Do you have security standards for "cloud applications" apart from web applications or other types
I've been asked to create application security standards for cloud applications. However, I am at a bit of a loss as to how those standards would differ from existing standards for web applications and general application security.
When I consider cloud native services, such as logic apps, azure functions, or lambda functions, they are very similar to APIs in that we can invoke them via an endpoint.
Our security controls for access to cloud resources don't really fall into "application security" as I see it. Besides, we have other teams and polices for that work.
Do you guys treat cloud application security differently?
One would expect slight differences as one has less control of the underlying resources. For example, you are much more likely to use PAAS SQL, which would render "keep the database up-to-date" inapplicable.
That said, most things probably apply to both (e.g. "Validate input"). You might start by marking up a copy of your current standards and let management decide between one or two documents.
Although it is their call, I personally would have one "app development standard" with appendices covering the unique aspects of each language, platform or hosting location.
ISO 27017 provides both service providers and cloud service consumers with the ability to implement security controls for cloud services. ISO 27017 is an extension to ISO 27002 to address cloud-specific security issues.