

Plot out a secure software development process in AWS

Think ahead and conduct regular reviews of vulnerabilities to build secure applications in the AWS cloud.

Security is a key consideration for enterprises rolling out new applications on AWS. Security should be a forethought, deployed early instead of leaving enterprises fighting fires after a breach. Some of the best practices for a secure software development process include conducting security reviews earlier in the software development lifecycle, auditing application libraries and Amazon Web Services, and evaluating security logs for suspicious behavior after applications have been deployed.

Review early and often when securing software

The earlier companies can detect potential security issues, the less they cost to fix. Traditionally, organizations had application developers work with analysts to define new requirements and implement new application capabilities. The developers then coded the new functionality, handed the resulting code off to the testing group and passed the code to the operations team for deployment. At this point, the security team ran vulnerability analysis to assess any potential flaws. When vulnerabilities were detected, the development team fixed them, and the code had to go back through the entire software development lifecycle (SDLC) before the app could eventually be released.

A much better approach brings the security team in at the requirements-gathering stage; security teams work in parallel with the development and testing teams to detect and report back any known vulnerabilities. This reduces the time and effort required to generate new code.

Securing the SDLC

Development teams can use static and dynamic code analysis tools to identify potential security bugs. This makes it easier to identify and fix potential problems as part of the development cycle itself. Leading static code analysis tools for AWS include Alert Logic, Klocwork and Veracode.

Another good practice for securing software is to run dynamic code analysis on application logic after it has been compiled. These tools tend to be more complex, but can find problems that static analysis misses. Leading dynamic code analysis tools for AWS include SensioLabsInsight and CAST Code Analysis Tools. The U.S. Department of Homeland Security has also established the Software Assurance Marketplace to provide a comprehensive assessment platform for testing new code.

Modern applications are generally built by assembling software libraries together to speed the development process. This allows developers to focus on new capabilities rather than reinventing the wheel. But software vulnerabilities are sometimes found after applications have been released. In some cases, the latest versions of these libraries contain vulnerabilities not found in earlier versions.

Leading enterprises like Dell are turning to software library auditing tools like Sonatype to help inventory the software libraries used throughout the SDLC. These can eliminate the use of insecure libraries and help remediate vulnerabilities discovered in existing libraries. For example, Dell was able to respond to and repair the Heartbleed vulnerability in only five minutes, while other organizations struggled for months.
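The following sketch is an added example, not code from the article or from any tool it names. It shows why an inventory makes that kind of response fast: the application names and inventory are constructed, and the affected range is Heartbleed's (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), a case where an older branch is unaffected while a newer one is.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
# The older 0.9.8 and 1.0.0 branches never contained the flawed heartbeat code.
ADVISORIES = [
    {"name": "Heartbleed", "library": "openssl",
     "first_affected": "1.0.1", "last_affected": "1.0.1f", "fixed_in": "1.0.1g"},
]

# Constructed inventory: library versions shipped by each (hypothetical) application.
INVENTORY = {
    "billing-api":   {"openssl": "1.0.1e", "zlib": "1.2.8"},
    "legacy-portal": {"openssl": "1.0.0k"},
    "storefront":    {"openssl": "1.0.1g"},
    "batch-worker":  {"openssl": "1.0.1"},
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_openssl_version(text):
    """Turn '1.0.1f' into a sortable key (1, 0, 1, 'f'); no letter sorts first."""
    match = _VERSION.match(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter)

def audit(inventory, advisories):
    """Return (app, library, installed, advisory, fixed_in) for every affected app."""
    findings = []
    for app, libs in sorted(inventory.items()):
        for adv in advisories:
            installed = libs.get(adv["library"])
            if installed is None:
                continue  # this application does not ship the library
            key = parse_openssl_version(installed)
            low = parse_openssl_version(adv["first_affected"])
            high = parse_openssl_version(adv["last_affected"])
            if low <= key <= high:
                findings.append((app, adv["library"], installed,
                                 adv["name"], adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    for app, lib, version, name, fixed in audit(INVENTORY, ADVISORIES):
        print(f"{app}: {lib} {version} is affected by {name}; upgrade to {fixed}")
```

Only `batch-worker` and `billing-api` are flagged: `legacy-portal` runs an older branch that predates the flaw, and `storefront` already has the fixed release.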

Secure configurations

Securing application code is only part of the equation of securing software for AWS. Modern applications often rely on dozens of supporting services, servers and networking components, which each come with multiple configuration settings. Security vulnerabilities can creep in when these settings are configured manually.

Deployment automation tools like Chef, Puppet, Salt and Ansible can help to automate the configuration and deployment of new applications in a reliable and consistent manner. These tools provide consistency between the development, testing and security analysis teams across the SDLC.

In addition, AWS includes a number of tools for automating the provisioning of new code in a secure manner, including AWS CodeDeploy, AWS CodeCommit and AWS CodePipeline. AWS CodeDeploy automates code deployment to AWS and on-premises infrastructure and eliminates the need for error-prone manual operations. AWS CodeCommit is a secure managed source control service. This can help secure code from malicious or accidental changes.

AWS CodePipeline is a continuous delivery and release automation service that helps to streamline application deployments. It supports the use of third-party tools and secure configuration validation services to ensure that applications are deployed with the appropriate configuration settings. It also helps to ensure that development teams, testing teams and security teams are working against applications with the same configuration settings across the SDLC.
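As an added illustration (not AWS's or any vendor's code), a configuration validation step of the kind described above can be a small gate that a pipeline stage runs before release. The setting names, environments and baseline below are constructed assumptions; the gate fails on baseline violations and on settings that silently differ between environments.

```python
# Baseline the security team requires in every environment (hypothetical keys).
REQUIRED = {"tls_min_version": "1.2", "debug_endpoints": False,
            "admin_cidr": "10.0.0.0/8"}
# Settings that may legitimately differ per environment.
ALLOWED_TO_DIFFER = {"instance_count", "db_host"}

# Constructed configs, as exported from each environment.
ENVIRONMENTS = {
    "dev":  {"tls_min_version": "1.2", "debug_endpoints": True,
             "admin_cidr": "10.0.0.0/8", "session_timeout_min": 15,
             "instance_count": 1, "db_host": "db.dev.internal"},
    "test": {"tls_min_version": "1.2", "debug_endpoints": False,
             "admin_cidr": "10.0.0.0/8",
             "instance_count": 2, "db_host": "db.test.internal"},
    "prod": {"tls_min_version": "1.2", "debug_endpoints": False,
             "admin_cidr": "0.0.0.0/0", "session_timeout_min": 15,
             "instance_count": 6, "db_host": "db.prod.internal"},
}

MISSING = "<missing>"

def baseline_violations(envs, required):
    """List (env, key, actual) wherever a required setting is absent or wrong."""
    out = []
    for env in sorted(envs):
        for key in sorted(required):
            actual = envs[env].get(key, MISSING)
            # Compare by repr so 0/False and 1/True are not treated as equal.
            if repr(actual) != repr(required[key]):
                out.append((env, key, actual))
    return out

def drift(envs, required, allowed):
    """Map each non-baseline, non-exempt key to its per-env values if they differ."""
    keys = set().union(*envs.values()) - set(required) - set(allowed)
    report = {}
    for key in sorted(keys):
        values = {env: cfg.get(key, MISSING) for env, cfg in envs.items()}
        if len({repr(v) for v in values.values()}) > 1:
            report[key] = values
    return report

def release_gate(envs, required, allowed):
    """True only when every environment meets the baseline and nothing drifts."""
    return (not baseline_violations(envs, required)
            and not drift(envs, required, allowed))

if __name__ == "__main__":
    print(baseline_violations(ENVIRONMENTS, REQUIRED))
    print(drift(ENVIRONMENTS, REQUIRED, ALLOWED_TO_DIFFER))
    print("release allowed:", release_gate(ENVIRONMENTS, REQUIRED, ALLOWED_TO_DIFFER))
```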

Despite the best efforts at creating a secure software development process, security breaches may occur. Application security can be compromised by a variety of weak links including zero-day vulnerabilities, social engineering and insiders with malicious intent. As a result, organizations should incorporate tools for analyzing the behavior of applications, servers and networks after the fact to respond to security breaches in a timely manner.
