With more and more companies deciding that migrating applications to the cloud is an attractive option, many still do not fully assess the associated risks. Attacks are becoming increasingly sophisticated, and companies now face several risk concerns, whether remote access to key applications over the internet, data loss, or a lack of visibility into cyber threats and vulnerabilities. When moving existing applications into the cloud, it is no longer enough simply to check physical, procedural and digital perimeter security.
1. Information Leakage & Data Breaches
It is every CIO’s nightmare that their precious data falls into the wrong hands, and with high profile companies like Adobe, eBay and Target experiencing severe data breaches in recent years, these attacks are unfortunately becoming more common. One issue is that a multi-tenant cloud environment can potentially be a one-stop shop for intruders targeting corporate applications and data: if an attacker gets far enough, applications and sensitive information can be compromised. Because many designers of legacy web applications fail to protect properly against information leakage, a single flaw in a single application can be the equivalent of an open door, giving an attacker access to the application and to the sensitive data behind it.
2. Input Validation
Input validation is vital to application security. User-supplied information, such as personal data, is often provided to applications via input fields and stored by the application for future reference. These input fields are the major entry points for attackers, giving them the opportunity to steal personal data if the application does not validate what it receives. The majority of the high profile security vulnerabilities recently seen in web applications result from failures of input validation or error handling, ranging from SQL injection to buffer overflows. Effective input validation is vital for your applications to be secure in the cloud.
3. XSS (Cross Site Scripting)
XSS vulnerabilities have been around almost as long as the web itself. XSS attacks expose real vulnerabilities in your code, giving intruders an avenue to steal data, run malicious code and take control of a user’s session. Despite being a known problem for over twenty years, sites continue to suffer XSS attacks. New technologies bring new ways of using XSS to exploit applications, such as the Tweetdeck breach earlier this year, where code embedded in tweets drove an XSS exploit. With over 90% of all websites having at least one vulnerability, and 70% of those vulnerabilities being XSS-related, XSS is a real problem that can compromise sensitive user data.
4. CSRF (Cross Site Request Forgery)
CSRF attacks work because of vulnerabilities in the framework of Web 2.0: a browser attaches the user’s session credentials to a request regardless of which site caused it to be sent. A successful CSRF attack can compromise end user data and operations, potentially compromising an entire web application and giving attackers the opportunity to steal data directly from the user rather than from the organisation. Organisations can protect themselves from CSRF attacks by issuing a randomly generated token at the beginning of each new session and checking it on requests, with the token expiring at the end of the active session.
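The per-session token defence described above, as an added example that is not code from the original article; it assumes an in-memory session store and a hypothetical state-changing "transfer" endpoint standing in for a real web framework.

```python
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session backend (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        # Fresh random session id and CSRF token, both minted when the session begins.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Ending the session discards its token, so an old token cannot be replayed.
        self._sessions.pop(sid, None)


def csrf_token_for(store, sid):
    """Token the server embeds as a hidden field in its own forms for this session."""
    sess = store.get(sid)
    return None if sess is None else sess["csrf"]


def handle_transfer(store, request):
    """Hypothetical state-changing endpoint; request = {'cookie': sid, 'form': {...}}.
    The browser sends the session cookie even on a request forged by another site,
    but that site cannot read the token, so a missing or wrong token exposes the forgery."""
    sess = store.get(request.get("cookie"))
    if sess is None:
        return 401, "no valid session"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the expected token.
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer accepted for " + sess["user"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    genuine = {"cookie": sid, "form": {"csrf_token": csrf_token_for(store, sid), "amount": "100"}}
    forged = {"cookie": sid, "form": {"amount": "100"}}  # cookie rides along, token does not
    print(handle_transfer(store, genuine)[0], handle_transfer(store, forged)[0])  # 200 403
```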
5. Session Management Vulnerabilities
According to the 2014 Cenzic Vulnerability Report, session management vulnerabilities are the most widespread vulnerability affecting applications. With 79% of all applications affected, attackers can insert themselves as valid website users, meaning the data legitimate users enter on the site can be compromised. Session management is the process of tracking a user’s activity and interactions across a website. It is most widely used after a user signs in to a site, mainly on social networks or online commerce sites. By exploiting these vulnerabilities, attackers can hijack user sessions, impersonating the user and stealing their data.
In summary, companies need to ensure that the structural security of their custom-developed applications is given the highest level of attention and prioritised appropriately when executing a wider cloud transformation programme. In realising the potentially significant benefits that cloud can bring, do not expose your business to additional risk by overlooking these critical factors.