While Cloud applications are vulnerable to many of the traditional threats described by OWASP and the CWE dictionary, there are also unique threats that development teams must understand in order to properly mitigate risk during both the design and development phases. The following key cloud challenges are derived from our Securing Applications in the Cloud white paper which also includes recommendations for implementing effective countermeasures.
- ABUSE OF CLOUD RESOURCES - Highly available cloud resources such as Apple’s iCloud, Microsoft’s SkyDrive, and Amazon’s S3 have become commonplace. They provide relative anonymity, ease of access, and robust sharing capabilities which, when combined with common mistakes, results in cloud based applications being seen as high value targets by potential attackers.
- INSECURE APIs - Application programming interfaces provided by cloud service providers may not be secure by default. When these services are integrated with a new or existing application, significant vulnerabilities can be introduced. These include commonly known or predictable third party API keys, anonymous access, misused tokens or passwords, plain text transmission of data, and rigid access controls that don’t conform to a required authorization model.
- SHARED TECHNOLOGY VULNERABILITIES - In the cloud’s multi-tenant environment, heavy use of virtualization mechanisms results in hardware, software, networks, and even system components all potentially being shared with other tenants. Vulnerabilities in another tenant’s application or service has the potential to affect your applications and data and as a result, hackers constantly seek ways to penetrate and exploit various layers within each unique cloud framework.
- DATA LOSS AND LEAKAGE - Most large organizations go to great lengths to ensure the security of data in their enterprises. By moving data to public cloud storage, organizations forfeit a great deal of control over data loss prevention. Remember, regardless of where your it lives, you are legally responsible for protecting any sensitive data you collect, process, and store. It is important that your CSP’s data handling practices meet the protection requirements for both your organization and any relevant regulatory bodies.
- ACCOUNT, SERVICES, AND TRAFFIC HIJACKING - Session and account hijacks are often the result of phishing attacks, malware, and fraud. In a common scenario, attackers steal the session ID provided to an individual user, enabling the attackers to impersonate the identity of the victim. Once attackers gain access to a compromised account they possess all of the privileges provided to the associated account holder. In a cloud environment that relies heavily on shared resources and trusted users, an attacker can cause significant damage through privilege escalation, XSS, and CSRF.
Similar to other platforms, the cloud platform carries inherent risks that can be mitigated, but only if teams clearly understand where cloud applications are vulnerable and how they can be attacked – and most importantly, know how to mitigate them proper design elements, defensive coding, and targeted security testing.
Check out our Cloud Center of Excellence page for more information on our Cloud related services and training offerings.