Software Security: have we nailed it?

Software security has and continues to be a top line issue for most organisations, yet software and IT teams still continue to produce and deploy insecure code and applications with serious consequences for the brand, reputation and, of course finances of their customers and their own organisation.

Creative Intellect in association with the IASA have recently launched a survey that seeks to understand the security challenges across the development cycle and look to see if it is handled better by large or small projects, organisations and if there is a difference across industries.

I thoroughly recommend you taking part in the survey. All respondents will get a free copy of the full report and will be entered into a draw to win a free half day consulting session with Creative Intellect Consulting Ltd in the field of software delivery and application lifecycle management.

The survey link is: http://www.surveymonkey.com/s/SecuritySurvey-CIC

Advertisement

How Secure is your Cloud?

Cloud security is perhaps the number one topic when it comes to cloud computing and this is still definitely the case if you look like meetings like CloudCamp for example. So why then is there not more of a focus on it from the cloud vendors?

In their June report, "Assessing the Security Risks of Cloud Computing" Gartner provided a fairly competent list of questions that customers should raise with their prospective cloud vendors.

1. Privileged user access.
2. Regulatory compliance
3. Data location
4. Data segregation (which includes Encryption)
5. Recovery
6. Investigative support
7. Long-term viability

Although the list is useful, and I especially like number 7 raised in a security context, there are a couple of key points missing, that while they maybe covered in some subtext under these seven items I personally believe they should be raised to the top level. So here’s my additional set of security topics to raise with your vendor:

8. Internal threat management
9. Portability/access
10. SLAs/Penalties
11.Security in depth

Internal threat management

As we all know too well (or should), one of the majority of security threats of traditional data centres comes from within, with the cloud you’re passing this issue on to someone else. So what are the internal threat management procedures of your cloud vendor? How do they safe guard your data from prying eyes? Sure, encryption and segregation are elements that help here, but what are the data centre processes themselves?

Portability/access

A real favourite topic out there that in many ways overtakes the issues of interoperability is that of portability. How do I safeguard my ability to move from one cloud to another?  Once my data is in a cloud how easily (expensive, quickly) can I get it off again? Now add to this the question of secure and robust portability and this becomes a really interesting question to ask.

SLAs/Penalties

So if there is a breach of security what is the cloud vendors policy? Is this transparent? Made publically available? What sort of compensation could you expect? Free hours? SLAs are an obvious discussion point with cloud vendors but are seldom discussed in terms of security.

Security in Depth

This is one I particularly like and relates to internal threat management and processes but specifically to the development and creation of the cloud vendor’s infrastructure itself. Clearly clouds just don’t happen, someone has to build them and that means software engineering. Therefore a clear explanation of their cloud development processes should be clearly articulated at a software development level. This is one of the key lessons Microsoft has learnt over the years and one I know well.

 

So what other security questions would you want answered by your prospective cloud vendor?