Cloud application security is where things get really interesting in the CCSP journey. We're moving beyond the nuts and bolts of infrastructure and platforms, and diving into the heart of what many organizations care about most: their applications.
In this complex world of cloud environments, securing applications isn't just about writing good code. It's a multifaceted challenge that touches on everything from development practices to user authentication to involving security from the beginning. We'll navigate these waters together, exploring how to build a robust security posture that can stand up to modern threats.
Ready to take your cloud security skills to the next level? Let's dive into CCSP Domain 4 and unpack the essentials of cloud application security.
4.1 Advocate training and awareness for application security
Those in charge of cloud application security must have a solid awareness of all of the moving parts that they are responsible for. They need to be well-trained in everything from the basics to the highly complex aspects of their roles.
Cloud development basics
Cloud development overlaps significantly with traditional application development. However, since you aren’t building on top of your own hardware infrastructure, the underlying cloud infrastructure is different, as are the abilities, limitations, security strengths and weaknesses.
One of the main benefits is in terms of efficiency. You can sign up to a PaaS (platform as a service) service and get started straight away with your code. You don’t have to worry about setting up your hardware or configuring your servers. If you opt to build on top of IaaS (infrastructure as a service) instead, it gives you a lot more control, but there is a lot more work required in setting up and managing your systems.
However, this pales in contrast to building on top of your own hardware. In both cases, scaling is a lot easier than traditional development, so you can get up and running without having to worry too much about forecasting usage.
While there are tremendous benefits associated with cloud development, there are also some complications. One aspect is that cloud services can quickly become incredibly complex. Another is that you must share some level of control and responsibility with cloud providers. Employees need to be trained and aware of the many cloud-related pitfalls that they can fall into when working under the cloud paradigm. They also need to be especially careful when moving applications from traditional environments to the cloud.
Common pitfalls
Organizations that use cloud services must have a clear understanding of the various development pitfalls that they can fall into. Some of the major pitfalls include:
- On-premises systems may not transfer to the cloud easily.
- Confusion over who is responsible.
- Lack of a secure development framework.
- Interoperability and vendor lock-in.
- Insufficient support or budget from senior management.
- Lacking skills, knowledge and training.
- Misunderstanding the different risk profiles.
- Complexity.
- Multitenancy.
Common cloud vulnerabilities
Due to the complexity of cloud development, there are many different vulnerabilities and security risks that cloud developers need to be aware of. The OWASP Top 10 web application vulnerabilities are:
- Broken access control
- Cryptographic failures
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
OWASP also keeps track of mobile application security risks in its OWASP Mobile Top 10 , which are:
- Improper credential usage
- Inadequate supply chain security
- Insecure authentication/authorization
- Insufficient input/output validation
- Insecure communication
- Inadequate privacy controls
- Insufficient binary protections
- Security misconfiguration
- Insecure data storage
- Insufficient cryptography
The SANS Institute’s Top 25 Software Errors are:
- CWE-787 Out-of-bounds write
- CWE-79 Improper neutralization of input during web page generation (cross-site scripting)
- CWE-89 Improper neutralization of special elements used in an SQL command ('SQL Injection')
- CWE-416 Use after free
- CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')
- CWE-20 Improper input validation
- CWE-125 Out-of-bounds read
- CWE-22 Improper limitation of a pathname to a restricted directory ('path traversal')
- CWE-352 Cross-site request forgery (CSRF)
- CWE-434 Unrestricted upload of file with dangerous type
- CWE-862 Missing authorization
- CWE-476 NULL pointer dereference
- CWE-287 Improper authentication
- CWE-190 Integer overflow or wraparound
- CWE-502 Deserialization of untrusted data
- CWE-77 Improper neutralization of special elements used in a command ('command injection')
- CWE-199 Improper restriction of operations within the bounds of a memory buffer
- CWE-798 Use of hard-coded credentials
- CWE-918 Server-side request forgery (SSRF)
- CWE-306 Missing authentication for critical function
- CWE-362 Concurrent execution using shared resource with improper synchronization ('race condition')
- CWE-269 Improper privilege management
- CWE-94 Improper control of generation of code ('code injection')
- CWE-863 Incorrect authorization
- CWE-276 Incorrect default permissions
4.2 Describe the Secure Software Development Life Cycle (SDLC) process
The software development life cycle (SDLC) is a process for developing high-quality software in an efficient and cost-effective manner. The secure SDLC brings security into the picture, integrating it from the earliest stages to ensure that the software meets its functional requirements while providing adequate security.
