September 5, 2013

    Apps aren't always as secure as they claim

    Application security has been getting attention for years. In my mind, its importance increases when an application is deployed to a cloud environment, as the application is more exposed.

    One of the biggest mistakes an organization can make is to take an existing application and simply deploy it to a cloud without first considering what new attack vectors this move opens up.

    When possible, an application should be re-architected for cloud deployment—this allows parts of the application to scale independently, and to be more distributed and resilient. It's really an opportunity to make an application more secure than ever. Forcing a development team to not use the corporate firewall as a crutch will result in a solid application.

    Application security can be a complicated topic, but here are my crib notes: Never trust user input, and always encode output back to the user. Getting those two things right will remove about 80 percent of application security issues.
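The two crib notes above, shown side by side in code. This is an added example, not code from the original post or from Sharetru: the in-memory `users` table, the allow-list username pattern and the greeting template are all constructed here for illustration. Each "unsafe" function trusts raw input or emits raw output; its "safe" twin validates input against an allow-list, passes the value to the database as a bound parameter, and HTML-encodes anything sent back to the browser.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the real database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice <Admin>"), ("bob", "Bob")],
    )
    return conn


# Allow-list: a username is a short lowercase handle and nothing else.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(raw):
    """Reject anything that does not match the allow-list; never try to 'clean' bad input."""
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise ValueError("invalid username")
    return raw


def lookup_unsafe(conn, raw_username):
    """Trusts user input: the query is built by string concatenation."""
    sql = "SELECT display_name FROM users WHERE username = '" + raw_username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_username):
    """Validates first, then binds the value as a parameter so it can only ever be data."""
    username = validate_username(raw_username)
    rows = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def render_greeting_unsafe(display_name):
    """Echoes a stored value straight into HTML: markup in the value is rendered as markup."""
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_safe(display_name):
    """Encodes output for the HTML context it lands in, so the value is shown as text."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))
    print(render_greeting_safe(lookup_safe(db, "alice")[0]))
```

The point of the pairing is that validation and encoding are separate controls: `validate_username` keeps malformed input out of the query, and `render_greeting_safe` protects the page even when a stored value such as `Alice <Admin>` is perfectly legitimate data.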

    After input and output are taken care of, next up is proper authentication and authorization. These should be checked on every page or service request, not just at initial login. Ideally, any administrative functions are run through a separate application, so if a malicious user does compromise an account, the most he can get is a single user's data, not admin access.
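One way to build the per-request checks and the admin separation the paragraph describes, as an added example that is not part of the original post. The session table, role names and profile records are constructed for illustration; the decorator re-resolves the caller from the session on every call rather than once at login, and the admin handlers are registered in a separate route table so that the user-facing application has no path to them at all.

```python
import functools


class AuthorizationError(Exception):
    pass


# Constructed session store: session id -> (username, role). In a real deployment
# this would be a server-side session backed by a signed or opaque cookie.
SESSIONS = {
    "sess-user": ("bob", "user"),
    "sess-admin": ("carol", "admin"),
}

# Constructed per-user data.
PROFILES = {
    "bob": {"email": "bob@example.invalid"},
    "carol": {"email": "carol@example.invalid"},
}


def current_principal(request):
    """Resolve the caller from *this* request's session; nothing is cached across requests."""
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        raise AuthorizationError("not authenticated")
    return session


def requires_role(role):
    """Decorator that re-checks authentication and role on every handler invocation."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(request, *args, **kwargs):
            username, actual_role = current_principal(request)
            if actual_role != role:
                raise AuthorizationError(f"{username} lacks role {role}")
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("user")
def get_profile(request, owner):
    """Role check alone is not enough: also verify the caller owns the requested record."""
    username, _ = current_principal(request)
    if username != owner:
        raise AuthorizationError(f"{username} may not read {owner}")
    return PROFILES[owner]


@requires_role("admin")
def list_all_users(request):
    return sorted(PROFILES)


# Two separate route tables: the user app never exposes an admin handler, so a
# stolen user session cannot reach admin functionality even if the role check failed.
USER_APP = {"/profile": get_profile}
ADMIN_APP = {"/admin/users": list_all_users}


def dispatch(app, path, request, *args):
    """Look the path up in the given app only; unknown paths are refused."""
    handler = app.get(path)
    if handler is None:
        raise AuthorizationError(f"no route {path} in this application")
    return handler(request, *args)


if __name__ == "__main__":
    print(dispatch(USER_APP, "/profile", {"session_id": "sess-user"}, "bob"))
    print(dispatch(ADMIN_APP, "/admin/users", {"session_id": "sess-admin"}))
```

Note that `get_profile` makes two checks: the role check the decorator applies to every request, and an object-level ownership check inside the handler. The second is what limits a compromised account to that single user's data.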

    The last big thing to consider is data encryption: For performance reasons, most organizations don't want to encrypt all data, so the trick is to find the balance of encrypting enough sensitive information so that if you get compromised, data cannot be pieced together to provide useful identification.

    Crib notes, though, are for barely passing, and we want to implement solid cloud security, not just meet minimum certification levels, so go read more at the Open Web Application Security Project (OWASP) website.

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.