The paper, titled ‘Practices for the Secure Development of Cloud Applications’, was issued by SAFECode today in conjunction with the CSA. Its co-authors come from tech industry giants that include Microsoft, Adobe, EMC, Intel and Symantec.
The guidance “aims to provide practical secure development recommendations in the context of critical threats specific to cloud computing”, according to a joint statement issued by the CSA and SAFECode.
Said Tabet, senior technologist at EMC, and one of the co-authors, told Infosecurity that the paper was the result of six months of development, as the collaborative effort “tried to figure out the pain points that were specific” to the area of cloud-based application development. Not meant to be a replacement of previous guidance on software security issued by SAFECode and the CSA’s top cloud-based threats, Tabet said this new paper is simply a “complement to our previous research”, adding that the focus was squarely on specific application threats related to cloud computing.
Among the secure development guidance topic areas addressed in this paper: multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management; authentication and identity management; shared-domain issues; compliance issues; and securing APIs.
The new guidance document is specific to the cloud environment as opposed to traditional software security issues. “The cloud is built on tried-and-tested paradigms”, said John Howie, the CSA’s chief operating officer. “As we go through these cycles in the industry, much of the developers’ knowledge has been lost, as we move from on-premise to the cloud. It’s about re-educating people about how to develop software, for an environment that is different than on-premises, but not necessarily altogether new.”
EMC’s Said agreed, calling the joint paper “a live document” that is just the first in what will certainly be a series of updates, as the cloud computing industry continues evolving. “In the cloud, it is a different threat landscape. This is about resuscitating best practices, and examining current threats known to cloud computing. The cloud is multi-dimensional…developers, designers and managers need to be brought up to speed.”
Tabet further explained that while application developers are definitely a target audience for this publication, the authors intended for its recommendations to be consumed by a wider audience, including enterprise architects, managers, and any other stakeholders (i.e., compliance and risk officers)
“The target audience will only increase as more work is done in this area”, Howie added. “All business functions will be impacted by the cloud” – marketing, sales, as well as developers.
“The greatest threat [to applications] is the lack of education awareness among developers when it comes to the tools that are available”, Howie concluded. “Developers are not necessarily aware of what they should be doing. You can trace a lot of infosec failures back to lack of education; we often rely too much on technology.”