Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Development
    • IT Management

    Application Development Security Considerations for the Cloud

    By
    Brian Prince
    -
    January 5, 2011
    Share
    Facebook
    Twitter
    Linkedin

      In their list of predictions for 2011, application security specialists at the Denim Group predicted software development teams will start to shift their focus to building extensions to software-as-a-service applications instead of writing custom software from the ground up.

      In the company’s crystal ball, business-to-business providers will lead the way in this, though extensions to consumer-oriented applications will increase as well. As could be predicted however, this kind of shift would bring with it its own set of challenges for developers looking to integrate their creation securely, experts told eWEEK.

      “The overarching problems with securely integrating with SAAS [software-as-a-service] applications is that the systems involving these integrations have more complicated threat models than normal Web applications and the integration patterns between custom code and SAAS services are not as standardized or well-understood,” said Dan Cornell, CTO for the Denim Group. “This creates a situation where developers do not necessarily understand how to build these interactions securely, and it also makes it challenging to provide standardized guidance to developers because, in the absence of specific platforms and desired features, this guidance is often ‘it depends’ or ‘it’s complicated.'”

      The dependency on SAAS components they don’t control poses a challenge for enterprises as well, Forrester Research analyst Mike Gualtieri told eWEEK.

      “Enterprises become more vulnerable because of the dependency created by SAAS ‘Franken-apps,'” he said. “If you find a vulnerability in a component and cannot fix it yourself, then you are now at the mercy of the SAAS provider to fix it. What do you do in the meantime? Take the application down? Architects must threat model the entire application and provide contingency plans in case a vulnerability surfaces during runtime.”

      The approach to security requires a number of things, Cornell said. For one, developers need to validate data coming from the SAAS applications to prevent injection and other attacks from being propagated between portions of the system, he said. In addition, data sent to the SAAS provider needs to be properly encoded. Then there is the issue of authentication.

      “Depending on the characteristics of the system, some sort of credentials for access to the SAAS provider must be used,” Cornell said. “If these are provided by the user, then proper management might only require them to be encrypted while in transit. However, if all access to the SAAS provider is anonymized behind a single account, the credentials for that account must be stored in a secure manner while at rest and proper logging must be maintained in order to determine what users attempted what actions.”

      The prospect of an attacker getting past the authentication page by being a customer of the SAAS application means the entire application functionality is the attack surface, noted Chris Wysopal, CTO of Veracode.

      “Many app developers downplay the insider threat and feel protected just because their Web app has authentication and only authorized employees can log in,” he said. “With a multitenant SAAS application, this is not the case anymore as attackers can be other customers of the SAAS app provider. This increases the need to get application security right for cloud-based applications.”

      A further risk for SAAS is the fact that the administration of the systems housing the customer data is typically performed by the SAAS developer and the hosting provider, which makes building in data encryption at rest and in transit a must, Wysopal said. Good auditing and logging are also requirements, he added.

      “So in summary, the threat space and the attack surface have increased greatly for SAAS apps,” he said. “This makes application security features like encryption, auditing and two-factor authentication much more necessary. Vulnerabilities are much more exposed in a multitenant world, so secure coding, security testing and vetting of third-party components are requirements.”

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×