Cloud Security – The Next Big Thing? Fortify Readiness Scorecard

Use Netsparker


With the paradigm shifting, especially for high traffic or high availability web applications, towards cloud computing – will Cloud Security become the next big thing?

We’ve already seen how you can use a cloud platform like Amazon EC2 for password cracking. So with a lot of companies moving to 3rd party cloud platforms, I’m sure security and data privacy is a concern.

Fortify are addressing this with a free add-on for their existing Fortify 360 product.

Fortify Software has come up with a way for companies interested in moving their applications to a cloud provider can analyse it line by line for security-worthiness in the new environment.

The Readiness Scorecard is effectively a free add-on for the company’s software assurance products, Fortify 360, and the online Fortify on Demand assurance service, able to give companies a vulnerability rating for software as if it was running in a cloud environment. Aren’t code vulnerabilities the same whether they are in the cloud or inside a corporate network?

According to Fortify chief scientist and founder, Brian Chess, the cloud questions coding assumptions that would have been reasonable when an application was originally written. Applications can communicate with one another using insecure protocols, while assumed infrastructure such as DNS servers will in the cloud model be shared and beyond the oversight of the IT department.

I would expect the same, if an application is inherently secure and well programmed with sanitized inputs etc, it should be secure on a regular host and on a cloud computing platform. But then there are inherent risks with a cloud platform such as the way in which the nodes communicate with each other and as mentioned – how DNS is handled.

It’s good practice though to make sure an application assumes less trust when on a cloud platform, make sure all communications are encrypted securely (for example between the front-end and the database) and any data written to the file system is also done securely with correct permissions.

In short, software has to assume less trust and the vulnerability of data must be pinpointed precisely. “When you move to the cloud, your risk profile changes,” said Chess.

The point of the Readiness Scorecard is to give in-house teams a list of both minor and major fixes needed before a given application can be run in the cloud in a way that minimises such risk, he said.

“Like immunising themselves against infection, cloud providers can use Fortify 360 or Fortify on Demand to ensure that bad code introduced by one or more customers doesn’t contaminate their cloud offering,” said Chess.

Current Fortify customers would get access to the Scorecard free of cost from later this quarter while new users would have the feature bundled with subscriptions.

Anyway, if you’re considering moving something to a cloud platform – you could use this tool from Fortify..or not. Just be aware that the risk profile for your application is changing and that you should take precautions to ensure you remain secure.

It’s also important for cloud providers themselves to make sure their platform is configured securely to increase customer security and integrity. As it’s a fairly new model I’d say we still have some way to go with this, it’s definitely the way forward for hosting sites prone to large spikes though.

Source: Network World

Posted in: Networking Hacking, Web Hacking

, ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.