SAFECode and the Cloud Security Alliance Release Guidance for the Secure Development of Cloud Applications
New Paper Outlines Practical Software Security Recommendations to Address Threats Specific to Cloud Computing
Orlando, Fla. – Cloud Security Alliance Congress – Dec. 5, 2013 – The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, and the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in technology products and services through the advancement of effective security assurance methods, today released new guidance for the secure development of cloud applications. The paper, “Practices for Secure Development of Cloud Applications,” aims to provide practical secure development recommendations in the context of critical threats specific to cloud computing.
SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats. The joint technical working group analyzed existing secure software development practices and secure design considerations as outlined in the SAFECode publication “Fundamental Practices for Secure Software Development 2nd Edition” in the context of CSA guidance, including “The Notorious Nine: Cloud Computing Top Threats in 2013.”
“Cloud computing has provided significant advantages to technology users of all kinds, and we have only just begun to explore the possibilities. Though the growth of cloud computing has created new security issues to address, the Cloud Security Alliance has provided the industry with a wealth of effective guidance to help mitigate many of these concerns,” said Howard A. Schmidt, Executive Director of SAFECode. “SAFECode’s collaboration with CSA fills an important need given the foundational role of secure software development in the effort to secure both cloud computing and the broader technology infrastructure.”
While the working group’s efforts confirmed that each practice identified by SAFECode as fundamental to software security applied equally to cloud software, it also identified additional practices that should be adopted by those developing software for the cloud, given the unique threats faced in that domain. This new report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development. It offers practical secure development guidance in the areas of multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues and securing APIs.
“It is our hope that by bringing together practical experience in both cloud computing and software security, we are able to offer secure development guidance that is both highly actionable and effective at addressing the unique security considerations of cloud software developers,” said Said Tabet, Senior Technologist, EMC Corporation and one of the paper’s primary authors. “We encourage individual enterprises to tailor our recommendations to meet their needs and to use them as part of a larger software security process that should continue to evolve alongside advancements in cloud computing.”
To aid others in adopting and using these practices effectively, this paper describes each identified security practice in the context of unique attributes of cloud computing and the associated threats as identified by CSA. The recommended practices are mapped to specific threats in order to provide a more detailed illustration of the security issues these practices aim to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as useful references that provide additional implementation guidance.
“Practices for Secure Development of Cloud Applications” is available immediately for free download at www.safecode.org and www.cloudsecurityalliance.org.
It was authored by Bryan Sullivan, Microsoft; Said Tabet, EMC; Edward Bonver, Symantec; Judith Furlong, EMC; Steve Orrin, Intel; and Peleus Uhley, Adobe Systems, Inc.
Note for CSA Congress Attendees: The paper’s key authors will discuss the paper today at the Cloud Security Alliance Congress in a panel titled “Developing Secure Software for the Cloud: What’s Unique? What’s the Same?” The panel will be held on Dec. 5 at 10:15 a.m. as part of the Emerging Technology and Trends Track.
About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org and follow us on Twitter @safecodeforum.
About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.