
The rise in popularity of hosted, cloud and Software-as-a-Service (SaaS) applications has made the task of securing these applications and the critical data they use more difficult for developers. Stateless applications, multi-tenanted and redundant cloud-based architectures need to be taken into account at the earliest stages of design and throughout the development process. All the while, security processes must be adhered to and implemented on platforms that are rapidly evolving.


To find out more about the challenges faced by developers in an increasingly cloudy world, we spoke with Dr. Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute. Dr. Ullrich has over a decade of experience within IT security and in November of 2000, he started the project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized and in 2004, Network World named him one of the 50 most powerful people in the networking industry. In 2005, Secure Computing Magazine named him one of the Top 5 influential IT security thinkers.

“One of the challenges is exercising controls over the remote infrastructure, especially in multi-tenant environments,” explains Dr. Ullrich. “Each development environment will place restrictions on how data is stored and handled by the applications, and developers need to educate themselves on the platform before committing to projects.”

In many cases, developers assume that the underlying infrastructure is secure and will mitigate the potential for a successful cyber-attack. Weaknesses in any of the layers from the OS up through the application server and its supporting libraries can lead to vulnerabilities. However, understanding the baseline security processes and validation for new cloud platforms is still a challenging task. Dr. Ullrich points to emerging industry standards such as the not-for-profit Cloud Security Alliance best practice and guidance documents as a good checklist for developers to use when selecting a base platform.

But even within a platform that has good baseline security validation, Security Misconfiguration is still an issue and an emerging threat on the Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks. Dr. Ullrich recommends that developers verify the system’s configuration management; if verification is not possible, the assumption must be that the system is not secure.

Even with the move to cloud, old threats still linger and, according to OWASP, the number one issue is still injection flaws. Injection is essentially tricking an application into including unintended commands in the data sent to an interpreter. In an attack, these strings are then interpreted as commands; although SQL is the most common target, the threat extends to OS shell, LDAP, XPath and Hibernate interpreters. “Many of the developers who learnt their skills a decade ago are still not aware how to protect against SQL injection,” he explains. “In most cases, this is relatively simple but often overlooked.”

In some cases, it is best to avoid the interpreter entirely; where that is not possible, Dr. Ullrich recommends an interface that supports bind variables, so that the interpreter can distinguish between code and data.
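The difference between concatenating input into a query and passing it as a bind variable, as an added example that is not part of the original article. It uses a constructed in-memory SQLite table; the function names are invented for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Query built by string concatenation.

    The interpreter sees one string and cannot tell which part was meant
    to be data, so quote characters in the input change the query's logic.
    """
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Same query using a bind variable (the '?' placeholder).

    The SQL text is fixed; the input is handed to the database separately
    and is always treated as a value, never parsed as SQL.
    """
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves the same either way.
    print(lookup_unsafe(db, "alice"), lookup_safe(db, "alice"))
    # Input containing a quote: the concatenated query leaks every row,
    # the bound query simply finds no user with that literal name.
    probe = "x' OR '1'='1"
    print(lookup_unsafe(db, probe), lookup_safe(db, probe))
```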

Dr. Ullrich believes a key focus for developers should be gaining an understanding of new programming techniques that offer better security models for developing in a cloud centric world.

One example is tokenisation, a process that replaces a piece of sensitive data with a value that is not considered sensitive in the context of the environment that consumes the token in place of the original sensitive data. “This is useful for areas like credit card data as it takes the valuable asset at risk off the table so it can no longer be stolen,” he explains.

Developers are often not able to see the operational environment and controls that will support an application after it goes live. However, the development process can still provide a foundation for best practice on-going security.

Dr. Ullrich highlights several good practical steps that every developer should always follow. One of the most critical is encryption. If developers live with the assumption that no application can ever be 100% guaranteed unbreakable, then the next logical step is that all sensitive data should be securely stored. But this extends past the database and into less obvious areas that can be overlooked, such as directories, log files and backups.

For example, an error handler that logs credit card details that have been refused because a merchant gateway is unavailable could become a vulnerable collection point for large amounts of sensitive information. Unless the developers explicitly include these logs or temporary data stores within their encryption schemes, the security of the application is weakened. Encryption also extends to communication security over the Internet, and developers should insist that SSL be used for everything requiring authentication.
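How tokenisation and the error-handler case above fit together, as an added example that is not from the article or from SANS: a hypothetical token vault holds the only mapping from card number to token, and the gateway-failure handler writes the token, never the card number, into its log line, with a redaction pass as a second line of defence. The vault class, regex and card numbers are constructed for this illustration.

```python
import re
import secrets


class TokenVault:
    """Hypothetical tokenisation vault (constructed for this example).

    Only the vault holds the PAN-to-token mapping; the application, its logs
    and its backups handle tokens, which are worthless outside this environment.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        if pan not in self._pan_to_token:
            # Random token; only the last four digits are kept, for receipts and support.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token):
        """Only the payment path that talks to the gateway should ever call this."""
        return self._token_to_pan[token]


# Card-number-like run of 13 to 16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def redact_pans(text):
    """Mask every PAN in a string, keeping only its last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "****" + digits[-4:]
    return PAN_RE.sub(mask, text)


def record_gateway_failure(vault, pan, reason):
    """Error handler for a deferred payment: returns the log line to write.

    The line carries the token rather than the PAN, so the log never becomes
    a collection point, and is redacted in case a PAN slips into the message.
    """
    token = vault.tokenize(pan)
    line = "gateway unavailable, payment deferred: card=%s reason=%s" % (token, reason)
    return redact_pans(line)
```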

In March, Dr. Ullrich will be teaching the SANS DEV522: Defending Web Applications Security Essentials course in Stuttgart, Germany. The session is the first time this course has been offered in EMEA and is intended for anyone tasked with implementing, managing, or protecting Web applications. Although the course only touches on newer software development areas like cloud and SaaS, Dr. Ullrich urges senior developers about to start projects likely to be affected by shared data from third-party clouds or SaaS to consider attending. “The next few years are going to see major changes for developers as the landscape moves from on-premise, to web and ultimately cloud – the level of education around application security also needs to make that same progress,” he adds.

About Dr. Ullrich

Johannes Ullrich

Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top 5 influential IT security thinkers. His research interests include IPv6, Network Traffic Analysis and Secure Software Development. Johannes is regularly invited to speak at conferences and has been interviewed by major publications, radio as well as TV stations. He is a member of the SANS Technology Institute's Faculty and Administration as well as Curriculum and Long Range Planning Committee. As chief research officer for the SANS Institute, Johannes is currently responsible for the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also maintains a daily security news summary podcast and enjoys blogging about application security.