Capturing the New Frontier
How software security unlocks the power of cloud computing

Here's a question: Which IT sector accounts for 25% of the industry's year-over-year growth and, if the same growth trajectories continue, will generate about one-third of the IT industry's net new growth by 2013? The answer is cloud services, according to research firm IDC. Cloud computing is garnering its fair share of industry buzz as well. Its promise of revolutionary cost savings and agile, just-in-time capacity has driven IT organizations at enterprises of all sizes to build Cloud deployment strategies into their plans. (Source: Worldwide IT Cloud Services Spending, 2008-2012, IDC, October 2008)

Realizing the Cloud's benefits, however, depends greatly on the trustworthiness of the cloud infrastructure, in particular the software applications that control private data and automate critical processes. Cyber-threats increasingly target vulnerable cloud applications, forcing IT organizations to sub-optimize their Cloud deployments for fear of insecure software. Ensuring the inherent security of software, therefore, is a key factor in unlocking the power of Cloud Computing and realizing its ultimate flexibility and cost benefits.

  • So what are the security challenges organizations are facing when they move applications to the Cloud?
  • Exactly how should organizations secure their applications for the cloud environment?
  • What do Cloud service providers need to know about securing their infrastructure software?
  • What constitutes a smart Cloud implementation?

The Security Challenges of the Cloud

Key to protecting services in the cloud is a proper understanding of what the challenges are and why software in the cloud is particularly susceptible to attacks:

  1. Software is the primary target of threats: Software has become the primary target of hackers and malicious users for good reason: it controls the flow, storage and use of data, and it is often easily exploited. Some industry analysts have estimated that as much as 75% of attacks today enter at the application layer rather than the network or hardware.
  2. Software is complex: Today's software is the next great security frontier and, because it is extremely complex, the least understood. The process of securing it during development, deployment and production is also not as mature as network or hardware security methods.
  3. Cloud brings "sharing": Software's inherent complexity only grows as applications are placed within shared cloud environments, putting additional pressure on the weakest link in online security. Moving to the cloud gives organizations less visibility into their applications and reduced control of risk.

The need to secure cloud software infrastructure applies equally to software that the provider is using to provision cloud services as well as applications that customers move to the cloud. Before taking on the increased risk inherent in cloud computing, every organization needs to ensure that the software applications that run their business are "cloud-ready."

As enterprises move applications into cloud environments, common assumptions made by software developers need to be examined given a cloud context. A few examples help illustrate potential problems:

  1. Communication protocols: An application that used to run on an internal network may not be vulnerable when it uses HTTP, but using the same protocol once the cloud relies on public networks introduces new risks. Software that is written securely makes transitioning from HTTP to HTTPS easier. Poorly written software can make it impossible.
  2. Network infrastructure: The typical data center provides resources under direct IT control. For example, a DNS server provides a "yellow pages" for computers to find each other easily. When software code is moved to the cloud, it now relies on public DNS servers. Result: cybercriminals have a new vector of attack.
  3. Data Protection: If a software application writes personally identifiable information to log files, the level of exposure can be easily managed by in-house data operations. In the cloud, the operations team is not your own. Tighter control is required over where personally identifiable information is written.
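
For the data protection point, one way to control what reaches log files is to redact personally identifiable information inside the application, before any handler writes it. The following is an added example, not code from the article; the patterns, logger name and sample events are constructed assumptions.

```python
import io
import logging
import re

# Illustrative patterns (assumptions), not a complete PII catalogue.
PII_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]


class PiiRedactionFilter(logging.Filter):
    """Rewrite each record so PII never reaches a handler or its storage."""

    def filter(self, record):
        # Render args into the message first, so PII passed as a
        # format argument ("%s", email) is redacted as well.
        message = record.getMessage()
        for label, pattern in PII_PATTERNS:
            message = pattern.sub(f"[REDACTED:{label}]", message)
        record.msg = message
        record.args = None
        return True


def build_logger(stream):
    """Logger whose only handler carries the redaction filter."""
    logger = logging.getLogger("cloud_app_example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PiiRedactionFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def demo():
    """Log constructed sample events and return what was written."""
    out = io.StringIO()
    log = build_logger(out)
    log.info("password reset for %s", "alice@example.com")
    log.info("verified SSN 123-45-6789 for account 42")
    log.warning("charge declined, card 4111 1111 1111 1111")
    return out.getvalue()
```

Attaching the filter to the handler rather than to one logger means records propagated from other loggers to that handler are redacted too.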

Current Approaches to Cloud Software Security
According to the Cloud Security Alliance, a not-for-profit organization promoting security assurance best practices in cloud computing, the ultimate approach to software security in this unique environment must be both tactical and strategic. Some of their detailed recommendations include the following:

  • Pay attention to application security architecture, tracking dynamic dependencies to the level of discrete third-party service providers, making modifications as necessary
  • Use a software development life cycle (SDLC) model that integrates the particular challenges of a cloud computing deployment environment throughout its processes
  • Understand the ownership of tools and services such as software testing, including the ramifications of who provides, owns, operates, and assumes responsibility
  • Track new and emerging vulnerabilities, both with web applications as well as machine-to-machine service-oriented architecture (SOA), which is increasingly cloud-based

Unlocking the Benefits of the Cloud with Software Security
The key to achieving the benefits of the cloud is found in a new approach to software security called Software Security Assurance, or "SSA." SSA is a risk-managed, cost-effective approach to software security that can be practiced by enterprises, government agencies and cloud providers alike to ensure the security of software in the cloud. There are three fundamental steps to putting SSA into practice:

  1. Make current applications "cloud-ready" - find and fix cloud-specific vulnerabilities in existing applications before they are moved into a shared infrastructure
  2. Audit new code/applications for resiliency in the target cloud environment
  3. Establish a remediation/feedback loop with software developers and outside vendors to deal with ongoing issues and remediation.

A key part of the SSA concept is to establish "security gates" to systematically accept or reject software applications according to their risk profile. Because the risk profile is determined by the assets controlled by the software and the context or environment in which it will operate, organizations can clearly determine the appropriateness of deploying particular applications into various cloud environments. Cloud providers can assist their customers by offering services that help assess the "cloud readiness" of their applications, and then guide them to the appropriate deployment configurations. The cloud providers also benefit by not allowing vulnerable applications to taint their shared infrastructure. Through SSA, both cloud consumers and providers can confidently make use of cloud computing.
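
A security gate of this kind can be expressed as policy code. The sketch below is an added example, not Fortify's or the article's implementation: the asset classes, environment names, scoring and finding limits are all assumed values chosen to show the same audit result being accepted for one environment and rejected for another.

```python
from dataclasses import dataclass

# Every tier, weight and limit here is an illustrative assumption;
# the article describes the gate concept, not these values.
ASSET_WEIGHT = {"public": 1, "internal": 2, "pii": 3}
ENV_WEIGHT = {"internal_datacenter": 1, "private_cloud": 2, "public_cloud": 3}

# Maximum open findings tolerated per severity, keyed by risk tier.
LIMITS = {
    "low": {"critical": 0, "high": 5, "medium": 20},
    "medium": {"critical": 0, "high": 1, "medium": 10},
    "high": {"critical": 0, "high": 0, "medium": 3},
}


@dataclass
class Application:
    name: str
    assets: list    # kinds of data the software controls
    findings: dict  # open findings by severity from a code audit


def risk_tier(app, environment):
    """Risk profile: most sensitive asset weighted by target environment."""
    score = max(ASSET_WEIGHT[a] for a in app.assets) * ENV_WEIGHT[environment]
    if score >= 9:
        return "high"
    return "medium" if score >= 3 else "low"


def security_gate(app, environment):
    """Return (accepted, reasons); reasons feed the remediation loop."""
    tier = risk_tier(app, environment)
    reasons = []
    for severity, limit in LIMITS[tier].items():
        count = app.findings.get(severity, 0)
        if count > limit:
            reasons.append(
                f"{count} {severity} findings exceed the {tier}-risk limit of {limit}"
            )
    return (not reasons, reasons)


def evaluate_all(app):
    """Run the same audit result through the gate for every environment."""
    return {env: security_gate(app, env) for env in ENV_WEIGHT}


# Constructed sample application and audit counts.
BILLING = Application("billing", ["internal", "pii"], {"high": 1, "medium": 4})
```

Calling `evaluate_all(BILLING)` accepts the sample application for the internal data center and the private cloud and rejects it for the public cloud, returning the findings that must be fixed first.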

To be an effective program, SSA must unite information security, risk management, and software development in a cross-functional program. To realize the full benefits of cloud computing, organizations must assess and mitigate the risk posed by application vulnerabilities deployed in the cloud with the same vigor as those within their own data center.

About Michael Armistead
Michael Armistead is the Founder & Vice President of Corporate Development at Fortify Software. He co-founded Fortify Software in 2003 with a conviction that information security and software development could work together in unison to secure applications at the source from common threats to the data they contain. With an extensive career in development tools and various leadership roles, Mike is a driving force of the overall strategy and has been instrumental in the aggressive market penetration of Fortify to date. Mike holds a BS and MS in Management Science & Engineering from Stanford University.
