Throughout this blog series, we will break down iVision’s prescriptive cloud security approach by covering each area individually: infrastructure, network, applications and data. In this blog, we’ll be sharing tips for securing your cloud applications, with a focus on secure coding practices for app development.
As organizations either migrate their applications to the public cloud or develop greenfield in the public cloud, they experience the benefit of building and releasing features and functions faster. Though this allows organizations to respond to user feedback and market opportunities faster, it also increases the risk of vulnerabilities and unwanted exposure being introduced to their technical estate. Knowing that a perimeter defense alone is not enough to combat this risk, companies are adopting a defense-in-depth strategy that brings a greater focus on security at the application layer. Application security starts at no place other than the beginning, with the code. Unfortunately, it is not as simple as just introducing additional vulnerability scans of the source code through off-the-shelf tools. Proper development practices are the genesis of securing an application.
To promote secure and modern development practices, iVision recommends organizations adopt The Twelve-Factor App. The Twelve-Factor App is a well-accepted methodology for application development that corresponds with writing secure code. This methodology relies on 12 principles (or “factors”) to guide developers in achieving optimally developed applications. While using these 12 factors, iVision recommends the accompanying security practices (listed below) be applied.
1. Codebase
- Enforce frequent reviews of the codebase
- Use a least privilege approach when granting access to source code repositories
- Ensure no secrets are permitted in the codebase
2. Dependencies
- Track open source and third-party dependencies by employing Software Composition Analysis (SCA)
3. Config
- Leverage industry benchmarks (such as CIS Benchmarks) to harden the environment
- Ensure environment configs are secured and use a least privilege approach when granting access
4. Backing Services
- Secure all connections with backing services
- Use a least privilege approach when authenticating with backing services
5. Build, Release, Run
- Track all builds against security policies, stopping all builds that fail one or more of the policies
6. Processes
- When decomposing large components, keep security in mind, as this can increase the attack surface
7. Port Binding
- Employ port forwarding
- Run applications in a least privilege approach by binding to unprivileged ports
8. Concurrency
- Be aware of APIs vulnerable to denial-of-service attacks that can lead to memory exhaustion
9. Disposability
- Employ fast startups and graceful shutdowns to enable the use of life limits for applications, thus providing security via obviation through the regular termination and recreation of potential intrusion points (limiting the time intruders have to make the next hop)
10. Dev/Prod Parity
- Secure and operate each environment like it is production
- Employ security through obfuscation by separating secrets between environments
11. Logs
- Aggregate security logs in a distinct, dedicated and separate location
- Use a least privilege approach when granting access to security logs
- Ensure no sensitive data finds its way into logs using Data Loss Prevention
12. Admin Processes
- Assess the business value to security risk of introducing any one-off admin processes, and track all additions
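As an added illustration (not iVision's code), the sketch below shows how three of the practices above can feed the build gate described under Build, Release, Run: a secrets scan of the codebase, a dependency deny-list check standing in for SCA output, and a privileged-port check. The function names, regular expressions, package names and deny list are assumptions made for this example, and the sample inputs are constructed.

```python
import re

# Patterns for material that should never be committed (illustrative, not exhaustive).
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"(?i)\b(?:password|secret|api_key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_secrets(files):
    """Codebase: return 'path:line: kind' for each suspected secret in {path: text}."""
    hits = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append(f"{path}:{lineno}: {kind}")
    return hits

def check_dependencies(pinned, denied):
    """Dependencies: flag pinned (name, version) pairs that are on the SCA deny list."""
    return [f"dependency {n}=={v} is on the deny list"
            for n, v in sorted(pinned.items()) if (n, v) in denied]

def check_port(port):
    """Port Binding: ports below 1024 require elevated privileges to bind."""
    return [f"port {port} is privileged; bind to 1024 or above"] if port < 1024 else []

def evaluate_build(files, pinned, denied, port):
    """Build, Release, Run: collect every violation; any violation stops the build."""
    return scan_secrets(files) + check_dependencies(pinned, denied) + check_port(port)

# Constructed sample build inputs (the key is AWS's documented example value).
SAMPLE_FILES = {
    "app/settings.py": 'DEBUG = False\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/db.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
}
SAMPLE_PINNED = {"examplelib": "1.2.0", "otherlib": "3.1.4"}
SAMPLE_DENIED = {("examplelib", "1.2.0")}  # hypothetical SCA finding

if __name__ == "__main__":
    violations = evaluate_build(SAMPLE_FILES, SAMPLE_PINNED, SAMPLE_DENIED, port=443)
    for v in violations:
        print("FAIL:", v)
    raise SystemExit(1 if violations else 0)
```

Run as a pipeline step, the non-zero exit status is what stops the build; reading the password from the environment, as `app/db.py` does, passes the scan.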
Leveraging these security practices will allow you to confidently run your applications in the cloud with significantly less risk of cyber threats. In the next blog for this series, we will finish delving into the remaining focus areas of cloud application security. Learn more about iVision’s cloud security capabilities, and consider one of our Cloud Application Migration Workshops to assess your organization’s preparedness for a successful migration.