The transition to cloud - an opportunity to get application security right



It has generally been true that most data breaches in traditional infrastructure were caused by entirely avoidable attacks. It will most likely also be true that many successful attack techniques in the cloud will be entirely avoidable, provided that enterprises, software makers, and cloud service providers each take their separate roles in mitigating vulnerabilities seriously.

Consider what Neira Jones, head of payment security at Barclays, said recently about SQL injection attacks: that such attacks account for 97% of data breaches globally.

While I think that the overall percentage of total attacks attributed to SQL injection is far too high, I still have no doubt that most attacks can be avoided, and that the most important fight is over the inherent security of the software we use, from our operating systems and on-premise applications to web browsers and cloud applications.

Web application security testing has been important since we started placing applications on the web in the 1990s. Back then, however, most software vendors paid no attention to the flaws inherent in their software. In fact, it was worse than that: they fought security researchers tooth and nail in an effort to bury any potential problems. The end result of software not being properly vetted was waves of disruptive worm attacks, and eventually the mess we have today, in which most skilled attackers can target companies at will.

Today, I’d argue that the multi-tenant, highly virtualized, many-to-many nature of cloud computing makes application security exponentially more important than it has ever been before.

This moment also creates enormous opportunity, if enterprises demand that service providers and application developers do their job and produce secure, resilient applications. Quality application security testing makes it possible for service providers to show enterprises that their applications and platforms have indeed been vetted for flaws, and this type of due diligence goes a long way toward reassuring enterprise decision-makers, such as CIOs and CISOs, that they can trust the provider to host their applications and data.

In this Gartner report, Application Security Testing of Cloud Services Providers Is a Must, the research firm advises cloud service providers that they should:


1. Demand assurances from cloud providers that their software, through which they provide services, has been tested for security vulnerabilities. Security testing of cloud providers' systems, conducted by reputable independent application security testing vendors, is a preferred option. An alternative is security testing conducted by the cloud provider itself.

2. Accept security certificates issued by a trusted security vendor if they meet your industry's and your enterprise's security standards.

I agree fully, and this is the type of action enterprises should have been demanding from software makers, service providers, and hardware providers for years. Unfortunately, they did not do so in numbers that effected much change in vendor attitudes or software quality. Today, with the mass transition to cloud, the industry has an opportunity to get it right.

# # #


George V. Hulme has been writing about enterprise technology and IT security for nearly two decades. You can also find him tweeting about those topics on Twitter @georgevhulme.