Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Prepared by the
Introduction
The permanent and official location for this Cloud Security Alliance Domain 10 Guidance
for Application Security research is:
http://www.cloudsecurityalliance.org/guidance/csaguide-dom10.pdf
All rights reserved. You may download, store, display on your computer, view, print, and
link to the Cloud Security Alliance “Domain 10 Guidance for Application Security” at
http://www.cloudsecurityalliance.org/guidance/csaguide-dom10-v2.10.pdf subject
to the following: (a) the Guidance may be used solely for your personal, informational,
non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the
Guidance may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Guidance as permitted by the Fair
Use provisions of the United States Copyright Act, provided that you attribute the
portions to the Cloud Security Alliance Domain 10 Guidance for Application Security
research Version 2.1 (2010).
Application Security
Contributors: John Arnold, Warren Axelrod, Glenn Brunette, Aradhna Chetal,
Jesus Luna Garcia, Arthur J. Hedge III, Georg Hess, Christofer Hoff, Dennis
Hurst, Scott Matsumoto, Alexander Meisel, Anish Mohammed, Scott Morrison,
Joe Stein, Michael Sutton, James Tiller, Greg Tipps, Joe Wallace, Colin Watson
INTRODUCTION ........................................................................................................................................ 2
OVERVIEW ................................................................................................................................................. 5
APPLICATION SECURITY ARCHITECTURE ..................................................................................... 7
MANAGING PLATFORM ACCOUNT TOKENS/KEYS ...................................................................................... 7
SOFTWARE DEVELOPMENT LIFECYCLE ......................................................................................... 8
ECONOMICS ............................................................................................................................................... 9
METRICS ....................................................................................................................................................11
TOOLS AND SERVICES ...........................................................................................................................12
INFRASTRUCTURE AS A SERVICE (IAAS) SPECIFICS ..................................................................13
APPLICATION SECURITY ARCHITECTURE ..................................................................................................13
SOFTWARE DEVELOPMENT LIFECYCLE .....................................................................................................14
TOOLS AND SERVICES ...............................................................................................................................14
PLATFORM AS A SERVICE (PAAS) SPECIFICS ................................................................................15
APPLICATION SECURITY ARCHITECTURE ..................................................................................................15
SECURING MESSAGE-LEVEL COMMUNICATION .........................................................................................16
ADDITIONAL REQUIREMENTS FOR HANDLING SENSITIVE INFORMATION ..................................................16
MANAGING APPLICATION KEYS ................................................................................................................16
SOFTWARE DEVELOPMENT LIFECYCLE .....................................................................................................16
TOOLS AND SERVICES ...............................................................................................................................17
SOFTWARE AS A SERVICE (SAAS) SPECIFICS ................................................................................17
APPLICATION SECURITY ARCHITECTURE ..................................................................................................17
SOFTWARE DEVELOPMENT LIFECYCLE .....................................................................................................18
SOLUTIONS AND RECOMMENDATIONS...........................................................................................18
APPLICATION SECURITY ARCHITECTURE ..................................................................................................18
Addressing Changes in Trust Boundaries ............................................................................................18
Metrics .................................................................................................................................................19
Tools and Services ...............................................................................................................................19
Economics ............................................................................................................................................19
INFRASTRUCTURE AS A SERVICE (IAAS) SPECIFICS ...................................................................................20
Application Security Architecture ........................................................................................................20
Trusting the Virtual Machine Image ....................................................................................................20
Hardening Hosts ..................................................................................................................................21
Securing Inter-host Communication ....................................................................................................21
Managing Application Keys .................................................................................................................21
Additional Requirements for Handling of Sensitive Information .........................................................22
Software Development Lifecycle ..........................................................................................................22
Overview
Organizations that plan to use cloud computing to run their in-house developed
applications need to review and potentially modify their software development
approach. Application architecture and design, programming standards and
security capabilities need to be adapted to account for the inherent multi-tenant
environment of cloud platforms, the lack of control over the physical network and
computing infrastructure and the ability of the cloud provider to monitor and
access their customers’ data in transit and at rest. At the same time, existing
standards continue to be valid and organizations that have deployed in-house
applications into Internet facing environments will find that the solutions
developed directly benefit them, as they required addressing many of the same
architectural and design challenges.
Cloud Computing infrastructures are still maturing and adding new capabilities,
but their flexibility, openness and public availability challenge many fundamental
assumptions about application security. An example: if the application processes
data of a sensitive nature, the lack of physical control over the networking
infrastructure might mandate the use of encryption in the communication
between servers of the application to ensure the confidentiality of the data
passed.
