Chapter 5: Cloud Application Security
Minimum Viable Product (MVP)
A preliminary version of a product designed to ensure that product vision and strategy are aligned with market needs.
API
A set of routines, standards, protocols and tools for building software applications to access a web-based software application or web tool
Maintenance
After the software is deployed into production, the application is maintained and updated as required.
Release Management
Agile methodologies speed up the development cycle and leverage automated CI/CD pipelines to enable frequent releases. Release management processes ensure that software has passed required tests and manage the logistics of the release (scheduling, post-release testing, etc.).
ATASM Model
Architecture, Threats, Attack Surfaces, Mitigations. A threat modeling approach that highlights the importance of structural understanding of a system for the purpose of threat modeling
Common Challenges for app migration
Are the applications built to drive economic benefits using cloud elasticity? Is there a performant persistence layer abstracted from the rest of the app? For the approach taken to persistence, will it enable the solution to scale up and down with demand? Can the cloud's elasticity be used to shrink the horizontal scale without losing data and transactions? That is, can savings promised by the cloud be delivered by scaling down infrastructure, when demand is low, until demand grows again?
Insecure Interfaces and APIs
Because they serve as a "front door," they are highly likely to be attacked and thus they require security by design. Practicing good API hygiene is imperative, including inventorying, auditing, testing and abnormal activity protection.
Interactive Application Security Testing (IAST)
Best suited for web applications and web APIs, aims to perform behavioral analysis, uses both SAST and DAST
Insufficient Identity, Credential, Access and Key Management
Breaches can occur due to the following: Inadequate protection of credentials; Lack of regular automated rotation of passwords, certificates and cryptographic keys; Lack of scalable credential, identity and access management systems; Failure to implement multifactor authentication; Failure to enforce strong passwords
Continuous Integration
Build + test
Define
Business and security requirements and standards are determined. All relevant and any ambiguities resolved. When requirements are final, a software requirements specification (SRS) is created as guidance to application developers.
The seven touchpoints of software security
Code review, Architectural risk analysis, Penetration testing, Risk-based security tests, Abuse cases, Security requirements, Security operations
Life Cycle Stages
Concept, Development, Production, Utilization, Support, Retirement
Organizational Relevance
Cybersecurity, internal audit, architecture team, software development team, operations, legal/privacy, GRC team, supply chain management, HR
Egregious Eleven
Data Breaches; Misconfiguration and Inadequate Change Control; Lack of Cloud Security Architecture and Strategy; Insufficient Identity, Credential, Access and Key Management; Account Hijacking; Insider Threat; Insecure Interfaces and APIs; Weak Control Plane; Metastructure and Applistructure Failures; Limited Cloud Usage Visibility; Abuse and Nefarious Use of Cloud Services
PASTA Stages
Define objectives, define tech scope, application decomposition, threat analysis, vulnerability and weakness analysis, attack modeling, risk and impact analysis
SDLC
Define, Design, Test, Develop, Deployment, Maintenance, Disposal
Develop
During this phase, software architecture design is translated into source code. All components of the software are implemented in this phase. Code review, unit testing and static analysis are used to ensure a secure design.
Insider Threat
Employees should be trained in good practices and made aware of the consequences of noncompliance. Automated tools should be used to fix misconfigured cloud servers and access to critical systems should be restricted.
Code and branch coverage
Ensures each possible branch from each decision point is executed at least once.
Microservice
Fits well with Agile, delivers a single capability, runs in a container (can run as service products). Each delivers a single capability and communicates using APIs. Form an architecture that segregates functions of an application into discrete, decentralized and business objective-driven processes.
Functional Testing
Functional testing ensures that end-user requirements are properly satisfied by the application.
Data Breaches
Hackers target sensitive data for exfiltration, and ransomware attacks seek to deny an organization access to its own systems and data. Any unintended access to confidential information.
Lack of Cloud Security Architecture and Strategy
Implementation of appropriate security architecture for the cloud is essential to withstand cyberattacks. Data is exposed to a range of threats when organizations assume that cloud migration is a "lift-and-shift" endeavor.
DevSecOps
Include security in every phase; best to have implemented at the beginning: BUILD, CODE, OPERATE, TEST, RELEASE, PLAN, MONITOR
benefits of FaaS
Increased developer productivity and faster development time; Not responsible for server management; Easy to scale and horizontal scaling is managed by the platform; Only pay for or consume resources when necessary and as needed; Functions can be written in almost any programming language.
Limited Cloud Usage Visibility (Shadow IT)
Individuals can weaken the security posture of the organization in several ways; for example, they may use free applications, or they may buy cloud application services on a credit card.
