Aardvarks to Zorillas - Anything goes

Many a times it is difficult to find the reasons as to why a cloud application security is very different than any other approaches. A cloud is very similar to a private hosted data center sans the physical security aspects of it. The various components that build up the system can very well be built into the cloud. IdMs, RBACs, Key or Token based Systems. It is only a matter of time where in the Cloud Providers will partner with all these providers to get the economies of scale. The approach to the cloud model is not very much different than to a colocation or a private cloud. The Hypervisor is another component that needs to be managed as part of the Vulnerability Management of resources. What is applicable in a traditional model is still applicable to the cloud and in addition the concerns of the cloud. A few questions to answer.. It is more a logical data flow diagram which can help you identify the type of data on move and at rest and the necessary logical controls therefore r...

I have worked in a few places where PKI has been deployed and managed manually. We have had major issues in managing the keys issued and the nightmare we had as we updated our key management systems. (excel sheets) At one of the organizations I worked for, the system used a internally generated PKI for managing a large set of devices. These devices were issued certificates and are needed to connect to the server. This being an important and critical system involving devices all across the United States and Canada was such a pain to maintain as the certificates expire at different times and it was difficult to keep of track of expiring certificates, equipment that are pulled off the network and those that needs to expired for some reason. The main certificate server based on OpenSSL had the root certificate and the copies of the client certificates were maintained in a USB FoB key and locked away. The process is so contorted and involved two FTEs to handle this job on a regular basis (E...

Security Verification is a process through which Code can be analyzed. However, as prerequisite it needs to be addressed with due consideration of What the application is and the business operation that it supports. The main reason for this is that it would be very difficult to prioritize and address the weaknesses. The threat modeling is an important tool and along with the threat model a security review would be an indispensable tool in identifying the root cause of vulnerabilities – CODE. Based on the prioritized functions and possible attack vectors – For example - Protocol Errors may be a potential area for Input validation problems. Based on the preliminary build, it is possible for a preliminary scan of the code base. This should provide a base input that can again be cleaned up to remove unwanted areas to concentrate the efforts and to move to areas of potential weaknesses. The easiest way to achieve this is to use a Static Code Analyzer, a lot of tools are available both open ...