The three main layers of cloud computing relevant to application security are
Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as
a Service (SaaS). Each of these layers has the potential to add new threats to
the application’s runtime environment. Without development organizations taking
into account the changes introduced by the *aaS layers, applications will face
exposure to threats they were never designed to defend themselves against.
The remainder of this paper will focus on discussing the challenges that IaaS,
PaaS and SaaS hold for application developers.
Some of the challenges are well known and organizations have encountered
them before when outsourcing network infrastructure and designing and
deploying in-house applications facing the Internet in classic DMZ scenarios or in
collocated shared environments. An upfront analysis, covering the traditional
aspects of managing information confidentiality, integrity and availability, is
central to documenting the classification of data handled by the application and
will influence many of the design decisions. For existing applications, which are
migrated to the cloud, the process can be an opportunity to address outstanding
fundamental problems that have been overlooked or underrepresented during
their development. A cloud application developed using these guidelines will
often be as secure as an internal application.
The remainder of the paper will focus on the following areas and their impact on
application security:
Even basic services like local storage are affected because of the modifications
imposed on an application by a cloud platform. Cloud computing platforms
typically separate all storage resources from computing resources to gain
scalability and improve manageability and implement local storage through the
network. The implication for the application security architecture is that debug
and audit logging which typically go to local storage in non-cloud environments
need now to be considered remote. The security requirements for these
application components are further affected if these applications handle sensitive
data.
Cloud computing platforms change the trust boundary relationships between the
development environment and the application's runtime environment. The exact
nature of this change depends on the deployment model of the cloud computing
platform, which will be addressed later.
Cloud computing platforms are still maturing and in constant evolution. As such,
changes to the platform may occur with greater frequency than with a mature
legacy platform. Changes in the infrastructure architecture, such as the multi-
tenancy of most public clouds, can affect the trust assumptions of most traditional
applications.
Economics
There are two aspects of cloud application security that must be evaluated with
respect to their costs and benefits. One is the use of cloud service providers for
the development and/or testing of applications being built by or acquired and
modified by customers. The other is the running of cloud-based applications
which were built by or acquired by the customer organization or the service
providers to support customers’ businesses.
Risks and Economic Impact of Cloud Computing for Phases of the SDLC
Phase of Security Risks from Cloud Economic Benefits from Cloud Economic Impact
Lifecycle Computing Computing
Business Risks relate to the criticality of Cloud computing might offer Cloud computing may result in a
Requirements the application to the faster “time to value,” lower significant reduction in costs of
and Project business, and the sensitivity development and testing costs developing and testing
Justification of the data to be processed. and lower computing costs applications and of running the
Risks from cloud computing during full production. system in production. These
result from issues relating to savings need to be offset against
data protection and system the costs of ensuring an
availability. acceptable level of security and
availability.
Functional When specifying what specific Often the most critical The cost reductions need to be
Specifications applications will actually be applications, handling the most balanced against any
and Design doing, systems analysts must sensitive data, are more cheaply vulnerability increases with
consider that some functions run in the cloud. For example, respect to security and
are more security sensitive for many organizations, the availability. The risks may be
than others and may not be biggest resource hogs are mitigated by increasing security
viable candidates for running precisely those applications that measures, but the costs of doing
in the cloud. process sensitive information. so must be deducted from
processing cost savings.
Development There is a risk in the cloud, as Because of the compelling Cloud service providers offer
(Coding) and in other environments, that financial benefits of using cloud security services, such as access
Testing proprietary information and resources, particularly when management, multiple copies of
intellectual property might be computing resource systems and data, and
stolen, even without requirements may exhibit encryption, which the customer
customers’ knowledge. extreme peaks and valleys, can invoke in order to raise the
there are often big economic security level and reduce risks of
While there is usually policy incentives to use cloud data compromises and
against using live data for computing for development. exploitation for fraudulent
testing, realistic data must purposes. There are additional
often be used, raising security Sometimes there is a benefit in costs related to invoking these
issues. The risk of data developing applications in- services and the customer has to
compromise and the cost of house, but using cloud determine whether any
potential security incidents, resources for testing, particular security measure is
encourages customers to not particularly if large volumes of worthwhile or whether the cost
use live data for testing data and significant computing of increased security outweighs
purposes. resources are needed to the economic benefits of cloud
conduct the tests. computing.
