The rise in popularity of hosted, cloud and Software-as-a-Service (SaaS) is making life more difficult for developers to secure critical applications. “One of the challenges is exercising controls over the remote infrastructure, especially in multi tenant environments,” says Dr Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute.
“Each development environment will place restrictions on how data is stored and handled by the applications and developers need to educate themselves on the platform before committing to projects.”
Dr Ullrich points to emerging industry standard such as the not-for-profit Cloud Security Alliance best practice and guidance documents as a good check-list for developers to use when selecting a base platform.
“Another focus should be gaining an understanding of new programming techniques that offer better security models for developing in a cloud centric world.”
A good practice that Dr Ullrich highlights is tokenisation, a process that replaces some piece of sensitive data with a value that is not considered sensitive in the context of the environment that consumes the token and the original sensitive data. “This is useful for areas like credit card data and when used with randomisation techniques can strengthen applications that use shared data sources that cannot be encrypted as the source is not under the explicit control of the developer,” he says.
Dr Ullrich has over two decades of experience within IT security and in November of 2000, he started the DShield.org project, which he later integrated into the Internet Storm Center.
In March, Dr Ullrich will be teaching the SANS DEV522: Defending Web Applications Security Essentials in Stuttgart, Germany. The session is the first time this course has been offered in EMEA and is intended for anyone tasked with implementing, managing, or protecting Web applications.
Although the course touches on elements related to new software development areas like cloud and SaaS, Ullrich points out that SQL injections is still the most prevalent threat, “Many of the developers who learnt their skills a decade ago are still not aware how to protect against SQL injection,” he says, “The course is designed to help developers build and protect applications as outlined by OWASP’s Top 10 risks as well as evolving threats which are emerging as software moves into the cloud.”
The course is almost at capacity but Ullrich urges that senior developers about to start projects which are likely to be impacted by shared data from third party clouds or SaaS to consider attending. “The next few years are going to see major changes for developers as the landscape moves from on-premise, to web and ultimately cloud – the level of education around application security also needs to make that same progress,” he adds.
SANS Germany 2012 will take place at Arcotel Camino in Stuttgart from March 5 to 10, 2012. More information can be found at www.sans.org/germany-2012.
