Application Security in Cloud

Cloud is no longer a new buzzword; organizations are steadily moving to it to save cost and to hand the challenges of running their own infrastructure over to cloud vendors. There are many considerations, and which model to follow depends entirely on the requirements and vision of the organization making the move.

While cost plays a major role, the security challenges remain in place when applications are moved to the cloud.

Applications may still be developed in house and only hosted on the cloud in production. It is very important to simulate cloud security considerations while application development is in progress. In many cases a development environment is less secure than production because testing requires it, but this also poses a challenge: in the push to make the application fast and scalable, some security points may be left out.

To ensure cloud applications are secure enough for business purposes, a few points that can help us secure our environment are listed below.

  • Secure Coding Practice: This forms the first layer of security. Developers should ensure they are not using vulnerable versions of open source components such as jQuery or CSS frameworks for extra customization; while these open doors to ease of access and user interface design, they also create a big security challenge.
  • Source Code Review: Security testers should be involved throughout development, ensuring that each module being developed is free from vulnerabilities. Modules should be tested independently as well as as part of the overall application. This phase is crucial because vulnerabilities often lie not in a single module but in the business logic that emerges when modules are connected together.
  • Threat Modelling: Security testers should ensure threat modelling is performed, keeping business testing, user testing and other challenges in view while performing security testing of applications. Since applications may be developed on the cloud, there is a chance of unauthorized access to code changes if access controls are not tested.
  • Developers' Understanding of Security: This area needs focus because developers and project managers concentrate on getting code to production and, in doing so, lose sight of the organization's security needs and of how application access will work. In particular, developers need to understand how IAM (Identity and Access Management) works in the organization so that it can be taken into account when the application is developed.
  • Encryption is the Key: This is very critical for developers: they should encrypt whatever possible while transactions happen, so that the first level of security is built directly into the application. Any data in transit should be protected by an encryption mechanism.
  • Penetration Testing of Applications: This will always be the most important part, as it is done from the attacker's point of view. To make the exercise more effective, all three types (black box, grey box, white box) should be performed. This ensures the maximum number of pointers are in place before moving applications to production.
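Two of the points above, the IAM understanding and the encryption of data in transit, can be turned into a small check that runs before code is pushed to the cloud environment. The script below is an added example written for this post, not code from the original article: it assumes an AWS-style JSON policy document (the post does not name a cloud vendor), the policy and endpoint samples are constructed, and the `gate` function is a hypothetical pre-deployment step that lints a policy for wildcard grants, refuses plaintext endpoints, and builds an outbound TLS context with verification on and TLS 1.2 as the floor.

```python
"""Pre-deployment checks for least-privilege IAM policies and encryption
in transit. Added example; the AWS-style policy format is an assumption
and the sample inputs below are constructed, not from a real deployment."""
import json
import ssl
from urllib.parse import urlparse

# Constructed sample: the over-broad policy a developer might write to
# "just make it work" in a development environment.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed sample: the same intent scoped to two actions on one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        }
    ],
})

# Constructed sample config: one endpoint was left on plain http.
ENDPOINTS = [
    "https://api.example.com/v1/orders",
    "http://payments.internal.example/charge",
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Hypothetical lint: report Allow statements that grant a wildcard
    action ('*' or 'service:*') or a wildcard resource ('*')."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


def build_tls_context():
    """TLS context for the application's outbound calls: certificate and
    hostname verification on, nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def plaintext_endpoints(endpoints):
    """Return every configured endpoint that does not use https."""
    return [url for url in endpoints if urlparse(url).scheme != "https"]


def gate(policy_json, endpoints):
    """Combine both checks; an empty list means the change may proceed."""
    return policy_findings(policy_json) + [
        f"unencrypted endpoint {url}" for url in plaintext_endpoints(endpoints)
    ]


if __name__ == "__main__":
    for problem in gate(OVERLY_BROAD_POLICY, ENDPOINTS):
        print("BLOCK:", problem)
    print("scoped policy, https only:", gate(SCOPED_POLICY, ["https://api.example.com"]))
```

Run as a script it blocks the constructed deployment on three findings (wildcard action, wildcard resource, one http endpoint) and passes the scoped policy with https-only endpoints; `build_tls_context()` is what the application would hand to its HTTP client so that the "encrypt everything in transit" rule is enforced by configuration rather than by convention.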

There can be more pointers for securing applications in the cloud, but the ones mentioned above will definitely create a more secure atmosphere for applications to run in.
