Secure by Design - Security challenges of Cloud and DevOps

 
Greenhorn
Posts: 4
Hi,

With almost all applications jumping to the cloud and teams injecting DevOps practices, what are the security challenges and things to consider in this new platform and these development practices?

Thank you
 
Author
Posts: 5
Hi Jon,

This is really a big question, but I'll give it a try.

Moving an application from an on-premise (non-cloud) environment to the cloud isn't an easy task. Some believe it's just a matter of switching data center and cutting costs, but the truth is, designing software to be cloud native is a challenge. For example, when running applications on-premise, you might have made assumptions that inherently are less secure – for example, how log data is stored (on a non-encrypted disk? on the same server?) or how credentials are handled within the application (maybe they're hardcoded or placed in property files?). Consequently, going to the cloud requires deep skills in a development team. Everyone needs to be aware of how data is exposed, where it resides (is it in Europe, the US, China?), and if there are any legal requirements that need to be addressed. How is data stored at rest – encrypted or not? The questions are many.

But this doesn't mean that you should avoid the cloud. On the contrary, it means that you need to be aware of the challenges before doing so. A good practice could be to prepare your team / organization by reading books, attending conferences, etc before "just" moving the software to Azure or AWS (or some other cloud vendor).

Regarding DevOps – I think this is a fantastic movement. All this freedom and flexibility. DevOps finally allows you to build great software and run it, but wait a minute... run your software in production, set up your infrastructure, account management... All this flexibility also brings an equal amount of responsibility! Commissioning / decommissioning servers, configuring networks, dealing with certificates, ... all of this requires profound knowledge and insight into security and how it should be done. This means that if you don't do this correctly, then you'll be in deep trouble. For example, when moving to the cloud and adopting the DevOps culture, you quickly realize how easy it is to set up a new environment. This all sounds great because now you have an "infinite" number of test environments – but this is where the danger lies. What you get isn't an infinite number of test environments, you get an infinite number of production environments! Each environment in the cloud is as potent as your production environment (the only difference is the data in your databases, right?). So, if someone steals your access keys to a "test" environment, then they could fire up new server instances to mine bitcoins, perform DDoS attacks, etc.

So all in all, should you avoid the cloud and DevOps? No, definitely not. This is exactly as with all other things. You need to know what you're doing and do proper analysis before taking the step.

Cheers,

/Daniel
 
Jon Pelipas
Greenhorn
Posts: 4
Hi Daniel,

Big thanks for giving great insight into my broad question.

Sounds like developers will be more integrated into several security aspects of development – which I think is good.

Cheers,
Jon
 