I've been asked to create application security standards for cloud applications. However, I am at a bit of a loss as to how those standards would differ from existing standards for web applications and general application security.
When I consider cloud-native services, such as Logic Apps, Azure Functions, or Lambda functions, they are very similar to APIs in that we can invoke them via an endpoint.
Our security controls for access to cloud resources don't really fall into "application security" as I see it. Besides, we have other teams and policies for that work.
Do you guys treat cloud application security differently?
Chris
@cclements wrote: I've been asked to create application security standards for cloud applications. However, I am at a bit of a loss as to how those standards would differ from existing standards for web applications and general application security.
I think this really depends on your service provider and what you do with them, but I tend to lean toward your thinking. What we call "cloud applications," especially anything SaaS, are just web applications from days gone by. You might be able to clear a lot off your plate just by inserting the OWASP Application Security Verification Standard.
One of the pitfalls we've seen with cloud (SaaS) applications is that the development model can sometimes be build one web application and then for end-users roll out some sort of client that's really just a hacked together browser. The end users might have a better experience than going through their browser, but from a security standpoint, all the protection that we have been baking into browsers can be shortcut. I'm not sure that is a cloud specific issue, though.
Obviously, APIs are a big factor and if you're on the provider side, the management plane is everything, but again, I lean toward your observation - it's not that the cloud encourages a different security model; it just underscores the hazard of making mistakes.
There is an International Standard for your requirement:
ISO 27017 provides both service providers and cloud service consumers with the ability to implement security controls for cloud services. ISO 27017 is an extension to ISO 27002 to address cloud-specific security issues.
Cheers
ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is not only relevant to organizations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information. This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organizations and their end-users.
The standard extensively covers topics like asset ownership, recovery action if the CSP gets dissolved, disposal of assets with sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks, and others. The ISO/IEC 27017 standard allows organizations to commit to a long-term goal.
Probably the best place to start would be to consult with those developing or purchasing cloud-based applications to understand the range of current and anticipated future software, in order to make the security guidance relevant to your specific organisation. You potentially have a couple of distinct use cases: purchasing SaaS, and developing your own applications that are deployed to the cloud. In order to make the standard most useful, you'd also need to consider which clouds (i.e. AWS, Azure, GCP, Oracle, etc.), as applications are likely to be built on top of different services in the IaaS and PaaS layers, which also need securing appropriately.
In that case you may simply need to carry out a gap analysis on what current standards do not cover adequately and then address that. There could be a range of ways to focus in on that: what are the common pen test findings for applications, what does your SAST tooling most frequently report, or even what does threat modelling indicate that developers most often overlook when designing applications. So I'd focus on plugging any gap in order to deliver improvement.
In that case, the twelve-factor methodology is a good fit; have a look at the site.
The twelve-factor methodology can be applied to apps written in any programming language, and which use any combination of backing services (database, queue, memory cache, etc.).
Cheers
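As an added illustration, not part of this thread or of the twelve-factor site, the config factor of that methodology applied to a cloud function or web app: settings and backing-service URLs come from the environment rather than the code, the loader fails closed when a required secret is missing, a service URL has an unexpected scheme, or the session secret is too short, and the only loggable view of the config has credentials stripped. The variable names, the `AppConfig` class, the scheme allow-list and the sample environment are all constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse


class ConfigError(ValueError):
    """Raised when the environment does not satisfy the app's config contract."""


# Required settings and the URL schemes accepted for each backing service.
# Names are hypothetical; use whatever your deployment pipeline exports.
REQUIRED = ("DATABASE_URL", "CACHE_URL", "SESSION_SECRET")
ALLOWED_SCHEMES = {
    "DATABASE_URL": {"postgresql", "postgres"},
    "CACHE_URL": {"redis", "rediss"},
}
MIN_SECRET_LEN = 32


@dataclass(frozen=True)
class AppConfig:
    database_url: str
    cache_url: str
    session_secret: str
    log_level: str

    def redacted(self) -> dict:
        """Loggable view: credentials stripped from URLs, secret masked."""
        return {
            "database_url": redact_url(self.database_url),
            "cache_url": redact_url(self.cache_url),
            "session_secret": "***",
            "log_level": self.log_level,
        }


def redact_url(url: str) -> str:
    """Replace any user:password part of a service URL with '***'."""
    parts = urlparse(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=f"***@{host}").geturl()


def load_config(env: Optional[Mapping[str, str]] = None) -> AppConfig:
    """Build AppConfig from environment variables, failing closed on defects."""
    env = os.environ if env is None else env
    missing = [key for key in REQUIRED if not env.get(key)]
    if missing:
        raise ConfigError("missing required settings: " + ", ".join(missing))
    for key, schemes in ALLOWED_SCHEMES.items():
        scheme = urlparse(env[key]).scheme
        if scheme not in schemes:
            raise ConfigError(f"{key}: unexpected URL scheme {scheme!r}")
    if len(env["SESSION_SECRET"]) < MIN_SECRET_LEN:
        raise ConfigError(f"SESSION_SECRET shorter than {MIN_SECRET_LEN} characters")
    return AppConfig(
        database_url=env["DATABASE_URL"],
        cache_url=env["CACHE_URL"],
        session_secret=env["SESSION_SECRET"],
        log_level=env.get("LOG_LEVEL", "INFO"),
    )


def config_problem(env: Mapping[str, str]) -> Optional[str]:
    """Return the validation error message for env, or None if it loads."""
    try:
        load_config(env)
    except ConfigError as exc:
        return str(exc)
    return None


# Constructed sample environment, shaped like what a pipeline would export.
SAMPLE_ENV = {
    "DATABASE_URL": "postgresql://app:s3cret-pw@db.internal:5432/app",
    "CACHE_URL": "rediss://cache.internal:6380/0",
    "SESSION_SECRET": "x" * 48,
    "LOG_LEVEL": "DEBUG",
}

if __name__ == "__main__":
    cfg = load_config(SAMPLE_ENV)
    print("loaded:", cfg.redacted())
    # Same environment with the secret removed: the app refuses to start.
    broken = {k: v for k, v in SAMPLE_ENV.items() if k != "SESSION_SECRET"}
    print("refused:", config_problem(broken))
```

The point of the shape is that the same function code can be promoted from a developer's machine through staging to production with nothing but the environment changing, and that a misconfigured deployment is rejected at startup instead of surfacing later as a dangling connection or a secret printed into a log.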