Business requirements
You need to consider the business requirements before you start developing your application. If you don’t start by thinking about what the business actually needs, it’s unlikely that the software you produce will adequately fulfill its requirements. We often refer to the process of considering business requirements as validation.
Phases and methodologies
The Cloud Security Alliance developed three “meta-phases” as a descriptive model to help us understand the secure software development lifecycle:
Secure design and development | This meta-phase ranges from training and developing organization-wide standards to actually writing and testing code. |
Secure deployment | This meta-phase includes security and testing activities when moving code from an isolated development environment into production. |
Secure operations | This meta-phase includes securing and maintaining production applications, including external defenses such as web application firewalls (WAF) and ongoing vulnerability assessments. |
There are many different methodologies and models you can use for secure software development. The ideal one is dependent on what you are trying to achieve and what your priorities are. In the subsequent sections, we will be discussing two of the most common choices, waterfall and Agile.
Looking for some CCSP exam prep guidance and mentoring?
Learn about our personal CCSP mentoring
The waterfall model
An adjusted version of the waterfall model is:
- Initiation (planning and management approval)
- Requirements analysis
- Design
- Development
- Testing
- Deployment
There are two further phases that can be added on to form the system life cycle (SLC). These are:
- Operation
- Disposal
Both the software development life cycle and the system life cycle are shown in the following diagram:
The Agile model
In contrast to the discrete steps of the waterfall model, the Agile model is a set of 12 principles:
The 12 Agile principles | |
---|---|
Our highest priority is to satisfy the customer through early and continuous delivery of valuable software. | |
Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage. | |
Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale. | |
Business people and developers must work together daily throughout the project. | |
Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done. | |
The most efficient and effective method of conveying information to and within a development | |
Working software is the primary measure of progress. | |
Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely. | |
Continuous attention to technical excellence and good design enhances agility. | |
Simplicity—the art of maximizing the amount of work not done—is essential. | |
The best architectures, requirements, and designs emerge from self-organizing teams. | |
At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly. |
Immutable infrastructure
Immutable infrastructure is infrastructure that can’t be changed. Immutable infrastructure can include virtualized components such as boundary firewalls, routers, switches, and various workloads. These immutable workloads include virtual machines and containers that have been configured so that no changes are possible. Both immutable infrastructure and immutable workloads are often created by building systems that don’t allow changes, or by enforcing automated processes that overwrite any unauthorized changes.
If we wanted to deploy a server as an immutable VM (virtual machine), we would take the server configuration files and source code and build them into an image. We would then store that image in the repository, as seen in the diagram above.
Once it has been built, it would need to be tested. Upon completion of testing, it’s termed a master image, which is also stored in the repository. You can then deploy copies of the master image into production. If these immutable servers required changes, you would have to rebuild an image with the appropriate changes, put it into testing, deploy it, and then throw out the old immutable VM.
Infrastructure as code (IaC)
Infrastructure as code allows us to deploy infrastructure using software commands. Instead of using interactive configuration tools and commands, IaC allows the usage of machine-readable definition files to make changes to architectures and their configurations. Since cloud customers are using virtualized forms of their provider’s underlying physical resources, customers can configure their infrastructure through code. We use configuration files to specify the details.
