cclements
Newcomer II

Do you have security standards for "cloud applications" apart from web applications or other types

I've been asked to create application security standards for cloud applications.  However, I am at a bit of a loss as to how those standards would differ from existing standards for web applications and general application security.  

 

When I consider cloud native services, such as logic apps, azure functions, or lambda functions, they are very similar to APIs in that we can invoke them via an endpoint.  

 

Our security controls for access to cloud resources don't really fall into "application security" as I see it. Besides, we have other teams and policies for that work.

 

Do you guys treat cloud application security differently? 

 

Chris

10 Replies
JoePete
Contributor III


@cclements wrote:

I've been asked to create application security standards for cloud applications.  However, I am at a bit of a loss as to how those standards would differ from existing standards for web applications and general application security.  


I think this really depends on your service provider and what you do with them, but I tend to lean toward your thinking. What we call "cloud applications," especially anything SaaS, are just web applications from days gone by. You might be able to clear a lot off your plate just by inserting the OWASP Application Security Verification Standard.

 

One of the pitfalls we've seen with cloud (SaaS) applications is that the development model can sometimes be to build one web application and then, for end-users, roll out some sort of client that's really just a hacked-together browser. The end users might have a better experience than going through their browser, but from a security standpoint, all the protection that we have been baking into browsers can be shortcut. I'm not sure that is a cloud-specific issue, though.

 

Obviously, APIs are a big factor and if you're on the provider side, the management plane is everything, but again, I lean toward your observation - it's not that the cloud encourages a different security model; it just underscores the hazard of making mistakes.

Essie
Viewer

I am also not quite sure what they are asking for, as a cloud standard will be specifically for cloud regardless of the deployment model. In regard to web applications, I tend to see more application security standards or secure development standards. Probably they want you to specifically focus on web apps hosted on the cloud, and I would have combined web app and cloud. Hope this helps https://www.w3.org/2015/09/HTMLApps-D3.4/cloud but I would have gone back to clarify.
iluom
Contributor II

 

There is an International Standard for your requirement:

ISO 27017 provides both service providers and cloud service consumers with the ability to implement security controls for cloud services. ISO 27017 is an extension to ISO 27002 to address cloud-specific security issues.

 

Cheers

 

Mouli, CISSP
iluom
Contributor II

ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is not only relevant to organizations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information. This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organizations and their end-users.

 

The standard extensively covers topics like asset ownership, recovery action if the CSP gets dissolved, disposal of assets with sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks, and others. The ISO/IEC 27017 standard allows organizations to commit to a long-term goal.

Mouli, CISSP
Steve-Wilme
Advocate II

Probably the best place to start would be to consult with those developing or purchasing cloud-based applications to understand the range of current and anticipated future software, in order to make the security guidance relevant to your specific organisation. You potentially have a couple of distinct use cases: purchasing SaaS, and developing your own applications that are deployed to cloud. In order to make the standard most useful you'd also need to consider which clouds, i.e. AWS, Azure, GCP, Oracle etc., as applications are likely to be built on top of different services in the IaaS and PaaS layers which also need securing appropriately.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
cclements
Newcomer II

Mouli, thank you for your response. However, the thrust of this question is specifically identifying secure software development practices that are unique to a cloud environment, as opposed to how we implement controls on cloud services. My challenge is that I don't see any.
cclements
Newcomer II

Thanks Steve. In this case I was asked to write "application security standards for cloud applications". We already have standards for applications and also specifically for web applications. I am struggling to see how a "cloud application" (whatever that is) differs significantly from those standards.
Steve-Wilme
Advocate II

In that case you may simply need to carry out a gap analysis on what current standards do not cover adequately and then address that. There could be a range of ways to focus in on that, like what the common pen test findings for applications are, what your SAST tooling most frequently reports, or even what threat modelling indicates that developers most often overlook when designing applications. So I'd focus on plugging any gap in order to deliver improvement.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
iluom
Contributor II

In that case, the twelve-factor methodology is a good fit; have a look at the site.

 

The twelve-factor methodology can be applied to apps written in any programming language, and which use any combination of backing services (database, queue, memory cache, etc.).

 

Cheers

 

Mouli, CISSP