The Expert's View with Rémy Marot

Navigating Cloud Security Concerns: Best Practices for Web Applications

Understanding the Shared Responsibility Model, Common Vulnerabilities, and Strategies for Enhanced Cloud Web Application Security

Cloud adoption has seen a major uptick in the past three years. While it was more of a necessity during the pandemic, businesses are now revisiting their decisions given the concerns around cloud security. Since businesses can't do without the cloud today, they need a better understanding of the best practices that address those concerns.

Cloud shared responsibility model

Although the shared responsibility model differs between cloud providers, all of them share the same principles around the following two aspects:

  • Web Application Security Code: Writing secure code is the customer’s responsibility. Cloud service providers do not patch the code when a vulnerability exists. In some cases, a cloud provider may offer services to help mitigate the issues, such as web application firewalls.
  • Identity and access management: The customer is responsible for defining identities in the context of its web application and must determine how the permissions model is established and applied to its users.

Common web application vulnerabilities

Web applications deployed on cloud infrastructures can suffer the same vulnerabilities as applications deployed on-premises. Even if cloud providers offer additional security services, which are often optional and require an advanced configuration, security flaws present in a given application are not automatically patched.

However, the impact of these vulnerabilities can be more severe on cloud infrastructures as an attacker may be able to reach other cloud resources. This could include gaining access to more sensitive information or performing arbitrary modifications, depending on their permissions.

Data exposure and cloud resource misconfigurations

By design, cloud providers offer services that are, most of the time, exposed on the internet by default. Because of this open nature, users are required to configure additional security controls to restrict access to sensitive data.

Data exposure can arise from different sources, such as CI/CD-based development files and cloud resource misconfiguration.

DNS record takeovers

A DNS record takeover is when an attacker hijacks a subdomain of an intended target domain. Depending on the service and application, DNS takeover attacks can vary from an attacker performing a simple content injection to capturing sensitive data or even setting up a realistic phishing application.

Insecure APIs

Internal or third-party APIs are commonly used to process application logic for cloud-based web applications, especially when they are built upon a microservices architecture. However, these APIs may not meet secure design principles, resulting in security vulnerabilities that directly impact the application.

Software supply-chain attacks through dependency confusion

In December 2020, the SolarWinds supply chain attack demonstrated the importance of securing your software development environment and software delivery mechanism. The SolarWinds attack revealed how software compromised at its source can have devastating consequences, especially with a large customer base.

SaaS-based applications permissions management

SaaS-based applications are easier for cloud customers to manage, especially when it comes to infrastructure and application patching. However, many SaaS administrators often overlook the need to properly configure and ensure that necessary permissions are applied, particularly for data access and identity management.

Resource exhaustion and financial loss

Cloud infrastructure is used to build highly resilient services that are distributed and scaled across multiple data centers, and even across multiple providers, helping customers reduce the risk of Denial of Service (DoS) attacks on their services. Under the “pay as you go” subscription model, many cloud customers pay based on the resources they use, including CPU usage, memory, storage or bandwidth usage, among others. If an attacker takes advantage of these resources, cloud customers are the ones to foot the bill.

Mitigation Key Takeaways

Securing web applications on the cloud requires a combination of measures from both the cloud service provider and the customers themselves. Here's an expanded view of the provided best practices for enhancing cloud web application security:

Defined Responsibilities: Clearly outline and assign responsibilities among all parties involved in the development, deployment, and maintenance of web applications. This ensures accountability and clarity regarding who handles specific security aspects, mitigating confusion and potential oversights.

Continuous Vulnerability Assessment: Implement regular and automated assessments to identify and address vulnerabilities in both web applications and associated cloud resources. This ongoing evaluation helps in staying proactive against emerging threats and weaknesses.

Comprehensive Inventory Management: Maintain a comprehensive inventory of all web application components and their respective cloud resources. Regularly audit dependencies, ensuring they are from trusted sources and have the correct versions. This practice reduces the risk of using outdated or compromised components.

Least Privilege Principle: Adhere to the principle of least privilege when configuring permissions for cloud resources and SaaS applications. Limit access rights to only what is necessary for each user or service, reducing the potential impact of a security breach or data exposure.

Secure Development and Deployment Chains: Ensure that the software development and deployment processes prioritize security. Avoid exposing sensitive information during the development or deployment phases that could be exploited by unauthorized entities.

Microservice Architecture Security: Evaluate and enforce rigorous security assessments for microservice-based architectures. This ensures that each component of the architecture is secure, preventing potential compromises that could lead to unauthorized access or exploitation of other cloud assets.

Logging and Monitoring: Enable comprehensive logging for all components involved in web applications and regularly review alerts. This proactive approach allows for the detection of potential abuses or security breaches, enabling timely responses and mitigation measures.
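The dependency audit described under Comprehensive Inventory Management, and the dependency confusion risk named earlier, can be checked automatically. The following is an added example, not code from the author or from any vendor: it audits an npm lockfile, and the registry hosts, the `@acme/` scope, the approved version list and the sample lockfile are all assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumed policy for this example; all hosts, scopes and packages are hypothetical.
PUBLIC_REGISTRY = "registry.npmjs.org"
INTERNAL_REGISTRY = "npm.internal.example"
INTERNAL_SCOPES = ("@acme/",)
APPROVED = {"@acme/billing-client": "2.4.1", "left-pad": "1.3.0"}

# Constructed lockfile in the npm lockfileVersion 3 layout (not real data).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "shop-frontend", "version": "1.0.0"},
    "node_modules/left-pad": {
        "version": "1.3.0", "integrity": "sha512-CONSTRUCTED",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/@acme/billing-client": {
        "version": "2.5.0", "integrity": "sha512-CONSTRUCTED",
        "resolved": "https://registry.npmjs.org/@acme/billing-client/-/billing-client-2.5.0.tgz"},
    "node_modules/@acme/ui-kit": {
        "version": "3.1.0",
        "resolved": "https://npm.internal.example/@acme/ui-kit/-/ui-kit-3.1.0.tgz"},
}})

def audit_lockfile(lock_text):
    """Return sorted (package, finding) tuples for entries that break policy."""
    findings = []
    for path, meta in json.loads(lock_text)["packages"].items():
        if not path:  # the "" key is the root project, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        host = urlparse(meta.get("resolved", "")).hostname
        # Internal-scope names must never come from the public registry.
        expected = INTERNAL_REGISTRY if name.startswith(INTERNAL_SCOPES) else PUBLIC_REGISTRY
        if host != expected:
            findings.append((name, f"resolved from {host}, expected {expected}"))
        if "integrity" not in meta:
            findings.append((name, "no integrity hash recorded"))
        if name not in APPROVED:
            findings.append((name, "not in approved inventory"))
        elif meta.get("version") != APPROVED[name]:
            findings.append((name, f"version {meta.get('version')} != approved {APPROVED[name]}"))
    return sorted(findings)

if __name__ == "__main__":
    for pkg, issue in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {issue}")
```

Running a check like this in the CI pipeline, and failing the build on any finding, turns the inventory from a document into an enforced control.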

Implementing these best practices collectively strengthens the security posture of web applications hosted on the cloud. It's crucial to view security as a continuous and evolving process, adapting to new threats and technology changes while maintaining a proactive stance toward potential risks.

About the Author

Rémy Marot

Staff Research Engineer

Rémy joined Tenable in 2020 as a Senior Research Engineer on the Web Application Scanning Content team. Over the past decade, he led the IT managed services team of a web hosting provider and was responsible for designing and building innovative security services in a Research & Development team. He also contributed to open source security software, helping organizations increase their security posture.

Interests outside of work: Rémy enjoys spending time with his family, cooking and traveling the world. Being passionate about offensive security, he enjoys doing ethical hacking in his spare time.
