times a day may be an acceptable price to pay to limit the damage of a compromised identity in a federated or SSO environment.
A CASB is an important addition to cloud security and helps to solve challenges related to multiple systems with varying access control models and abilities. A CASB sits between the cloud application or server and the users and may be software- or hardware-based. The CASB monitors activity, enforces security policies, and mitigates security events through identification, notification, and prevention. A part of a layered security strategy, a CASB is not meant to replace firewalls, IDS/IPS systems, or similar security systems. Instead, a CASB is meant to enhance the security provided by these other devices.
A CASB that provides security must be in the line of communication that users follow to reach the application. In on-premises architecture this type of task was easy, with a single network inside a facility where monitoring tools could be attached. Multi-cloud organizations with distributed teams will find this task more complicated, since a user in an office and a user working from home will take different paths to reach cloud-based resources. Architecting and deploying an appropriate CASB solution requires deep knowledge of the environment and use cases, such as support for remote work and need to access one or more cloud environments.
CASBs may be agent-based or agentless, referring to a software agent deployed on computing devices. In either case, they must be inline on the communications paths in order to function as a preventative control. There are also out-of-band CASBs that receive copies of cloud traffic for security analysis, which can be deployed as a reactive control since they do not have the ability to proactively block traffic. These are somewhat analogous to an IPS and an IDS. The inline CASB analyzes requests and enforces policy, like an IPS, blocking suspicious activity when detected. An API-based, out-of-band CASB monitors for violation and analyzes cloud traffic and can generate alerts once suspicious activity has occurred.
Agent-based CASBs may face pushback from users in BYOD organizations. When the user owns the device, it may not be possible to install an agent on the device, and not all CASBs support the wide variety of mobile devices and platforms. Similar to antimalware agents, an agent-based CASB may impact device performance such as speed or battery life. When the organization owns the devices, an agent-based approach can be more effective, and containerized apps may provide a way to implement security controls on BYOD without as much impact.
An agentless CASB typically uses an API on the cloud resources to inspect all traffic to and from that resource, granting the CASB access to logs of activity for analysis. This allows access to all cloud resources to be monitored regardless of endpoint ownership and regardless of cloud service, so long as an API is available. Agentless CASBs can be quickly deployed and more easily maintained but lack the proactive detection and response capabilities of an agent-based solution.
Secrets are a special subset of credentials, most often associated with nonhuman accounts, systematic access to systems, or privileged account credentials. Examples include API encryption keys, used for system-to-system communication, digital certificates used to verify the identity of a remote host, and SSH keys used by system administrators when performing their administrative functions.
Secrets can be used to gain access to systems, so protecting them is just as vital as providing robust control over user credentials like passwords. Since many of these secrets grant highly privileged access, additional controls may be necessary, similar to the practices of privileged access management (PAM). Just as with PAM, there are two fundamental areas of concern when managing risks associated with secrets.
The overall practice of secrets management deals with authenticating requests that use nonhuman credentials, such as API keys or digital certificates. It is a key element of an access control program, since most applications provide access capabilities for more than just human users. Modern distributed applications rely heavily on system-to-system communication using APIs, and cloud computing applications make extensive use of them as well, so proper generation, secure storage, and logging of secrets use are crucial.
Securing cloud applications requires security throughout the application's lifecycle, from the beginning of development to ongoing maintenance to final disposition. The first step is to choose to develop secure applications and implement appropriate policies, procedures, and job aids to support development teams. Without this focus on building security from the start, it will likely be more difficult and expensive to secure the resulting application.
Once the decision is made to build secure applications, an SSDLC must be adopted and training provided on secure software development, as well as the tools and processes used by the organization to implement the SSDLC practices. This begins with well-documented requirements for any system or application, proper development practices following secure coding guidelines, and finally assurance and validation activities to ensure that developed solutions are secure.
Once secure software is developed, it also requires mechanisms to ensure that the verified software is distributed securely. Integrity of the application code is essential to proper system security; otherwise, maliciously modified code could be distributed to users. Finally, the software solutions must be deployed using the organization's overall security architecture. Dependent upon the organization, this may include security tools such as API gateways, XML firewalls, web application firewalls, DAM, IAM, CASB, and other tools as necessary. These tools monitor the applications in use, with the ability to respond to potentially malicious behavior and potentially prevent malicious use.
18.218.118.150