With just a few lines of code, a cloud customer can launch the infrastructure they need. When they need to instantiate a new load balancer or create a new VM, all the customer needs to do is send API calls, because it’s all virtualized. This infrastructure can be made immutable, which is a good way to lock it down and secure your environment.
DevOps and DevSecOps
DevSecOps is based on the DevOps approach, which involves integrating software development (Dev) and IT operations (Ops). This can make the software development lifecycle more responsive, resulting in the delivery of quality software at a faster pace, with more frequent releases. DevSecOps brings in security (Sec) as well, decentralizing security practices and making delivery teams responsible for security controls in their software. DevSecOps brings security practices into the entirety of the software development lifecycle, relying heavily on automation to secure code from the initial stages all the way through to testing, deployment, and delivery. The following diagram provides a visualization of the DevOps approach, while the DevSecOps manifesto is included in the table.
The DevSecOps Manifesto principles | |
---|---|
Leaning in over always saying “no” | |
Data & security science over fear, uncertainty and doubt | |
Open contribution & collaboration over security-only requirements | |
Consumable security services with APIs over mandated security controls & paperwork | |
Business driven security scores over rubber stamp security | |
Red & blue team exploit testing over relying on scans & theoretical vulnerabilities | |
24x7 proactive security monitoring over reacting after being informed of an incident | |
Shared threat intelligence over keeping info to ourselves | |
Compliance operations over clipboards & checklists |
Continuous integration, continuous delivery (CI/CD)
CI/CD stands for continuous integration, continuous delivery, although sometimes sources switch out “delivery” for “deployment”. Continuous integration involves automating many of the steps for committing code to a repository, as well as automating much of the testing. This allows code changes to be frequently integrated into the shared source code and ensures that a bunch of testing gets done easily.
Continuous delivery also involves automating the integration and testing of code changes, but it includes delivery as well, automating the release of these validated changes into the repository. Continuous deployment takes things a step further and automatically releases the code changes into production so that they can be used by customers. With continuous deployment, code changes can be automatically put into production without further human intervention, as long as they pass through all of the testing and there are no issues. If there is an error in any of these steps, the changes will get sent back to the developer. The diagram highlights how these three processes overlap:
4.3 Apply the Secure Software Development Life Cycle (SDLC)
Now that we have outlined the software development life cycle, we can dive into some of the security considerations in more depth.
Cloud-specific risks
he huge contrast between traditional architectures and the cloud means that there are a range of cloud-specific risks. Some of these include:
- Due to the shared responsibility model, cloud customers will share both control and responsibility with their provider.
- Under the cloud model, customers generally have less visibility.
- The management plane offers centralized control that isn’t available under traditional architectures. However, because it has so much access and power, it must be carefully secured.
- Public clouds have multitenancy. Although cloud providers should enforce logical isolation between tenants, this is still a risk that doesn’t exist in on-premises infrastructure.
Threat modeling
Threat modeling involves systematically identifying, enumerating and prioritizing the threats that relate to an asset. This allows us to assess the risk to a given asset, as shown in the diagram below. There are many different threats that can impact assets with wide-ranging value and sensitivity. We need a systematic way to identify and prioritize threats so that we can effectively allocate our limited resources toward mitigation.
