Domain 4 Cloud Application Security

The document outlines the Cloud Application Security domain, emphasizing the importance of identity and access management, data sensitivity assessment, and the complexities of cloud application deployment. It highlights common vulnerabilities, the software development lifecycle, and the need for secure operations and threat modeling in cloud environments. Additionally, it discusses identity management, federated identity management, and supplemental security measures to enhance cloud application security.

Uploaded by Madhuri Valluri

Cloud Application Security Domain 5

• The goal of the Cloud Application Security domain is to provide you with knowledge as it relates to cloud application security
• You will gain knowledge of identity and access management solutions for the cloud and of cloud application architecture
• You will also learn how to ensure data and application availability, integrity, and confidentiality (AIC) through cloud software assurance and validation

Introduction

• It is important to recognize the benefits and efficiencies of cloud deployment, along with its challenges and complexities
• Failure to address inherent risks directly affects the organization, its software supply chain (extended enterprise API management), and its customers
• When preparing an application for cloud deployment, remember that applications can be broken down into the following subcomponents:
   o Data
   o Functions
   o Processes
• The components can be separated so that the portions that handle sensitive data are processed or stored in specified locations to comply with enterprise policies, standards, and applicable laws and regulations.

Determining Data Sensitivity and Importance

• Any application that may be implemented in a cloud environment should undergo an assessment of its sensitivity and importance
• Independence, and the ability to present a true and accurate account of the information types involved along with their requirements for AIC, may be the difference between a successful project and a failure

Understanding the API Formats

• APIs consume tokens rather than traditional usernames and passwords
• APIs can be broken into multiple formats, two of which follow:
   o Representational State Transfer (REST): A software architecture style consisting of guidelines and best practices for creating scalable web services
   o Simple Object Access Protocol (SOAP): A protocol specification for exchanging structured information in the implementation of web services in computer networks
• CCSPs should familiarize themselves with API formats as they relate to cloud services

Common Pitfalls of Cloud Security Application Deployment

• The ability to identify, communicate, and plan for potential cloud-based application challenges proves an invaluable skill for developers and project teams
• Failure to do so can result in additional cost
• On-premises does not always transfer (and vice versa)
   o Current configurations and applications may be hard to replicate on or through cloud services:
      ▪ First, they were not developed with cloud-based services in mind
      ▪ Second, not all applications can be forklifted to the cloud
         • Forklifting an application is the process of migrating an entire application the way it runs in a traditional infrastructure, with minimal code changes
   o Transferring to or utilizing cloud-based environments may introduce additional change requirements and additional interdependencies
• Not all apps are cloud ready
   o Many high-end applications come with distinct security and regulatory restrictions or rely on legacy code
   o Such systems may need to be developed, tested, and assessed on premises to a level where confidentiality and integrity have been verified

• Lack of training and awareness
   o New development techniques and approaches require training and a willingness to utilize new services
• Lack of documentation and guidelines
   o Given the rapid adoption of evolving cloud services, a disconnect has developed between some providers and developers on how to utilize, integrate, or meet vendor requirements for development.
   o The CCSP needs to understand the basic concept of a cloud software development lifecycle and what it can do for the organization

• Complexities of integration
   o When developers and operational resources do not have open or unrestricted access to supporting components and services, integration can be complicated, particularly where the CSP manages infrastructure, applications, and integration platforms.
   o It can prove difficult to track or collect events and transactions across interdependent or underlying components
   o In an effort to reduce these complexities, where possible (and available), the CSP's APIs should be used.

• Overarching challenges
   o Two major risks:
      ▪ Multitenancy
      ▪ Third-party administrators
   o It is also critical that developers understand the security requirements based on the following:
      ▪ Deployment model
      ▪ Service model
   o These two models will assist in determining what security your provider will offer and what your organization is responsible for implementing and maintaining.

Awareness of Encryption Dependencies

• Staff must be aware of the development environment their application will be running in and the possible encryption dependencies
   o Encryption of data at rest (DAR) addresses encrypting data as it is stored within the CSP network (such as hard disk drive [HDD], storage area network [SAN], network attached storage [NAS], and solid-state drive [SSD])
   o Encryption of data in transit (DIT) addresses the security of data while it traverses the network (such as the CSP network or the Internet)
• When encryption is provided by the CSP, the encryption types, algorithm strength, and key management should be understood and documented
• Depending on industry standards, relevant certifications or criteria may be required for the encryption being used
• Beyond the encryption aspects of security, threat modeling must address attacks from other cloud tenants as well as attacks originating from one of the organization's own applications

Understanding the Software Development Lifecycle Process for a Cloud Environment

• Planning and requirements analysis:
   o Business requirements are defined in this phase
   o The focus is on the project manager and stakeholders
   o The requirements are then analyzed for their validity and the possibility of incorporating them into the system to be developed
• Defining:
   o Product requirements to be designed and developed during the project lifecycle
• Design:
   o Threat modeling is done in this phase
   o System design specifications serve as input for the next phase of the model
• Development:
   o Code review, unit testing, and static analysis
• Testing:
   o Integration testing, system testing, and acceptance testing

Most software development lifecycle models include a maintenance phase as their endpoint

Secure Operations Phase

• Proper software configuration management and versioning are essential to application security.
• Puppet and Chef are examples of the configuration management tools available
• The goal of these tools is to ensure that configurations are updated as needed and that there is consistency in versioning.
• Activities in this phase also include:
   o Dynamic analysis
   o Vulnerability assessment
   o Activity monitoring
   o Layer 7 firewall

Disposal Phase

• Crypto-shredding is effectively summed up as the deletion of the key used to encrypt data that is stored in the cloud.
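Crypto-shredding as runnable code, added here as an illustration and not part of the original notes: records are sealed under a per-tenant data-encryption key (DEK) held in a vault, and disposal consists only of destroying that DEK, after which the untouched ciphertext is unrecoverable. The Vault type, its methods, and the tenant names are assumptions for the example; a real deployment would hold the DEK in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a tenant's DEK no longer exists.
var ErrKeyShredded = errors.New("no key for tenant: data is unrecoverable")

// Vault keeps one AES-256-GCM key per tenant. It is an in-memory map here so
// the example runs offline; in production this is a KMS/HSM (assumption).
type Vault struct {
	keys map[string][]byte
}

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// Provision creates a fresh random DEK for a tenant.
func (v *Vault) Provision(tenant string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keys[tenant] = k
	return nil
}

// Shred is the disposal step: the DEK is overwritten and then forgotten.
// Nothing in storage is touched; every record sealed under it is now dead.
func (v *Vault) Shred(tenant string) {
	if k, ok := v.keys[tenant]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, tenant)
	}
}

func (v *Vault) aead(tenant string) (cipher.AEAD, error) {
	k, ok := v.keys[tenant]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record; the random nonce is prepended to the ciphertext and
// the tenant name is bound in as associated data.
func (v *Vault) Seal(tenant string, plaintext []byte) ([]byte, error) {
	g, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Open decrypts a record, or fails with ErrKeyShredded after disposal.
func (v *Vault) Open(tenant string, stored []byte) ([]byte, error) {
	g, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(stored) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := stored[:g.NonceSize()], stored[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(tenant))
}

func main() {
	v := NewVault()
	_ = v.Provision("tenant-a")
	ct, _ := v.Seal("tenant-a", []byte("customer record 42")) // constructed sample record
	pt, _ := v.Open("tenant-a", ct)
	fmt.Printf("before shred: %s\n", pt)
	v.Shred("tenant-a")
	_, err := v.Open("tenant-a", ct) // the ciphertext still sits in "storage"
	fmt.Printf("after shred: %v\n", err)
}
```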

Assessing Common Vulnerabilities

• Injection
   o Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query
   o If the interpreter is successfully tricked, it will execute the unintended commands or access data without proper authorization.
• Broken authentication and session management
   o Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume other users' identities.
• Cross-site scripting (XSS)
   o XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping
• Insecure direct object references
   o A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
• Security misconfiguration
   o Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform
• Sensitive data exposure
   o Sensitive data deserves extra protection, such as encryption at rest or in transit, as well as special precautions when exchanged with the browser
• Missing function-level access control
   o If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
• Cross-site request forgery (CSRF)
   o A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
   o This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.
• Unvalidated redirects and forwards
   o Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
   o Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to gain unauthorized access
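A defensive check for the last item, unvalidated redirects, added as an example that is not part of the original notes: the redirect target supplied by the user is accepted only as a local path or as an absolute http(s) URL on an allowlist, and every other shape (protocol-relative, backslash, other scheme, userinfo trick, look-alike host) falls back to the home page. The SafeRedirect function, the allowlist, and the example hosts are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist of hosts the application may send
// users to; in practice it comes from configuration, not code.
var allowedHosts = map[string]bool{
	"app.example.com": true,
	"sso.example.com": true,
}

// fallback is where the user goes when the requested target is rejected.
const fallback = "/"

// SafeRedirect returns the destination to use and whether the requested
// target was accepted. Two shapes are accepted:
//   - a local path such as "/account": exactly one leading "/" and no
//     backslashes (browsers treat "/\evil" much like "//evil");
//   - an absolute http(s) URL whose host is on the allowlist.
// Anything else is replaced by the fallback rather than "cleaned up".
func SafeRedirect(target string) (string, bool) {
	if target == "" || strings.ContainsAny(target, "\\\r\n") {
		return fallback, false
	}
	u, err := url.Parse(target)
	if err != nil {
		return fallback, false
	}
	// url.Parse puts "//evil.example" into u.Host, so a genuine local path
	// has empty Scheme, Host, User and Opaque.
	if u.Scheme == "" && u.Host == "" && u.User == nil && u.Opaque == "" {
		if strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//") {
			return u.String(), true
		}
		return fallback, false
	}
	// Absolute target: scheme, userinfo and host must all be acceptable.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fallback, false // javascript:, data:, mailto:, or no scheme at all
	}
	if u.User != nil {
		return fallback, false // "https://app.example.com@evil.example" style
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return fallback, false // exact match, so suffix look-alikes fail
	}
	return u.String(), true
}

func main() {
	for _, t := range []string{
		"/account/settings",
		"//evil.example/phish",
		"/\\evil.example",
		"javascript:alert(1)",
		"https://app.example.com/home",
		"https://app.example.com.evil.example/",
		"https://app.example.com@evil.example/",
	} {
		dest, ok := SafeRedirect(t)
		fmt.Printf("%-42q accepted=%-5v -> %s\n", t, ok, dest)
	}
}
```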

Cloud-Specific Risk

• The need for an application risk management program is more critical than ever
• Applications that run in a PaaS environment may need security controls baked into them.
• Application isolation is another component that must be addressed in a cloud environment
• You must take steps to ensure that one application cannot access other applications on the platform unless it is allowed access through a control.
• The "Notorious Nine" cloud threats include the following:
   o Data breaches: If a multitenant cloud service database is not properly designed, a flaw in one client's application can allow an attacker access not only to that client's data but to every other client's data as well.
   o Data loss: Any accidental deletion by the CSP; likewise, if a customer encrypts his data before uploading it to the cloud but loses the encryption key, the data is still lost.
   o Account hijacking: If attackers gain access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites
   o Insecure APIs: The security and availability of general cloud services is dependent on the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy

Threat Modeling

• Threat modeling is performed once an application design is created
• The goal of threat modeling is to determine any weaknesses in the application and the potential ingress, egress, and actors involved before the weakness is introduced to production
• The CCSP should always remember that the nature of threats faced by a system changes over time
• Because of the dynamic nature of changing threats, constant vigilance and monitoring are important aspects of overall system security in the cloud
• STRIDE threat model
   o It remains the responsibility of the organization to assess code for proper, secure function no matter where the code is sourced.
• Approved application programming interfaces
   o Application programming interfaces (APIs) are a means for a company to expose functionality to applications. Following are three benefits of APIs:
      ▪ Programmatic control and access
      ▪ Automation
      ▪ Integration with third-party tools
   o Consumption of APIs can lead to your firm leveraging insecure products
   o Consumption of external APIs should go through the same approval process that is used for all other software being consumed by the organization
   o The CCSP needs to ensure that there is a formal approval process in place for all APIs. If there is a change in an API or an issue due to an unforeseen threat, a vendor update, or any other reason, the API in question should not be allowed until a thorough review

Software Supply Chain API Management

• This supply chain supplies agility in the rapid development of applications to meet consumer demand
• Software components produced without secure software development guidance similar to that defined by ISO/IEC 27034-1 can create security risks throughout the supply chain
• It is important to assess all code and services for proper and secure functioning no matter where they are sourced.

Securing Open Source Software

• With ISO 27034-1, companies can be confident that partners have the same understanding of application security

Identity and Access Management

Identity and access management (IAM) includes the people, processes, and systems that manage access to enterprise resources by ensuring that the identity of an entity is verified and then granting the correct level of access based on the protected resource

IAM capabilities include the following:

• Identity management
• Access management
• Identity repository and directory services

Identity Management
• Identity management is a broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity.

Access Management
• Access management deals with managing an individual's access to resources
   o Authentication identifies the individual and ensures that he is who he claims to be
   o Authorization evaluates "What do you have access to?" after authentication
   o Policy management establishes the security and access policies based on business needs and the degree of acceptable risk.
   o Federation is an association of organizations that come together to exchange information as appropriate about their users and resources to enable collaborations and transactions
   o Identity repository includes the directory services for the administration of user account attributes.

Identity Repository and Directory Services

• Identity repositories provide directory services for the administration of user accounts and their attributes.
• Directory services are customizable information stores that offer a single point of administration and user access to resources and services used to manage, locate, and organize objects
• Common directory services include these:
   o X.500 and LDAP
   o Microsoft Active Directory

Federated Identity Management

• Federated identity management (FIM) provides the policies, processes, and mechanisms that manage identity and trusted access to systems across organizations.
• Federated identities allow for the generation of tokens (authentication) in one domain and the consumption of these tokens (authorization) in another domain.
• Federation standards
   o Security Assertion Markup Language (SAML) is by far the most commonly accepted standard used in the industry today. SAML is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.
   o SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
   o SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information
   o The two parties in a SAML exchange:
      ▪ Identity provider: would hold all of the identities and generate a token for known users
      ▪ Relying party: would be the service provider and would consume these tokens

• Other standards in the federation space exist:
   o OpenID Connect
      ▪ OpenID Connect lets developers authenticate their users across websites and apps without having to own and manage password files
   o OAuth
      ▪ OAuth is widely used for authorization services in web and mobile applications
      ▪ "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf"

Federated Identity Providers

• The identity provider holds all the identities and generates a token for known users. The relying party is the service provider and consumes these tokens.
• In a cloud environment, it is desirable that the organization itself continues to maintain all identities and act as the identity provider.
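The identity-provider / relying-party split above in code, added as an illustration and not part of the original notes. It is a deliberately simplified HMAC-signed JSON token rather than SAML or OIDC (an assumption made to keep it self-contained): what it shows is that the token is minted in the organization's own domain after the user authenticates there, and that the relying party in the other domain never sees a password and must verify signature, issuer, audience and expiry before trusting the assertion. The type and field names and the shared key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Each error is a distinct reason for the relying party to refuse a token.
var (
	ErrBadToken     = errors.New("malformed token")
	ErrBadSignature = errors.New("signature does not verify")
	ErrIssuer       = errors.New("token not from the trusted identity provider")
	ErrAudience     = errors.New("token was issued for a different relying party")
	ErrExpired      = errors.New("token has expired")
)

// Assertion is what the identity provider states about the subject.
type Assertion struct {
	Subject  string `json:"sub"`
	Issuer   string `json:"iss"`
	Audience string `json:"aud"` // the relying party the token is meant for
	Expires  int64  `json:"exp"` // Unix seconds
}

// IdentityProvider authenticates users in its own domain and mints tokens.
type IdentityProvider struct {
	Name string
	Key  []byte // shared with the relying party out of band (constructed)
}

// RelyingParty consumes tokens; it only ever sees assertions, never passwords.
type RelyingParty struct {
	Name          string
	TrustedIssuer string
	Key           []byte
}

func mac(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// Issue produces "<base64 payload>.<base64 HMAC>" bound to one audience.
func (idp *IdentityProvider) Issue(user, audience string, ttl time.Duration, now time.Time) (string, error) {
	a := Assertion{Subject: user, Issuer: idp.Name, Audience: audience, Expires: now.Add(ttl).Unix()}
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac(idp.Key, payload)), nil
}

// Consume verifies the signature before parsing anything, then checks that
// the token comes from the trusted issuer, is addressed to this relying
// party, and has not expired.
func (rp *RelyingParty) Consume(token string, now time.Time) (*Assertion, error) {
	enc := base64.RawURLEncoding
	p64, s64, ok := strings.Cut(token, ".")
	if !ok {
		return nil, ErrBadToken
	}
	payload, err1 := enc.DecodeString(p64)
	sig, err2 := enc.DecodeString(s64)
	if err1 != nil || err2 != nil {
		return nil, ErrBadToken
	}
	if !hmac.Equal(sig, mac(rp.Key, payload)) { // constant-time comparison
		return nil, ErrBadSignature
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, ErrBadToken
	}
	switch {
	case a.Issuer != rp.TrustedIssuer:
		return nil, ErrIssuer
	case a.Audience != rp.Name:
		return nil, ErrAudience
	case now.Unix() >= a.Expires:
		return nil, ErrExpired
	}
	return &a, nil
}

func main() {
	key := []byte("constructed-shared-secret") // real deployments use the IdP's signing key pair
	idp := &IdentityProvider{Name: "idp.corp.example", Key: key}
	rp := &RelyingParty{Name: "saas.partner.example", TrustedIssuer: idp.Name, Key: key}
	tok, _ := idp.Issue("alice", rp.Name, 5*time.Minute, time.Now())
	a, err := rp.Consume(tok, time.Now())
	fmt.Println("fresh token accepted:", err == nil && a.Subject == "alice")
	_, err = rp.Consume(tok, time.Now().Add(time.Hour))
	fmt.Println("stale token:", err)
}
```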

Federated SSO
• Federated SSO is typically used for facilitating interorganizational and inter-security-domain access to resources, leveraging federated identity management.

Multifactor Authentication
• Multifactor authentication adds an extra level of protection to verify the legitimacy of a transaction
• One-time passwords also fall under the banner of multifactor authentication
• Step-up authentication is an additional factor or procedure that validates a user's identity, normally prompted by high-risk transactions or violations according to policy rules.
• Three methods are commonly used:
   o Challenge questions
   o Out-of-band authentication (a call or Short Message Service [SMS] text message to the end user)
   o Dynamic knowledge-based authentication (questions unique to the end user)

Supplemental Security Devices

• Supplemental security devices add further layers to a defense-in-depth architecture
• The general approach for a defense-in-depth architecture is to design using multiple overlapping and mutually reinforcing elements and controls that allow for the establishment of a robust security architecture
• Supplemental security devices include the following:
   o Web application firewall (WAF)
      ▪ A WAF is a layer 7 firewall that understands HTTP traffic
      ▪ It can be effective in the case of a DoS attack
   o Database activity monitoring (DAM)
      ▪ It understands SQL commands
      ▪ It can be agent based or network based
      ▪ It detects and stops SQL injection attacks
   o XML gateways
      ▪ XML gateways can be either hardware or software.
      ▪ XML gateways transform the way services and sensitive data are exposed as APIs to developers, mobile users, and cloud users.
      ▪ XML gateways can implement security controls such as data loss prevention (DLP), antivirus, and antimalware services.
   o Firewalls
      ▪ Firewalls can be distributed or configured across the SaaS, PaaS, and IaaS landscapes; these can be owned and operated by the provider or can be outsourced to a third party for ongoing management and maintenance.
      ▪ Firewalls in the cloud need to be installed as software components
   o API gateway
      ▪ An API gateway is a device that filters API traffic; it can be installed as a proxy
      ▪ An API gateway can implement access control, rate limiting, logging, metrics, and security filtering

Cryptography
• When working with cloud-based systems, it is important to remember that they are operating within and across trusted and untrusted networks
   o Transport Layer Security (TLS)
      ▪ A protocol that ensures privacy between communicating applications and their users on the Internet.
   o SSL
      ▪ Establishes an encrypted link between a web server and a browser
   o Virtual private network (VPN, such as an IPSec gateway)
      ▪ A network that is constructed by using public wires (usually the Internet) to connect to a private network, such as a company's internal network
• All these technologies encrypt data to and from your data centre and system communications within the cloud environment.
• Data-at-rest encryption used in cloud systems:
   o Whole instance encryption
      ▪ Encrypting all the data associated with the operation and use of a virtual machine, such as data stored at rest; this also protects snapshots created from the volume
   o Volume encryption
      ▪ Encrypting a single volume
   o File-level encryption
      ▪ Encrypting specific files or a single file

• Technologies and approaches such as tokenization, data masking, and sandboxing are valuable to augment the implementation of a cryptographic solution
• Sometimes the use of encryption is not the most appropriate or functional choice for a system protection element due to design, usage, and performance concerns

Tokenization
• Tokenization generates a token (often a string of characters) that is used to substitute for sensitive data, which is itself stored in a secured location such as a database

Data Masking
• Data masking is a technology that keeps the format of a data string but alters the content
• Data masking ensures that data retains its original format without being actionable by anyone who manages to intercept the data
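The two techniques side by side, added as an example that is not part of the original notes: tokenization replaces a value with a random token and keeps the real value in a separate vault, so only the vault can reverse it; masking keeps the format (length and separators) but replaces the content, so the result is not usable and nothing reverses it. The TokenVault type, the MaskDigits function, and the sample card number are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// TokenVault maps random tokens to the sensitive values they stand in for.
// In production this is a separately secured data store (assumption); here
// it is in memory so the example runs offline.
type TokenVault struct {
	byToken map[string]string
	byValue map[string]string // the same value always yields the same token
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns the token for value, minting one if it is new. The token
// is random, so nothing about the value can be derived from it.
func (tv *TokenVault) Tokenize(value string) (string, error) {
	if tok, ok := tv.byValue[value]; ok {
		return tok, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	tv.byToken[tok] = value
	tv.byValue[value] = tok
	return tok, nil
}

// Detokenize is the only way back to the value; it is the call to guard.
func (tv *TokenVault) Detokenize(token string) (string, error) {
	v, ok := tv.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return v, nil
}

// MaskDigits keeps the layout of a digit string (separators, length) and
// replaces every digit except the last keep digits with 'X'.
// With keep=4, "4111 1111 1111 1111" becomes "XXXX XXXX XXXX 1111".
func MaskDigits(s string, keep int) string {
	digits := 0
	for _, r := range s {
		if unicode.IsDigit(r) {
			digits++
		}
	}
	var out strings.Builder
	seen := 0
	for _, r := range s {
		if unicode.IsDigit(r) {
			seen++
			if seen <= digits-keep {
				out.WriteRune('X')
				continue
			}
		}
		out.WriteRune(r)
	}
	return out.String()
}

func main() {
	tv := NewTokenVault()
	pan := "4111 1111 1111 1111" // constructed test card number, not a real account
	tok, _ := tv.Tokenize(pan)
	fmt.Println("token   :", tok) // safe to store in the application database
	fmt.Println("masked  :", MaskDigits(pan, 4))
	orig, _ := tv.Detokenize(tok)
	fmt.Println("restored:", orig == pan)
}
```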

Sandboxing
• A sandbox isolates and utilizes only the intended components, while having appropriate separation from the remaining components (that is, the ability to store personal information in one sandbox, with corporate information in another sandbox)
• Sandboxing is typically used to run untested or untrusted code in a tightly controlled environment
• Organizations can use a sandbox environment to better understand how an application actually works and to fully test applications by executing them and observing the file behaviour for indications of malicious activity

Application Virtualization
• Application virtualization is a technology that creates a virtual environment for an application to run in
• Application virtualization can be used to isolate or sandbox an application to see the processes the application performs.
• Examples
   o Wine
   o Microsoft App-V
   o XenApp
• The main goal of application virtualization is to be able to test applications while protecting the OS and other applications on a particular system.
• It is of critical importance to address the security of applications through the use of assurance and validation techniques
   o Software assurance is vital to ensuring the security of critical information technology resources. Information and communications technology vendors have a responsibility to address assurance through every stage of application development.
   o Verification and validation
      ▪ Coupled with relevant segregation of duties and appropriate independent review, verification and validation look to ensure that the initial concept and delivered product are complete
      ▪ Verification and validation occur at each stage of development to ensure consistency of the application
      ▪ They should be in line with the change management process
• Both concepts can be applied to code developed by the enterprise and to APIs and services sourced externally

Cloud-Based Functional Data

• Functional data refers to specific services you may offer that have some form of legal implication
• The data collected, processed, and transferred by the separate functions of the application can have separate legal implications depending on how that data is used, presented, and stored.
• When considering cloud-friendly systems and data sets, you must break down the legal implications of the data

Cloud-Secure Development Lifecycle

• One software development lifecycle is structured like this:
   o 1. Requirements
   o 2. Design
   o 3. Implementation
   o 4. Verification
   o 5. Release
• It is well understood that security issues discovered once an application is deployed are exponentially more expensive to remediate

• ISO/IEC 27034-1
   o Security of applications must be viewed as a holistic approach in a broad context that includes not just software development considerations but also the business and regulatory context and other external factors that can affect the overall security posture of the applications being consumed by an organization.
   o ISO/IEC 27034-1 defines concepts, frameworks, and processes to help organizations integrate security within their software development lifecycle
   o Standards are also required to increase the trust that companies place in particular software development companies.
• Organizational Normative Framework
   o ISO 27034-1 lays out an organizational normative framework (ONF) for all components of application security best practice
      ▪ The containers include the following:
         • Business context: Includes all application security policies, standards, and best practices adopted by the organization
         • Regulatory context: Includes all standards, laws, and regulations that affect application security
         • Technical context: Includes required and available technologies that are applicable to application security
         • Specifications: Documents the organization's IT functional requirements and the solutions that are appropriate to address these requirements
         • Roles, responsibilities, and qualifications: Documents the actors within an organization who are related to IT applications
• ISO 27034-1 defines an ONF management process. This bidirectional process is meant to create a continuous improvement loop
• Application Normative Framework
   o The application normative framework (ANF) is used in conjunction with the ONF and is created for a specific application.
   o The ONF to ANF is a one-to-many relationship, where one ONF is used as the basis to create multiple ANFs
• Application Security Management Process
   o ISO/IEC 27034-1 defines an application security management process (ASMP) to manage and maintain each ANF:
      ▪ 1. Specifying the application requirements and environment
      ▪ 2. Assessing application security risks
      ▪ 3. Creating and maintaining the ANF
      ▪ 4. Provisioning and operating the application
      ▪ 5. Auditing the security of the application

Application Security Testing

• Static application security testing (SAST)
   o SAST is generally considered a white-box test
   o It analyzes source code, byte code, and binaries without executing the application code
   o SAST is used to determine coding errors and omissions that are indicative of security vulnerabilities
   o SAST can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors.
   o It delivers more comprehensive results than the other methods
• Dynamic application security testing (DAST)
   o DAST is considered black-box testing
   o DAST is used against an application in its running state
   o DAST is mainly considered effective when testing exposed HTTP and HTML interfaces of web applications
   o Static and dynamic application tests work together to enhance the reliability of organizations creating and using secure applications.
• Runtime application self-protection (RASP)
   o RASP products are optimized to run in production with minimal latency
   o They install an agent within an application and perform all their analysis in the app in real time, anywhere in the development process: IDE, continuous integration environment, QA, or even in production
   o RASP lets an app run continuous security checks on itself and respond to live attacks by terminating an attacker's session and alerting defenders to the attack
   o It intercepts all calls from the app to a system, making sure they are secure, and validates data requests directly inside the app.
   o Web application firewall
• Vulnerability assessments and penetration testing
   o Vulnerability assessments or vulnerability scanning look to identify and report on known vulnerabilities in a system
   o Vulnerability assessments are performed as white-box tests
   o Penetration testing is a process used to collect information related to system vulnerabilities and exposures, with the view to actively exploit the vulnerabilities in the system
   o To assist with targeting and focusing the scope of testing, independent parties also often perform gray-box testing with some level of information provided.
   o For any security testing, permission must always be obtained prior to testing.
   o Within cloud environments, most vendors allow for vulnerability assessments or penetration tests to be executed.
   o SaaS providers are the least likely to grant clients permission to perform penetration tests
• Secure code reviews
   o Conducting a secure code review, whether informally or formally, is another approach to assessing code for appropriate security controls
   o The integration of a code review process into the system development lifecycle can improve the quality and security of the code being developed

Summary

• The CCSP focuses on identifying the necessary training and awareness activities required to ensure that cloud applications are deployed only when they are as secure as possible
• The CCSP has to be involved in identifying the requirements necessary for creating secure identity and access management solutions for the cloud
• The CCSP must also be able to identify the functional and security testing needed to provide software assurance
• The CCSP should be able to summarize the processes for verifying that secure software is being deployed
• When considering cloud services, it is important to remember that they are not an "all or nothing" approach. Data sets are not created equal; some have legal implications, and others do not. Functional data refers to specific services you may offer that have some form of legal implication. Put another way, the data collected, processed, and transferred by the separate functions of the application have separate legal implications depending on how that data is used, presented, and stored.
• When considering "cloud friendly" systems and data sets, you must break down the legal implications of the data. Does the specific service being considered for the cloud have any contract associated with it that expressly forbids third-party processing or handling? Are there any regulatory requirements associated with the function? Breaking the system down into the functions and services that have legal implications and those that do not is essential to the overall security posture of your cloud-based system and to the overall enterprise need to meet contractual, legal, and regulatory requirements.
