As we discuss in Learning Tree’s Cloud Security Essentials course, it is enormously difficult to design and implement secure systems.
Help is available! SAFECode or the Software Assurance Forum for Excellence in Code has the mission statement “”SAFECode is dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.”
They have published a very good document, Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. It’s full of solid practical advice for designers and programmers. Technical details, not just overviews watered down for management as you often find in white papers on the web.
For example, minimize the use of unsafe string and buffer functions. Fully validate all input. Select appropriate shared libraries for strong cryptography, avoiding Cross-Site Scripting attacks, and canonicalizing data formats. Use current compilers, debugging tool sets, and static code analysis tools. Plus lots more — all of it really good advice.
So, I was very interested to see that SAFECode had partnered with the Cloud Security Alliance to publish a new document, Practices for Secure Development of Cloud Applications, available at the SAFECode website.
It’s good, check it out, but I was hoping for new good information. Everything it says is true, it’s all good advice, but there’s nothing really cloud-specific here.
The problem is that people use “Cloud” to mean everything, so it means nothing. USB-connected external drives are marketed as “Personal Cloud Storage”, and even larger-capacity USB sticks get that label. Now makers of wireless routers call them “Cloud Routers” to mean that they’re fast, and you (and possibly hackers if you’re sloppy) can monitor and control your home network remotely.
Much of this new SAFECode/CSA document talks about traditional colo or co-location hosting. The paper uses “multitenancy” to talk about a database containing data from multiple customers! No thanks, I’ll take strong virtualization at least, limit the multitenancy to shared hardware underneath a strong hypervisor.
I think this paper has a good use. Show it to your management, as it talks about high-level issues like legal compliance. It also is written at a rather introductory level, introducing and explaining things that your software developers should already know. And if they don’t, you need to upgrade your developers!
Management will like the bulleted lists titled “Action Items”.
Your developers will benefit from the earlier SAFECode report with its solid details of how to get things done.