SAFECode and the CSA release guidance for secure development of cloud applications

Krystal
ORLANDO, USA: The Cloud Security Alliance (CSA) and the Software Assurance Forum for Excellence in Code (SAFECode) released new guidance for the secure development of cloud applications.

The paper, "Practices for Secure Development of Cloud Applications," aims to provide practical secure development recommendations in the context of critical threats specific to cloud computing.

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats. The joint technical working group analyzed existing secure software development practices and secure design considerations as outlined in the SAFECode publication "Fundamental Practices for Secure Software Development 2nd Edition" in the context of CSA guidance, including "The Notorious Nine: Cloud Computing Top Threats in 2013."

While the working group's efforts confirmed that each practice identified by SAFECode as fundamental to software security applied equally to cloud software, it also identified additional practices that should be adopted by those developing software for the cloud, given the unique threats faced in that domain.

This new report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development. It offers practical secure development guidance in the areas of multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues and securing APIs.

Said Tabet, senior technologist, EMC Corporation and one of the paper's primary authors, said: "It is our hope that by bringing together practical experience in both cloud computing and software security, we are able to offer secure development guidance that is both highly actionable and effective at addressing the unique security considerations of cloud software developers.

"We encourage individual enterprises to tailor our recommendations to meet their needs and to use them as part of a larger software security process that should continue to evolve alongside advancements in cloud computing."

To aid others in adopting and using these practices effectively, this paper describes each identified security practice in the context of unique attributes of cloud computing and the associated threats as identified by CSA. The recommended practices are mapped to specific threats in order to provide a more detailed illustration of the security issues these practices aim to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as useful references that provide additional implementation guidance.
