November 23, 2022

Last Updated on January 14, 2024

Securing an application in the public cloud means building highly efficient security checks into every phase of the application’s lifecycle from build to deploy to maintenance. Once you’ve deployed what you’re confident is a secure application, how do you keep it secure?

To give SMBs a best-practice overview of public cloud application security, a recent episode of The Virtual CISO Podcast features Jeff Schlauder, Founder at Catalina Worldwide LLC. The show’s host is Pivot Point Security CISO and Managing Partner, John Verry.


Full-circle security validation is not enough

Jeff notes that even if you apply security best practices across the whole software lifecycle, from build through deploy, that is still just a point-in-time validation. If you do it monthly or every few months, the passage of time alone inevitably brings change, and change increases security risk.

Therefore, it’s key to run through the entire application validation process with each new build, which for Jeff’s agile team is typically once per week.

“Throughout the six days between deployments we feel really good every step of the way about what’s going to go out,” Jeff explains. “Not just the common, ‘Is there a code vulnerability?’ but is S3 set up correctly? Are these buckets publicly exposed? Some of that is one-and-done and can be automated, but probably 20% of it requires somebody to pay attention to it.”

Some of the steps that are typically not automated are the ones that introduce the most risk. The process takes ongoing management across the overall environment, not just the code and containers but also the operational bits.
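The S3 checks Jeff lists are among the ones that can be automated on every build. The following is an added example written for this post (not Jeff’s or Catalina Worldwide’s code): it evaluates the Block Public Access, bucket policy status and ACL settings that the S3 API returns and reports which buckets are actually exposed. The bucket names and settings are constructed samples; a live run would feed it the output of boto3’s get_public_access_block, get_bucket_policy_status and get_bucket_acl.

```python
# Evaluate S3 bucket configurations for public exposure. Works on the dict shapes
# boto3's get_public_access_block/get_bucket_policy_status/get_bucket_acl return.
from typing import Any, Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def evaluate_bucket(pab: Dict[str, Any], policy_status: Dict[str, Any],
                    acl: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Return (exposed, findings). Block Public Access is honoured: a public policy
    counts only if RestrictPublicBuckets is off, public ACLs only if IgnorePublicAcls is off."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings, exposed = [], False
    missing = [k for k in BPA_KEYS if not cfg.get(k, False)]
    if missing:  # not exposure by itself, but worth reporting on every build
        findings.append("Block Public Access incomplete: " + ", ".join(missing))
    if (policy_status.get("PolicyStatus", {}).get("IsPublic", False)
            and not cfg.get("RestrictPublicBuckets", False)):
        findings.append("bucket policy grants public access")
        exposed = True
    perms = sorted(g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("Type") == "Group"
                   and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS))
    if perms and not cfg.get("IgnorePublicAcls", False):
        findings.append("ACL grants " + "/".join(perms) + " to a public group")
        exposed = True
    return exposed, findings


# Constructed sample: one hardened bucket, one legacy bucket left open.
SAMPLE_BUCKETS = {
    "app-assets-constructed": (
        {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_KEYS, True)},
        {"PolicyStatus": {"IsPublic": False}},
        {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                     "Permission": "FULL_CONTROL"}]}),
    "legacy-logs-constructed": (
        {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_KEYS, False)},
        {"PolicyStatus": {"IsPublic": True}},
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                     "Permission": "READ"}]}),
}


def exposed_buckets(buckets=SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    """Map bucket name -> findings for each bucket judged exposed."""
    results = {n: evaluate_bucket(*cfg) for n, cfg in buckets.items()}
    return {n: f for n, (exposed, f) in results.items() if exposed}
```

In a build pipeline, a non-empty result from exposed_buckets() is the signal to fail the deployment step rather than merely log it.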

A helpful tool in the AWS arsenal is AWS Security Essentials, which scores your environment on a percentage basis. If you’re approaching 100% secure and doing everything that’s appropriate for your business, that’s something to be proud of—and it’s a way to demonstrate on a continuous basis to stakeholders that you’re secure and compliant. Microsoft Azure has a similar tool.


Old-school code review

A best-practice approach that Jeff emphasizes is hands-on peer review of application code.

“It doesn’t matter how great the vulnerability management tools are—there’s value in having a second set of eyes not just on vulnerabilities, but is it the right thing to be doing?” notes Jeff. “Is it the right approach? Is it scalable? Does it go outside of the parameters and the direction of where we want to go?”

In Jeff’s experience, having someone else look at how something was done, not just whether it is secure, is worth the time and cost because it drives quality. Automated tools can catch the vast majority of security glitches, but they will never flag issues of technique or “technology leveraging.” It could be something as simple as declaring a variable and not using it, or failing to deallocate some memory.

“These types of things may not be security issues,” clarifies Jeff. “It’s more about the approach: Did you solve this problem? Is it the right approach to solve the issue? That’s the piece that can sometimes be overlooked without a peer review.”


What’s next?

To listen to this business-level discussion with Jeff Schlauder on public cloud application security, click here.

How do you know if your business is really, truly secure? Here’s a valuable perspective: How Do You Know If Your Business is Really Secure?

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!