Everyone says that the cloud is great for speed, but poor for security. How do software quality pros ensure that the applications they're testing are cloud-ready when it comes to security?
I've always been skeptical of the cloud. Maybe it's because of the nasty security flaws I often find in cloud-based applications. These very applications are often housed in data centers with "flawless" SSAE 16 audit reports. Don't let the salespeople know I told you this: the reality is that "secure hosting provider" doesn't automatically translate into secure applications.
What about mobile threats?
You may also want to bone up on OWASP's top ten list of security vulnerabilities for the mobile enterprise.
Recent news has shown us cloud providers have another security issue to deal with when it comes to the NSA getting their sneaky hands in the pie. Marketing and surveillance aside, software quality professionals need to continue (or start) down the path that has been shown to help address software security vulnerabilities.
That path is finding the low-hanging fruit – the fundamental flaws that study after study show are at the root of most of our application security problems. The Pareto principle applies nicely here: 20 percent of the vulnerabilities create 80 percent of the problems. That's where you need to focus.
The OWASP Top 10 2013 project is a great place to learn more. Once you fix the common application vulnerabilities and are prepared to answer cloud security-related questions, you'll be close to keeping up with the threats and a few steps ahead of the regulators and even your competition.
One thing you have to keep in mind is that some of these web-related security exploits require – or are at least facilitated by – vulnerable hosts accessing your applications (e.g. systems running outdated Java, Adobe plug-ins, and similar browser-side software). As someone in charge of software quality and security, you cannot control that side of the equation, but you can at least do your part to ensure that your applications are reasonably secure and are not actually enabling the problem.
This was first published in September 2013