The components of risks
The STRIDE model
Threat | Violation | Definition |
---|---|---|
Spoofing | Authentication | Spoofing of user identity involves an attacker circumventing authentication by leveraging a user’s personal information or replaying steps of the authentication process. |
Tampering | Integrity | Tampering with data involves making unauthorized changes to user or system data. |
Repudiation | Non-repudiation | Repudiation refers to the ability to deny something. If a system is designed with adequate non-repudiation controls a user cannot take an action and then plausibly deny their activity later on. |
Information disclosure | Confidentiality | Information disclosure involves exposing information to unauthorized parties. |
Denial of service | Availability | Denial of service involves making a system unusable or unavailable. |
Elevation of privilege | Authorization | Elevation of privilege is where someone escalates their privileges to access systems and resources that they are unauthorized to access. |
The DREAD model
The STRIDE model helps you to identify and categorize threats, while the DREAD model aims to help you determine the severity of a threat:
Damage potential | The maximum amount of damage that the threat could pose. |
Reproducibility | This measures how difficult an attack is to reproduce. |
Exploitability | This is a measure of how much skill, energy and resources are required for the attack. |
Affected users | This is the portion of users that would be affected. |
Discoverability | This metric is an estimation of the likelihood of an attacker discovering it. |
The PASTA model
The Process for Attack Simulation and Threat Analysis (PASTA) model is a more recent development. Its steps are outlined in the following table:
Define objectives | This stage involves identifying business and security objectives as well as conducting a business impact analysis. |
Define technical scope | This includes:
|
Application decomposition | This step involves analyzing the use cases, actors, assets, data sources and trust boundaries. It also involves creating data flow diagrams. |
Vulnerability mapping | This stage involves mapping vulnerabilities to assets. |
Attack modeling | This phase is where you build an attack tree, as well as map attack nodes to vulnerability nodes. |
Risk and impact analysis | In the final stage, you both quantify and qualify the business impact, analyze the residual risks, identify mitigation strategies and develop countermeasures. |
The ATASM model
The ATASM model is a high-level process for threat modelling highlighted in the following table:
Architecture | This step involves understanding:
|
Threats | The threats step involves:
|
Attack Surfaces | Attack surfaces provides both the A and S of the acronym. This stage of the process involves:
|
Mitigations | The mitigations step involves:
|
Avoid common vulnerabilities during development
We introduced many of the most common vulnerabilities when we discussed the OWASP Top 10 and the SANS Top 25 in 4.1 Common Cloud Vulnerabilities. Now we will delve into some of the most important ones in more depth.
Cross-site scripting (XSS)
There are three major types of cross-site scripting (XSS):
Stored (persistent) | Injected code is stored on the server and sent to subsequent website visitors. |
Reflected (non-persistent) | Injected code is passed to a vulnerable server via URL and reflected to the victim. The URL is often sent to the victim through phishing emails. This is the most common type of XSS attack. |
DOM (Direct Object Model) | The DOM environment in the victim’s browser is modified and malicious code is injected. DOM attacks are pretty rare, so we won’t bother delving into them any further. |
Stored XSS Attack
Reflected XSS Attack
Cross-site request forgery (CSRF)
The core of a CSRF attack is illustrated in the following diagram. It involves:
- An attacker tailoring a link that can direct a user into submitting an unwanted action.
- The attacker sending a link to the victim.
- The victim clicking on the link which sends a request to the website.
- The website processing the request. It assumes that the request is legitimate because it originates from the victim’s web browser. However, the victim must be logged into their account at the time in order for this to work.
Below are the important differences between XSS and CSRF attacks:
Cross-site scripting (XSS) | Cross-site request forgery (CSRF) |
---|---|
An unwanted action is performed on the user’s browser. | An unwanted action is performed on a trusted website. |
The user’s browser runs malicious code. | The website’s server executes a command from the user’s browser. |
The user’s browser is exploited. | The website’s server is exploited. |
Insecure direct object referencing
Insecure direct object reference vulnerabilities occur when applications do not check authentication against user-supplied inputs. The following image shows an example of a malicious user exploiting an insecure direct object reference vulnerability on a website.
SQL injection
To comprehend SQL injection, you first need an understanding of Structured Query Language (SQL), which is a language used for communicating with databases. SQL injection is a method of attack that utilizes SQL commands and can be used for modification, corruption, insertion, or deletion of data in a database.
The image above illustrates what SQL injection looks like. In this case, imagine a webserver with a database residing behind it. The website associated with this configuration is a dynamic website, meaning that web pages can be created dynamically using data from the database, based upon user requests and interaction with the website.
Due to the dynamic nature of these websites, a persistent connection to the database is required, but a web user should never be able to directly interact with the back-end database. However, SQL injection makes this possible.