Implement- The bulk of cloud computing One of the biggest benefits of The overall economic impact
ation and is for running production running production applications sought in the use of cloud
Production systems, which involves the in the cloud is lower costs. computing is to reduce costs and
transference of intellectual Large cloud services providers increase flexibility in use and
property (such as the can use economies of scale and payment for resources. However,
application code and the purchasing power to lower their organizations need to be aware
operational procedures) as costs, and they may pass on that the above goals may not
well as the use of live data. some of those savings to always be realized. For example,
There are risks that the customers in the form of lower it may be more costly to incur
systems and procedures prices. Also, the pay-as-you-use communications costs between
might be hijacked by the charging model allows cloud service providers and their
service provider or other customers to avoid excess customers, and to the
organizations and that capacity and reduce financial customers’ customers, business
sensitive data are commitments usually required partners and suppliers, than
compromised. There are also in setting up and running from in-house facilities, so that
risks related to availability of internal data centers. In this other cost reductions may be
systems and networks and the way, capital expenses are negated. In some cases, the use
relative performance, converted into operational of a hybrid cloud, with some
including network latency, of expenses, which is beneficial functions performed in the cloud
running applications in the when capital markets are tight. and others in-house, may be the
cloud versus internally. most cost-effective approach.
Application Planning for the It is possible that applications The degree to which economic
Retirement or decommissioning or retiring running in the cloud have better benefits can be realized for
Transfer of applications and systems is demarcation than internally run retiring systems or transferring
often neglected. It is and managed applications, if for them is very much a function of
important to realize that, no other reason than specific the type and complexity of the
when a system or an resource usage is monitored system and the degree of
application has outlived its and charged for by the service customer lock-in, which is
usefulness and is being provider. sometimes termed “stickiness.”
replaced by another system, The provider usually has strong
the program code and data, In addition, the customer does incentives to make the service as
which may reside somewhere not usually have to be sticky as possible so that
in the cloud, should be concerned with the disposal or customers will continue with the
disposed of through a formal redeployment of dedicated provider. This works against
process, which was preferably resources, as they might with customers if they wish to
predetermined and included internal systems and networks. transfer the system or if the
in the services agreement.. provider goes out of business or
otherwise ends the service.
Furthermore, it is likely that, for
Similarly, customers may wish the transfer costs, the time to
to transfer applications or convert and costs of parallel The issues that arise include
entire systems from one cloud operations may be less for contractual terms as well as
service to another, to an in- transferring from cloud portability and interoperability
house facility, or to a computing, although this very issues, the latter two of which
combination hybrid cloud. In much depends on particular are addressed in Chapter …
such cases, there should be circumstances. Portability is the ease with which
predetermined procedures an application can be moved
for the transfer of the from one platform to another
applications, systems and without the need for significant
networks and the retirement reworking. Interoperability
of those resources held with relates to the degree to which
the original provider. data used by applications in one
environment can be accessed
and handled in different provider
and in-house environments.
Metrics
The four groups of metrics that apply to cloud computing and cloud application
environments are: Compliance and Governance, Identity and Access,
Vulnerabilities and Patching, and Data Security.
Static and dynamic code analysis tools can add great value in cloud-based
application security by providing a security baseline. However, as with all tools,
they come with limitations. Some of the limitations that are shared by all
scanning tools are:
requiring an advanced level of training on the proper use of the tool and
an understanding of the vulnerability and its consequences.
In IaaS environments, the local data storage is typically not persistent across
machine restarts, so most applications use some form of external and persistent
storage. Many IaaS environments provide additional components for persistent
storage, but that storage is always remote.
When the test and production environments are moved to an IaaS platform, the
trust relationship between internal and external environments is similar to
operating an application at a Managed Service Provider (MSP). In both cases,
the software and data are running outside of the trusted environment created
within the enterprise and therefore additional security considerations need to be
evaluated.
Even though the PaaS platform’s application building blocks are similar to their
traditional enterprise counterparts, the multi-tenant nature of the cloud computing
environment requires the application’s assumption about trust to be re-
evaluated. For example, securing the messages on the ESB becomes the
responsibility of the application because controls, such as segmenting ESBs
based on data classification, may not be available in PaaS environments. PaaS
providers may also offer built-in application security controls within their
programming environment to help developers avoid known application
vulnerabilities.
The specific building blocks offered by PaaS providers are platform dependent,
but range in abstraction from the programming language to high level
components such as work flow engines.