Common pitfalls
Lack of training/awareness, encryption dependencies (wide range of solutions), lack of documentation and guidelines, complexities for integration, multitenancy, 3rd party admin, security tools reliant on deployment and service models (tiers)
Waterfall Model
Linear sequential model, outcome for one phase is input for next phase. Requirements, Design, Implementation, Testing, Deployment, Maintenance
Account Hijacking
Malicious attackers may gain access to accounts that are highly privileged or which contain sensitive data. This could potentially result in full compromise of the affected accounts. IAM controls and Defense in Depth are crucial for mitigating.
Abuse and Nefarious Use of Cloud Services
Malware that is unintentionally hosted by a cloud service can appear more legitimate because the malware arrives from the CSP's domain. Cloud-native tools to monitor cloud use should be used.
Deployment
Once the application has been deployed, the application enters a secure operations phase.
Kubernetes
Orchestration for Docker and containers; an open source container orchestration system for automating application deployment, scaling and management.
Architectural Relevance
Physical, network, compute, storage, application, data
Problem Management
Problems are the root causes of incidents and problem management involves identifying and addressing these issues to prevent or reduce the impact of future incidents. The organization should track known incidents and have steps documented to fix them or workarounds to provide a temporary fix.
Life Cycle Processes
Recursive, Iterative, Concurrent, Parallel, Sequenced Execution
Design
Requirements documented in the SRS document inform the software architecture ______, which is used for software development and implementation. Threat modeling used to drive secure ____.
STRIDE Threat Model
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
ISO 15288
Standard that details the security that should be built into a device to safeguard it during its life cycle. It includes the following processes: Agreement Processes, Organizational Project-Enabling Processes, Technical Management Processes, Technical Processes
Systems and Software Engineering (SSE)
System security is achieved by completely understanding the stakeholder-defined problems, related security concerns, protection needs and security requirements. One important aspect includes the trustworthiness context, which is decision based and results in evidence-based demonstrations of trustworthiness. The trustworthiness context generally consists of developing, maintaining and actioning assurance cases.
Black-Box Testing
The application under test (AUT) is validated against its requirements considering the inputs and expected outputs, regardless of how the inputs are transformed into outputs. Tester has no prior knowledge of internal workings.
Cloud Readiness Assessment
The extent of preparedness for adoption of the cloud can be measured based on the organization's mission (motivation, business case), its people (sponsors, interest), processes (fit with current processes, understand current state), platforms (landing zone in cloud, hybrid cloud most common), operations (understand who has what responsibilities, BCDR, policy) and security (ensuring tools can meet security requirements, may require new tools).
NIST SP 800-218
This document recommends the Secure Software Development Framework (SSDF) - a core set of high-level secure software development practices that can be integrated into each SDLC implementation; reduce vulnerabilities in software; mitigate exploitation; provides a common vocabulary for secure dev
NIST SP 800-160 Vol. 1
This document starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE), and infuses systems security engineering methods, practices and techniques into those systems and software engineering activities. The objective is to address security issues from the perspective of a stakeholder's protection needs, concerns and requirements; designed to be used in conjunction with ISO 15288
Test
This phase starts once the coding is complete and the modules are released. Any defects are remediated; results are evaluated for adherence to the SRS. Functional, user acceptance (UAT), and quality assurance processes are also completed.
Software Composition Analysis (SCA)
Using code with vulnerable components can be avoided through this, gain visibility into open-source inventory, sunset old libraries, identify existing security and support issues
ISO 27034
Using reusable software security controls or functions across multiple applications is more efficient than bespoke efforts. Assists organizations to integrate security throughout the application life cycle by: • Providing concepts, principles, frameworks, components and processes. • Providing mechanisms that establish security requirements, assess risks, assign a Targeted Level of Trust and more. • Providing acceptance criteria guidelines for outsourcing the application development or operation, and for purchasing from third-party applications. • Providing mechanisms to collect, determine and generate evidence that applications can be securely used in a defined environment. • Supporting specified ISO/IEC 27001 concepts and assisting with the satisfactory implementation of information security based on a risk management approach. • Providing a framework that helps implement the security controls specified in ISO/IEC 27002 and other standards. • Applicable to application software and contributing factors that impact security. • Applicable to all organizations exposed to application security risks.
Disposal
When an application is no longer required, it is disposed of.
Metastructure and Applistructure Failures
_____ is the amalgamation of applications and technological infrastructure. Typically, an API call discloses this information, and the protections that it discloses are incorporated in the ______ layer, which is the line of demarcation between the CSP and the consumer.
Extreme Programming (XP)
a lightweight methodology best suited for developing software when the requirements are vague or tend to change frequently.