A simple login screen is used so that when a person enters their username and password, the database will be queried for the corresponding information, and if it is valid, the user should be authenticated. Using SQL injection, however, neither a correct nor incorrect username is entered into the “Username” field. Instead, SQL code is entered as shown in the image above.
The first part of this code—aaa—is just text and could be replaced by any other text, as can the bbb entry in the password field. However, everything else following the aaa in the username field (‘ OR 1=1 --) constitutes the SQL injection string.
Once this information is entered, the web server will formulate the request into SQL code and send it to the database server, asking if this username and password exist in the database. The first SQL statement below the login box shows how this request will be perceived by the back-end SQL database. Because of the apostrophe (‘) at the end of aaa, the database server treats aaa as the end of the username and then searches for the username aaa, which probably does not exist. Next, OR 1=1 is treated as an SQL statement, which when analyzed yields “true.” In essence the interpreter executes a logical OR query, which is true if either of the conditions accompanying it are considered true. aaa doesn’t exist (resulting in a false state); however, 1 always equals 1, so that returns a true state. Finally, within SQL, the use of “--” signifies that everything that follows it is a comment and would be ignored by the SQL interpreter.
Because of the above SQL command, the attacker can successfully authenticate and gain access to the system behind the login screen. This example highlights one very important thing: the web server passed unvalidated information directly to the database server. Unvalidated data should never be passed directly from a web server to a database server.
Buffer overflow
A buffer overflow happens when information sent to a storage buffer exceeds the capacity of the buffer. At a high level, applications accept input, process it, and provide output. When designing applications, buffers—temporary memory storage areas—are included to handle the input, processing, and output functionality. Buffer sizes are often determined ahead of time and don’t dynamically change. If an application somehow sends more information than a buffer can handle, it results in an overflow condition.
The fact that buffers can’t dynamically change size can be exploited. An attacker could create a situation where overflow data that contains executable code is placed into a storage area where the code is then executed. The first image shows two buffers, with one allocated to program A and another allocated to program B. The attacker then exploits a buffer overflow vulnerability and the data for program A overflows into the buffer for program B, as shown in the second image. If this overflow data contains malicious code, it could be executed in program B.
Two Buffers Storing Programs and Instructions
An Attacker's Data Overflows into Buffer B
Secure coding
Two common resources for secure coding are the OWASP Application Security Verification Standard (ASVS) and the Software Assurance Forum for Excellence in Code (SAFECode).
OWASP Application Security Verification Standard (ASVS)
The Open Worldwide Application Security Project (OWASP) publishes the Application Security Verification Standard (ASVS). It aims to help organizations build and maintain secure applications, as well as help consumers and vendors align their security requirements with security offerings. It sets out three separate application security verification levels:
- ASVS Level 1 – This is completely penetration testable by humans, and it is for low assurance levels.
- ASVS Level 2 – This is the recommended level for most apps that contain sensitive data and require reasonable protections.
- ASVS Level 3 – This level is for applications that require a very high level of trust, such as those that contain medical data or that process high-value transactions.
Software Assurance Forum for Excellence in Code (SAFECode)
The Software Assurance Forum for Excellence in Code (SAFECode) is a body made up of some of the biggest tech players like Microsoft and Dell. It provides a venue for tech experts and business leaders to share their insights on programs for effective software security. SAFECode’s publication, Fundamental Practices for Secure Software Development aims to help organizations begin or improve their software assurance programs.
Software configuration management and versioning
Software configuration management (SCM) is critical for managing software changes. Good SCM helps to maintain the integrity of software, reducing the chances of bugs and other undesired behavior. Version control is a critical part of the SCM process. If errors occur in updates, it allows us to roll back to the last known functional configuration.
Another important aspect is establishing baselines, which are formally reviewed and approved specifications. When effective software configuration management practices are followed, they can minimize mistakes and security issues, as well as increase overall productivity.
