The rise in popularity of hosted, cloud and Software-as-a-Service (SaaS) applications has made the task of securing these applications and the critical data they use more difficult for developers. Advanced stateless applications and multi-tenanted, redundant cloud-based architectures need to be taken into account at the earliest stages of design and throughout the development process. All the while, security processes must be adhered to and implemented on platforms that are rapidly evolving.
To find out more about the challenges faced by developers in an increasingly cloudy world, we spoke with Dr. Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute. Dr. Ullrich has over a decade of experience within IT security and in November of 2000, he started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized and in 2004, Network World named him one of the 50 most powerful people in the networking industry. In 2005, Secure Computing Magazine named him one of the Top 5 influential IT security thinkers.
“One of the challenges is exercising controls over the remote infrastructure, especially in multi-tenant environments,” explains Dr. Ullrich. “Each development environment will place restrictions on how data is stored and handled by the applications, and developers need to educate themselves on the platform before committing to projects.”
In many cases, developers assume that the underlying infrastructure is secure and will mitigate the potential for a successful cyber-attack. Weaknesses in the layers from the OS up through the App Server and any supporting libraries can lead to vulnerabilities. However, understanding the baseline security processes and validation for new cloud platforms is still a challenging task. Dr. Ullrich points to emerging industry standards such as the not-for-profit Cloud Security Alliance best practice and guidance documents as a good checklist for developers to use when selecting a base platform.
But even within a platform that has good baseline security validation, Security Misconfiguration is still an issue and an emerging threat on the Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks. Dr. Ullrich recommends that developers verify the system’s configuration management and if verification is not possible, the assumption must be that it’s not secure.
Even with the move to cloud, old threats still linger and according to OWASP, the number one issue is still injection flaws. Injection is essentially tricking an application into including unintended commands in the data sent to an interpreter. In an attack, these strings are then interpreted as commands and although SQL is the most common, the threat can extend to OS Shell, LDAP, XPath and Hibernate. “Many of the developers who learnt their skills a decade ago are still not aware how to protect against SQL injection,” he explains. “In most cases, this is relatively simple but often overlooked.”
In some cases, it is best to avoid the interpreter entirely. If that is not possible, Dr. Ullrich recommends an interface that supports bind variables, which allow the interpreter to distinguish between code and data.
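The difference bind variables make, shown as an added example (not code from the interview or from Dr. Ullrich). It uses Python's built-in sqlite3 module; the table, tenant names and input string are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (tenant TEXT, owner TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("acme", "alice", 100), ("acme", "bob", 250), ("globex", "carol", 900)],
    )
    return db

def lookup_concatenated(db, tenant, owner):
    # Weak form: the value is pasted into the SQL text, so the interpreter
    # cannot tell the developer's code from the caller's data.
    sql = (
        "SELECT tenant, owner, balance FROM accounts "
        "WHERE tenant = '" + tenant + "' AND owner = '" + owner + "'"
    )
    return db.execute(sql).fetchall()

def lookup_bound(db, tenant, owner):
    # Corrected form: the statement text is fixed and the values travel
    # separately as bind variables, so they are only ever treated as data.
    sql = "SELECT tenant, owner, balance FROM accounts WHERE tenant = ? AND owner = ?"
    return db.execute(sql, (tenant, owner)).fetchall()

# Constructed input: an owner name containing a quote and SQL keywords.
HOSTILE_OWNER = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, "acme", HOSTILE_OWNER))
    print("bound:       ", lookup_bound(db, "acme", HOSTILE_OWNER))
    print("bound, legit:", lookup_bound(db, "acme", "alice"))
```

With the concatenated query the constructed input changes the WHERE clause and returns every tenant's rows; with bind variables the same input is compared as a literal owner name and matches nothing.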
Dr. Ullrich believes a key focus for developers should be gaining an understanding of new programming techniques that offer better security models for developing in a cloud centric world.
One example is tokenisation, a process that replaces a piece of sensitive data with a value that is not considered sensitive in the context of the environment that consumes the token and the original sensitive data. “This is useful for areas like credit card data as it takes the valuable asset at risk off the table so it can no longer be stolen,” he explains.
Developers are often not able to see the operational environment and controls that will support an application after it goes live. However, the development process can still provide a foundation for best-practice, ongoing security.
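A minimal sketch of tokenisation, added here as an example and not taken from the interview. The `TokenVault` class, the `payment-gateway` caller name and the `tok_` token format are hypothetical; a real vault would be a separate, hardened service with encrypted storage.

```python
import secrets

class TokenVault:
    """Hypothetical vault service: the only component that holds real card numbers."""

    def __init__(self, allowed_callers):
        self._allowed = set(allowed_callers)
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible card number")
        if digits in self._token_by_pan:       # same card always maps to the same token
            return self._token_by_pan[digits]
        # The token is random, not derived from the card number, so it cannot be
        # reversed without the vault. The last four digits are kept for receipts.
        token = "tok_" + secrets.token_hex(12) + "_" + digits[-4:]
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenise(self, token, caller):
        # Only named services (here, the payment gateway client) get the real value back.
        if caller not in self._allowed:
            raise PermissionError(caller + " may not detokenise")
        return self._pan_by_token[token]

def place_order(vault, orders, customer, pan, amount):
    # The application database (orders) stores the token, never the card number.
    orders.append({"customer": customer, "card": vault.tokenise(pan), "amount": amount})
    return orders[-1]

if __name__ == "__main__":
    vault = TokenVault(allowed_callers={"payment-gateway"})
    orders = []
    # 4111 1111 1111 1111 is a well-known test card number, used as constructed input.
    print(place_order(vault, orders, "alice", "4111 1111 1111 1111", 42))
    print(vault.detokenise(orders[0]["card"], "payment-gateway"))
```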
Dr. Ullrich highlights several good practical steps that every developer should always follow. One of the most critical is encryption. If developers live with the assumption that no application can ever be 100% guaranteed unbreakable, then the next logical step is that all sensitive data should be securely stored. But this extends past the database and into oblique areas that can be overlooked such as directories, log files and backups.
For example, an error handler that logs credit card details that have been refused because a merchant gateway is unavailable could become a vulnerable collection point for lots of sensitive information. Unless the developers explicitly include these logs or temporary data stores within encryption schemas, the security of the application is weakened. Encryption also extends to communication security over the Internet and developers should insist that SSL be used for everything requiring authentication.
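The error-handler scenario above, as an added example that is not part of the original article: a logging filter that masks card numbers before a line is written. Masking complements encrypting the log store and does not replace it; the logger name, `ListHandler` and sample values are constructed for illustration.

```python
import logging
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    # Luhn checksum: keeps order numbers and timestamps from being masked by mistake.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub(text):
    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        return "[PAN ****" + digits[-4:] + "]" if luhn_ok(digits) else match.group()
    return CARD_RE.sub(mask, text)

class CardScrubFilter(logging.Filter):
    def filter(self, record):
        # Format first so numbers passed as arguments are scrubbed too.
        record.msg, record.args = scrub(record.getMessage()), ()
        return True

class ListHandler(logging.Handler):
    # Stand-in for a file handler: collects formatted lines in memory.
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def log_refusal(card_number, order_id):
    handler = ListHandler()
    handler.addFilter(CardScrubFilter())
    log = logging.getLogger("checkout.example")  # hypothetical logger name
    log.addHandler(handler)
    try:
        log.error("gateway unavailable, refused %s for order %s", card_number, order_id)
    finally:
        log.removeHandler(handler)
    return handler.lines
```

A filter like this only covers the message text that passes through the logging handler; exception tracebacks, temporary files and backups need their own handling.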
In March, Dr. Ullrich will be teaching the SANS DEV522: Defending Web Applications Security Essentials in Stuttgart, Germany. The session is the first time this course has been offered in EMEA and is intended for anyone tasked with implementing, managing, or protecting Web applications. Although the course touches on elements related to new software development areas like cloud and SaaS, Dr. Ullrich urges senior developers about to start projects which are likely to be impacted by shared data from third party clouds or SaaS to consider attending. “The next few years are going to see major changes for developers as the landscape moves from on-premise, to web and ultimately cloud – the level of education around application security also needs to make that same progress,” he adds.
About Dr. Ullrich
Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top 5 influential IT security thinkers. His research interests include IPv6, Network Traffic Analysis and Secure Software Development. Johannes is regularly invited to speak at conferences and has been interviewed by major publications, radio as well as TV stations. He is a member of the SANS Technology Institute's Faculty and Administration as well as Curriculum and Long Range Planning Committee. As chief research officer for the SANS Institute, Johannes is currently responsible for the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also maintains a daily security news summary podcast and enjoys blogging about application security.