Docker
a set of coupled SaaS and PaaS products that use operating system level virtualization to develop and deliver software containers
DNS
a stateless microservice
ASVS Level 1
adequately defends against application security vulnerabilities that are easily discoverable and are included in the OWASP Top 10 and other similar checklists; minimum standard
Level 2
adequately defends against most of the risks associated with software today; appropriate for applications that handle significant business-to-business transactions
Dynamic Application Security Testing (DAST)
aims to identify potential security vulnerabilities of web applications and their infrastructure; run in prod for accuracy; suitable for identifying configuration issues and certain types of software vulnerabilities (XSS, SQL injection)
App-V
allows an application to be deployed virtually, running in an isolated memory bubble on the endpoint without having to be physically installed
REST
architectural, easy to learn, needs to be secured with SSH, HTTPS, etc. Key-value pairs (long URLs are usually SOAP, shorter are REST)
Use Case Testing
are closely bound to requirements, describing user-focused scenarios that represent what a system does when the system is used in ways in which it was designed to be used
Abuse Case Testing
cases are not reflections of the end-user views; as such, their development requires thinking with the perspective of malicious subjects who are aiming to inflict damage.
Continuous Delivery
code movement from one environment to another
Application Virtualization
creates a virtual environment in which to run an application; main goal is to test applications while protecting the operating system and other applications of a particular system
Information Security Management
define a consistent company-wide method for managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of corporate data and systems. Relevant frameworks include the ISO 27000 series, the NIST Risk Management Framework (RMF), and AICPA SOC 2.
Change Management
defines a process for changes to software, processes, etc., reducing the risk that systems will break due to poorly managed changes. A formal change request should be submitted and approved or denied by a change control board after a cost benefit analysis. If approved, the change will be implemented and tested. The team should also have a plan for how to roll back the change if something goes wrong.
Static Application Security Testing (SAST)
describes a set of technologies used to analyze application source code, byte code and binaries for coding and design conditions that can indicate security vulnerabilities
Secure Code Review
formal process usually involves a software inspection process that uses trained teams, assigned roles and responsibilities and a formal metric and quality tracking program. Integration into the system development life cycle can yield dramatic results in the overall quality of the code developed.
Misuse testing
has intent; not fat-fingering a password or something
SOAP
highly extensible, secure, hard to learn
Vulnerability Assessments
identify and report on known vulnerabilities in a system
Quality control
internal facing
Continuity Management
involves managing events that disrupt availability. After a business impact assessment (BIA) is performed, the organization should develop and document processes for prioritizing the recovery of affected systems and maintaining operations throughout the incident.
Deployment Management
involves managing the process from code being committed to a repository to it being deployed to users. In automated CI/CD pipelines the focus is on automating testing, integration, and deployment processes. Otherwise, an organization may have processes in place to perform periodic manual deployments.
Continual Service Improvement Management
involves monitoring and measuring an organization's security and IT services. This practice should be focused on continuous improvement, and an important aspect is ensuring that metrics accurately reflect the current state and potential process.
sandbox
isolates and utilizes only the intended components while having appropriate separation from the remaining components; typically used to run untested or untrusted code in a tightly controlled environment
Cloud native
means a container-based environment. They often use API gateways, a container registry and a messaging layer that supports publish-subscribe.
Misconfiguration and Inadequate Change Control
occurs when assets are provisioned with insecure configurations, leaving them vulnerable to attack. Data storage elements or containers may have default credentials and configuration settings left unchanged, excessive permissions may be given and standard security controls may be disabled.
Quality Assurance
outward facing
Threat Modeling
performed once an application design is created. The goal is to determine any weaknesses in the application and the potential ingress, egress and actors involved before it is introduced to production
Weak Control Plane
prevents full control of the infrastructure and its security. If stakeholders do not know how the security configuration works and what the data flows are, then architectural blind spots and weak points will exist
Penetration Testing
process used to collect information related to system vulnerabilities and exposures, then to actively exploit the vulnerabilities in the system
OWASP ASVS
provides a set of application security verification criteria and may also be used as a catalog and a standard source of security requirements that are categorized and placed into various buckets
Incident Management
refers to addressing unexpected events that have a harmful impact on the organization. Most incidents are managed by a corporate security team which should have a defined and documented process in place for identifying and prioritizing incidents, notifying stakeholders and remediating
continuous integration/continuous delivery (CI/CD)
relies on the automation of much of the routine work of transforming code changes into working software, including delivering tested code to production. CI and CD typically go hand in hand and the same CI server will likely also handle CD.
Nonfunctional Testing
requires synthetic transactions and test harnesses, to prove volumetric requirements.
Level 3
reserved for applications that require significant security verification, such as those that may be found within areas of military, health and safety and critical infrastructure
PASTA Model
risk-centric threat modeling framework; contains seven stages, each with multiple activities
Function as a Service (FaaS)
serverless architecture, is native to the cloud; event driven execution model that runs in stateless containers and those functions manage server side logic and state using services from a provider. Composed of two elements, microservices and containers.
Continuous Security Validation
shifts the security team's responsibility from approving each release to approving the CI/CD process and having the ability to monitor and audit the process at any time
White-Box Testing
validates how the business logic of the application is implemented. Testers can see how the code and system are constructed and have full visibility into code/design
