Securing your Cloud-based Applications (Part 1)
This is Part 1 of the 3-part series on the security of your Cloud-based applications
53% of CIOs see overall security risks as a barrier to cloud adoption. But the idea that moving your applications to the cloud is risky or somehow less secure is, frankly, outdated. Career cybersecurity professionals see it the other way, overwhelmingly agreeing that moving applications to the cloud usually has a net positive impact on security. It’s not a sure thing that moving your applications to the cloud will improve the overall security (thus the “usually”), but if you know the basic process for securing cloud-based applications, it is all but guaranteed. In this series of blog posts, we will break down a 3-step process for securing your cloud-based applications so you can enjoy the benefits of the cloud (performance, scalability, resilience, etc.) while actually improving overall security. Security is an iterative process–more about the journey than the destination–and like any journey, it starts with a single step.
The first step is to tackle the most common web vulnerabilities. In a world where hackers have millions of easy targets to choose from, taking even the most basic security measures will make your application less enticing and reduce your risk immeasurably. But how do you know what the “most common vulnerabilities” are? Fortunately, the Open Web Application Security Project (OWASP) was created to answer this exact question. It’s a global, not-for-profit collaboration of IT security professionals who share data and real-world experience to map out and rank the most critical web and mobile application security flaws that attackers are exploiting in the wild right now. The list they maintain, known as the “OWASP Top 10”, represents the source of over 95% of web and mobile security breaches. The current list includes:
- Broken Authentication and Session Management
- Cross-Site Scripting
- Insecure Direct Object References
- Security Misconfigurations
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
The next question is how you can check your web and mobile apps to see whether they are vulnerable to these security flaws. You can read the excellent OWASP documentation and do it manually, but fortunately there is a thriving market of IT security tools created for just this purpose. There are lots of tools to choose from, but the one we’ve had the most consistent success with is NetSparker Cloud. It’s extremely comprehensive, and it works with the widest variety of web applications.
The challenge with any automated vulnerability scanner is knowing how to interpret the (sometimes overwhelming) results they spit out. If you have a cybersecurity professional on your internal team, or in your network, this is in their wheelhouse. If not, we strongly recommend you engage a contractor or a consulting firm that specializes in securing cloud-based applications. They will be able to help you understand exactly what needs to be fixed and why.
If you don’t have a cybersecurity expert at your beck and call, we can help. We have partnered with a Boston-based firm that can execute the entire process for you, even purchasing the license on your behalf and conducting a meeting with your web developers to ensure the fixes actually get implemented.
Please fill out the form below or shoot me an email and I will make the introduction. The cost for a one-time scan is $699, or $999 if you want a scan and a re-scan.