Data exchanged through the SaaS platform’s external APIs is subject to existing
security policies and standards for any type of external data exchange. The data
can either originate from, or be destined for, applications within the enterprise or
applications running on another cloud platform. The data exchange should be
secured using appropriate controls for the classification of data exchanged.
Federating identity between two sites is a common best practice. The section on
IAM describes solutions and recommendations for federating identity for a SaaS
platform. For sensitive data, the exchange should be protected using
Figure 8 – Shared Secure SDLC Between the Enterprise and SaaS Vendor
An enterprise must have a way to verify that the vendor’s development lifecycle
provides sufficient security assurance activities for the risk-level of the
application. The challenge in SaaS environments is determining which security
software development activities need to be implemented by the application owner
and which ones should be left to the cloud provider.
The Service Level Agreement (SLA) negotiated with the vendor is another
mechanism for addressing changes in the trust boundaries for a cloud platform.
Application security must be represented as a clearly articulated set of actions
and guarantees within the SLA. This can include providing documentation of
security measures taken by the vendor, as well as allowing for reasonable
security testing related to ongoing activities such as logging, audit reports and
periodic validation of security controls.
Metrics
Enterprises must ensure that needed metrics are available from the cloud
platform selected. Whether they are provided directly from the cloud provider or
via a third-party solution is a choice made by the entity requiring the metrics.
Web application security in the cloud should be scalable, flexible, virtual and
easy to manage. A Web Application Firewall (WAF) is commonly used to provide
additional security for web applications. In a cloud environment a WAF must not
be limited by the hardware, must dynamically scale across CPU, computer,
server rack and datacenter boundaries, and must be customizable to the
demands of individual customers. Resource consumption of the WAF must be
minimal and scalable from a small-usage scenario to highly-loaded web
applications. As clouds come in all shapes and sizes, WAFs must be adaptable
to all possible configuration scenarios.
The new type of WAF, described above, namely a distributed Web Application
Firewall (dWAF), must be able to operate in conjunction with a wide variety of
components to be effective, and must not add undue complexity for cloud service
providers. Today’s providers use a variety of traditional and virtual technologies
to operate their clouds, so an ideal dWAF should accommodate this mixed
environment either as a virtual software appliance, a plug-in, SaaS or should
integrate with existing hardware. Flexibility with minimal disruption to the existing
network is central.
Economics
The service provider has direct control over implementing application security for
the cloud applications deployed, whether developed by the cloud service provider
or by another entity. The level of security of these applications reflects providers’
beliefs that making application security changes is beneficial in both terms of
lowered risk of compromise and better quality of service.
The benefits to customers of secure applications are more direct because better
security improves the relationships of the provider’s clients with their customers,
business partners and suppliers. Better security also reduces breaches and
outages due to security events, and avoids the costs of such incident handling,
such as responding to and resolving the breach, notifying customers, and
providing ID theft assurance services. Additional costs to include are damages to
reputation, customer defections, loss of potential customers, and increased
future customer acquisition costs.
Similar reasoning applies to effective platform security. It enhances the
reputation of the cloud provider and attracts customers who care about the
platform security on which they run their applications.
The overall security of both applications and platforms is particularly important in
the cloud environment because of heavy use of virtualization and concerns about
the security of virtual machines. The concerns include the opportunity for
successful attacks on the virtualization layer which may compromise all the
applications running on the servers supporting the virtual environment.
Measures can be taken to improve virtualization security, but implementing such
measures is a maturing discipline and their implementation should be subject to
platform audits to assure correct implementation.
Hardening Hosts
IaaS platforms provide the ability to block and filter traffic based on IP address
and port, but these facilities are not equivalent to the network security controls in
most enterprise networks. Hosts running within an IaaS infrastructure are in a
similar position as are hosts running in the DMZ of an enterprise’s network. All of
the same precautions used to harden hosts running in the DMZ should be
applied to the virtual images. If the IaaS platform does not offer the capabilities
needed, IaaS customers should look for equivalent resources on the virtual
machine/host level.
It is a best practice for DMZ and cloud-based applications to build custom
operating system implementations (i.e. installing only required OS components
when configuring the system) and application platform images which only have
the capabilities necessary to support the application stack. By limiting the
capabilities of the underlying application stack, the overall attack surface of the
host, and the number of patches necessary to keep the application stack secure
are reduced.
