ORLANDO, USA: Cloud Security Alliance Congress — The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, and the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in technology products and services through the advancement of effective security assurance methods, today released new guidance for the secure development of cloud applications.
The paper, “Practices for Secure Development of Cloud Applications,” aims to provide practical secure development recommendations in the context of critical threats specific to cloud computing.
SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats, said a press release.
“Cloud computing has provided significant advantages to technology users of all kinds, and we have only just begun to explore the possibilities. Though the growth of cloud computing has created new security issues to address, the Cloud Security Alliance has provided the industry with a wealth of effective guidance to help mitigate many of these concerns,” said Howard A. Schmidt, executive director of SAFECode.
“SAFECode’s collaboration with CSA fills an important need given the foundational role of secure software development in the effort to secure both cloud computing and the broader technology infrastructure.”
While the working group's efforts confirmed that each practice identified by SAFECode as fundamental to software security applied equally to cloud software, the group also identified additional practices that should be adopted by those developing software for the cloud, given the unique threats faced in that domain.
This new report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development. It offers practical secure development guidance in the areas of multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues and securing APIs.
To aid others in adopting and using these practices effectively, this paper describes each identified security practice in the context of unique attributes of cloud computing and the associated threats as identified by CSA.
The recommended practices are mapped to specific threats in order to provide a more detailed illustration of the security issues these practices aim to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as useful references that provide additional implementation guidance, added the release.