Security has traditionally been an afterthought in the software development process. But publicity of the recent...
heartbleed vulnerability and associated patching difficulties has moved security to the forefront. And a secure software development lifecycle approach using security operations management, or SecOps, can help improve security for AWS applications.
A SecOps approach mirrors DevOps principles of better communication between developers and operations in the security realm, said Todd Vernon, CEO of VictorOps, a DevOps tool provider. DevOps allows IT teams to make quick changes to cloud applications prior to deploying them into production. But this can also introduce significant security problems.
"In the past, you would get a security audit once in a while. But how can that help now?" Vernon asked. Security operations management is the process of continuously developing, testing and monitoring systems for threats. It also provides checks and balances to DevOps.
Put security into the design
"It's critical to design-in security from the start," said David Eads, CEO of Mobile Strategy Partners, a security consultancy. "If security is an afterthought, there's no hope to be secure." This is amplified for cloud-based environments, he added.
In the cloud, new vulnerabilities can be patched quickly. Cloud configuration scripts can ensure fixes are propagated quickly to all other affected environments so vulnerabilities don't return. The cloud also makes it possible to look for similar issues, patch those scripts, and the secure environments that might have related but different issues.
"There's no way IT staff could do this in a traditional environment," said Eads. If the organization has a reactive software development culture, it likely will take a near disaster before they take security seriously -- and that's sometimes just too late.
"Code Spaces is a good example of this," said Sirish Raghuram, CEO of Platform9, a private cloud infrastructure provider. "They were missing some fairly basic security precautions to their Amazon [Web Services] account, and they never got a second chance. You need to have someone influential within the organization who will not wait until it’s too late to instill change."
Stay ahead of new vulnerabilities
Organizations that weave secure coding practices throughout their process are more likely to think about security correctly, said Zulfikar Ramzan, CTO of Elastica, a cloud based SecOps provider. While security testing after the fact has value, it will never uncover underlying issues.
The Heartbleed bug, for example, was alarmingly severe. Yet, it was hiding in plain sight for years. Part of the challenge is that various development processes are interlinked in a fairly complex patchwork. Making one change -- even if that change seems innocuous -- can wreak havoc on downstream processes. In addition, customers demand evidence of secure coding practices from cloud services, said Ramzan. Enterprises that entrust vendors with processing their data must increase levels of assurance that the vendor is doing so in a reasonably safe and sane fashion. The Cyber Supply Chain Management and Transparency Act of 2014 mandates that cloud service providers, such as AWS, disclose known vulnerabilities to government clients.
Improving security engineering
There is no substitute for engineering vulnerabilities out of the design first. Handling security issues while they're still in code is better for preventing cross-site scripting attacks, SQL injections, and other known vulnerabilities, said Mark Patton, vice president of engineering at Malwarebytes, an anti-malware vendor. And knowing best practices for cloud-based systems versus on-premises systems is often a challenge.
Organizations that adopt secure coding practices after design should follow these tips to ensure the environment is better protected from vulnerabilities:
- Consider the security of the API surface is as important as securing Web pages
- Look at cloud platform security, AWS Virtual Private Cloud layout and use AWS security groups
- Discuss the techniques for authentication (username and password, tokens, two-factor authentication, etc.)
- Do not embed credentials into code – this could leak them out to users
- Architect the access of cloud resources using role-based "need-to-know" or "need-to-access" bases
A successful and secure organization will provide incentives for teams around security, as well as features and schedules. Business should define success to include security as first-class citizen that is everyone's project from day one.
Identify tactical hurdles to secure development
Making the transition to a secure development lifecycle is not trivial. According to security-based security provider Veracode, companies must overcome a number of tactical hurdles to create a security-conscious culture.
- Create testing methods that scale. As organizations move to Agile and continuous deployment, they need testing methods that are automated and that can be integrated with existing processes.
- Provide results that are useful to developers. One drawback of manual testing (and some automated testing results) is that it's difficult to make information accessible so developers can fix the issues. Line-of-code reports are more useful than vulnerability type reports that don't include diagnostic information about what went wrong.
- Hire enough talent. It takes specialized skills to apply security to software development and to bring developers along in the process. For most organizations, there aren’t enough people with the right skills in the market to make a program work at scale.
Plan for a secure architecture
Organizations need to incorporate security architecture, design reviews, code reviews and security testing, along with vulnerability management and environment hardening, said Sachin Agarwal, vice president of product marketing and strategy at SOA Software. There are several tools in the market that enforce Agile governance to ensure best practices across design, development and operation of application and services.
Relying on tools alone is not enough; tools can give IT teams a false sense of security, said Patton. Using tools to analyze and audit code on a consistent and regular basis is an important part of secure coding. But using tools such as AWS, VPC, and AWS security groups has no effect on vulnerabilities that can be exploited over ports that must be open for the application to function, Patton added. Coders also need to keep in mind that they write software that runs on a customer's computer, which can be targeted directly.
Code Spaces suffers after AWS cloud security hack
AWS beefs up cloud security