IaaS platforms often use a “secret key” to identify a valid account. The account
key must be passed on all of the calls to make use of the services provided by
Copyright © 2010 Cloud Security Alliance 21
Domain 10: Guidance for Application Security V2.1
When a SaaS application handles sensitive data, part of the due diligence in
choosing a vendor should include an analysis about how enterprise’s sensitive
data is isolated from other tenants’ data. This analysis includes data at rest and
data in transit within the vendor’s SaaS environment, as well as in transit across
other untrusted networks.
If the SaaS vendor has a secure software development lifecycle, reviewing the
addressed threat model is recommended. The threat model should list the threat
actors, possible attack vectors and software, and the compensating controls
Application security adds another layer of security management with a unique set
of concerns. Before selecting a vendor to host your applications, data and
services in the cloud an enterprise should incorporate these concerns into their
due diligence. Domain 9 of the CSA Guide covers the operational issues in
providing a secure operational environment for the application and Domain 10
covers security incident response. Combining the question from these two
domains with the questions below covers the layers of the Cloud Reference
Model.
Infrastructure as a Service
• What mechanisms does the platform provide against DoS and DDoS
attacks at the infrastructure and network layers?
Copyright © 2010 Cloud Security Alliance 25
Domain 10: Guidance for Application Security V2.1
Platform as a Service
• Where is the line of responsibility drawn between security of the platform
and application components?
• What facilities does the platform provide for application level logging?
• Is application log data integrated with other platform-provided logging and
reporting?
• Are there any real time intrusion detection systems deployed for detecting
issues related to security at the application layer?
• What mechanisms does the platform support for isolating message data
on the client’s service bus?
• What mechanisms does the platform support for securing communication
between two application components? What mechanisms does the
platform support for isolating data at rest and in use?
Software as a Service
• What Web application security standards (input validation, encoding
output, preventing request forgery and information disclosure) are being
followed by the vendor?
• What application and infrastructure controls are in place to isolate the
enterprise’s data from that of other tenants?
• Data at rest
• Data in transit
• Data in use
Outlook
This section examines the prospects for the future development of application
security and defines the distinction between:
Both of these have been considered in depth by the Jericho Forum which
proposes the Collaboration Oriented Architecture as the most appropriate
response to pressures to remove perimeters, such as cloud computing. Our
description here incorporates ideas from the Collaboration Oriented Architecture.
Application Integrity
Application integrity requires the following:
Application as Enforcer
Most of the existing security approaches focus on protecting a perimeter; a
References
• [AWS1] Amazon Elastic Compute Cloud Developer Guide,
http://docs.amazonwebservices.com/AWSEC2/2009-03-
01/DeveloperGuide/
• [AWS2] Amazon Simple Storage Service Developer Guide,
http://docs.amazonwebservices.com/AmazonS3/2006-03-01/
• [AWS3] Amazon SimpleDB Developer Guide,
http://docs.amazonwebservices.com/AmazonSimpleDB/2007-11-
07/DeveloperGuide/
• [AWS4] Amazon Simple Queue Service Developer Guide,
http://docs.amazonwebservices.com/AWSSimpleQueueService/2008-01-
01/SQSDeveloperGuide/
• [AZURE1] Azure Services Platform, http://msdn.microsoft.com/en-
us/library/dd163896.aspx
• [AZURE2] Windows Azure SDK, http://msdn.microsoft.com/en-
us/library/dd179367.aspx
• [SAVVIS] Savvis Symphony Cloud Services, http://www.savvis.net/en-
US/infrastructure-services/Cloud/Pages/Home.aspx
• [PYT] Python Runtime Environnent,
http://code.google.com/appengine/docs/
• [FORCE1] Force.com Web Services API Developer’s Guide,
http://www.salesforce.com/us/developer/docs/api/index.htm
• [FORCE2] The Force.com Workbook,
http://wiki.developerforce.com/index.php/Forcedotcomworkbook
• [SAS70] www.sas70.com
http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_S
ervice_Organizations
• [QWASP] OWASP Top Ten Project,
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• [BSIMM] Building Security In Maturity Model, http://www.bsi-mm.com/
• [NIST] P. Mell and T. Grance, "Cloud computing definition," June 2009.
[Online]. Available: http://csrc.nist.gov/groups/SNS/cloud-
computing/index.html
• [BUR] "Cloud computing vocabulary ?(cloud computing wiki)?." [Online].
Available: http://sites.google.com/site/cloudcomputingwiki/Home/cloud-
computing-vocabulary
• [USEC] "Cloud computing use cases whitepaper," August 2009. [Online].
Available: http://www.scribd.com/doc/17929394/Cloud-Computing-Use-
Cases-Whitepaper