4.4 Apply cloud software assurance and validation
Whether we run our apps on-premises or in the cloud, we need to be able to assure our stakeholders that they are built with an appropriate level of security. Software assurance and validation are critical parts of demonstrating the security of our apps.
Before we implement a security control, we want to make sure that it meets its functional requirements and we also want a mechanism to grant us assurance that it delivers on these requirements. When we want to provide assurance to our stakeholders about the overall security of our software and architectures, we use security assessment and testing.
Functional and non-functional testing
Functional tests involve testing whether software functions as it is supposed to. These include things like basic functionality, usability, and accessibility.
Security testing methodologies
Before we deploy our software into production, it must be carefully tested. Proper testing can help us determine potential security issues before they are exploited.
Methods and tools
We should use both manual and automated testing when developing software. Manual testing means a person or a team of people are performing the tests. Automated testing means that test scripts and batch files are being automatically manipulated and executed by software. Thorough testing employs both manual and automated approaches to produce a multitude of outcomes and to achieve the best results.
Code review and access to source code
Code review and access to source code can be considered from two perspectives when testing:
- Without access to the source code (also known as black-box testing).
- With access to the source code (also known as white-box testing).
Static application security testing (SAST), dynamic application security testing (DAST) and fuzz testing
Static application security testing (SAST) is conducted when an application is not running. It involves examining the underlying source code, which makes it a type of white-box testing, because the code is visible.
Dynamic application security testing (DAST) involves testing a running application and it focuses on the application and system as the underlying code executes. In contrast to static testing, dynamic testing is a form of black-box testing, because the code is not visible.
Fuzz testing is a form of dynamic testing that is premised on chaos. Fuzz testing involves throwing randomness at an application to see how it responds and what might cause it to break.
There are two major types of fuzz testing:
Mutation (dumb fuzzers) | Generation (intelligent fuzzers) |
---|---|
|
|
Below are the key differences between static application security testing, dynamic application security testing and fuzz testing.
Static application security testing (SAST) | Dynamic application security testing (DAST) | Fuzz testing |
---|---|---|
|
|
|
Interactive application security testing (IAST)
Another type of testing known as interactive application security testing (IAST) combines elements of both SAST and DAST. Testing is performed as the application is running (DAST) with access to the code (SAST).
Software composition analysis (SCA)
Software composition analysis (SCA) uses automation to find open-source software within code. The aim is to gain insight into the quality of the code, evaluate its security and check that any relevant licenses are being complied with. Open-source software and licensing can be incredibly complex, and it’s easy to overlook critical issues.
Test types
When a system is running, it’s possible to test it as if a user was using it. The system can be tested a few different ways, such as by positive testing or negative testing, which are explained in the table below. Another type of testing is abuse (also known as misuse) case testing, which we cover further down the page under Abuse case testing.
Positive testing | Focuses on the response of a system, based upon normal usage and expectations. |
Negative testing | Focuses on the response of a system when normal errors are introduced. |
Vulnerability assessment and penetration testing
Purpose of a vulnerability assessment
Vulnerability assessments and penetration testing (better known as pen testing) are important topics when discussing vulnerabilities and threats. As a quick review, a vulnerability can be defined as a weakness that exists in a system, while a vulnerability assessment is an attempt to identify vulnerabilities in a system.
Before you can begin a vulnerability assessment or a pen test, you need to know which assets exist. Next, the threats these assets face must be identified.
Vulnerability assessment vs. penetration testing
The image above shows how vulnerability assessments and penetration testing compare. Vulnerability assessments are examinations that look for security weaknesses and evaluate security controls. Vulnerability assessments can be automated and are relatively fast. A report documenting the findings and recommendations is compiled at the end of a vulnerability assessment.
Penetration tests are similar to vulnerability assessments, but they tend to involve more manual work. They involve finding vulnerabilities and then trying to exploit them to prove they are exploitable. The steps of a penetration test are: