One of the important sub-texts of the Cloud is its long-term impact on the development of applications and services. There is still a reasonably high level of user tolerance of poorly behaved software in most on-premise establishments but this will have to change if security in the Cloud is to be maintained.
Security in the Cloud context is also becoming a broad church, encompassing not only the obvious requirement for defence against hacking attacks but also the efficient functioning of all the elements that make up the Cloud. The fundamental requirement is that any specific operational environment (services and applications) not only has to be replicated on any suitably specified virtual server environment in the service provider’s resource – it must also work perfectly. This is fast becoming a prerequisite.
“When you’re operating in your own datacentre the systems administration people can compensate for things the software does that are not perfect,” said Brian Chess, founder and chief scientist with Fortify Software. “In the Cloud that becomes harder to do so it is more important that the software behaves correctly from the beginning. In the end, the degree to which you can trust the software is the degree to which you can trust the Cloud.”
Fortify is already known for its Fortify 360 on-premise security tool, which analyses software for possible security vulnerabilities before they can be exploited. Now the company has updated the tool so that it can identify vulnerabilities that specifically apply to Cloud based environments. This extends its capabilities to service the needs of businesses looking to build private Clouds. In addition, it has adapted the tool so it can be offered as a SaaS service, called Fortify on Demand.
The company has also introduced what it claims is the first software security Cloud Readiness Scorecard, to help development teams to not just evaluate their software for cloud environments, but also identify and resolve specific security vulnerabilities that could appear because of a move to a cloud environment.
“The potential for cost savings and increased business agility with the Cloud is very appealing but users are in practice apprehensive about it,” Chess said. “They don’t know what will happen to their software and data once they go to the cloud. So our point is that if you can trust your software when you go to the Cloud you can move with confidence. If you don’t trust your software you’re not going to realise the benefits of the Cloud.
“We think we can give people insight into their software and what is going to happen when they move to the Cloud, much more so than they can get from just looking at the software from the outside. We’re looking at it from the inside.”
In both Fortify 360 and Fortify on Demand (the SaaS version), the system can examine the code of an application and determine where and how any element of it might be exploited. The types of attack are still the common ones of SQL injection, buffer overflow and the rest, but the company has added a number of checks that provide greater visibility and control over how these vulnerabilities can be exploited in a Cloud environment.
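To make concrete what "examining the code to determine where it might be exploited" means in practice, here is an added example (not Fortify's code) of a toy source-to-sink taint analysis over Python's own AST, the basic technique static analysers use to find SQL injection; the untrusted-input function `request_param` and the `cursor.execute` sink are assumptions.

```python
# Added example, not Fortify's code: a toy source-to-sink taint analysis over Python's
# own AST, flagging SQL text built from untrusted input that reaches cursor.execute().
import ast

SOURCES = {"input", "request_param"}  # hypothetical functions returning untrusted data
SINK_ATTR = "execute"                  # sink: <anything>.execute(<sql>, ...)

class TaintFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, message)

    def is_tainted(self, node):        # does the expression carry source-derived data?
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name) and f.id in SOURCES:
                return True                        # direct read of untrusted input
            if isinstance(f, ast.Attribute) and f.attr == "format":   # "...".format(x)
                return self.is_tainted(f.value) or any(map(self.is_tainted, node.args))
            return False
        if isinstance(node, ast.BinOp):            # "..." + x  or  "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):        # f"...{x}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):                  # propagate taint through assignments
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value): self.tainted.add(target.id)
                else: self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):                    # report tainted SQL text at the sink
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr == SINK_ATTR and node.args:
            if self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, "untrusted data reaches execute()"))
        self.generic_visit(node)

def find_sqli(source_code):
    finder = TaintFinder()
    finder.visit(ast.parse(source_code))
    return finder.findings

# Constructed inputs: string concatenation (flagged) vs. a parameterised query (clean).
VULNERABLE = 'name = request_param("user")\nquery = "SELECT * FROM t WHERE n = \'" + name + "\'"\ncursor.execute(query)\n'
HARDENED = 'name = request_param("user")\ncursor.execute("SELECT * FROM t WHERE n = %s", (name,))\n'
```

Real analysers also track taint across function calls, containers and sanitisers; this version only follows simple assignments and string building, which is enough to show why the parameterised form is reported clean.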
According to Mike Armistead, VP of Business Development, the approach can work with just about all types of software but it will require a number of different approaches, depending on the software type. “Clearly, for applications that you build or are built for you we can do source code analysis. If it is something you have bought, but you have the executable code, that can be analysed. If it is infrastructure or applications running in the Cloud we advise users to ask for the equivalent of a Fortify Report. This gives an independent party check on the applications used. Obviously customers don’t have the right to access the service provider’s code themselves,” he said.
In this last scenario, service providers can use Fortify 360 to validate themselves and issue a report. Armistead sees this approach working for both Cloud service consumers, where they can use the tools at appropriate points in their own software environment to gain the maximum benefit, and Cloud service providers.
“They are in a good spot to help those clients and use the tools to both strengthen their own offerings and to determine which applications they want to accept in certain environments,” he said. “They have to be careful what they accept as it could contaminate their own environment.”
Armistead suggested that, these days, hackers are sneaky in that they will exploit a vulnerability in an application but they won’t use it as a direct target. “But they will use it to play a program into the network. And if that is a shared environment then they have a very rich target.”
Fortify recently joined the Cloud Security Alliance (CSA), which does give the potential for Fortify on Demand to become part of a CSA package of security best practices. It would certainly make some sense for there to be a recognised process by which service providers can indicate their own levels of security assurance. In addition, there is a potential need to be able to validate a customer’s environment to identify possible vulnerabilities before they are taken on, particularly during the early years of Cloud services development, where so many poorly-behaved applications are to be found in regular use.
“The attraction of joining the CSA is that they collectively see security as an enabler of business,” Armistead said. “Many people still see security as the brake but the CSA very much wants it to be the accelerator. If we can get security right then we can do lots of very cool stuff in the cloud. But if we don’t get it right then nobody is going to want to play.”
The CSA has already outlined a number of steps software should go through on its way to the cloud, including undertaking a secure development lifecycle, and this is a point where Fortify and the CSA are very much aligned, as Fortify comes from the software developer point of view.
Microsoft has, of course, traditionally been the primary target for hackers, and many of the applications users will need to work with will be based on its applications and servers. The company is already a member of the CSA and, according to Armistead, is well aware of its history as a security target and has taken significant steps to counter this issue.