Security review is a plan that will be needed for many Cloud deployment. Currently, many security review are paper in nature and lack clarity on the security requirements for many organisations. It should be a standardised process to be conducted for all applications. A checklist is one way that can be provided for developers. Template use cases can also be given to speed up the review process. Two common security to take note in your checklist is infrastructure and application.
Infrastructure security leverage on PoLP (principles of least privilege) as the guideline in the design. They are usually configured at infrastructure objects for cloud platform. These are the common checkpoints you can take note.
- Secure all root and administrative access to authorised users.
- Ensure network subnets are segregated from public Internet access.
- Ensure that your applications and services are segregated with the right security policies.
- Ensure you have the appropriate user roles and security groups.
- Implement services to detect, protect and mitigate against threats like DDoS attacks.
- Data or network traffic must be encrypted.
Application Security are setup or built within the application. Your checklist must include the following key points.
- Authentication must be setup to prevent malicious access.
- Authorisation must be enabled at functions or data level.
- Application must protect against SQL injection.
- Cross-side scripting must be disabled.
- CORS must be secured and used with cautious.
The above are standard checklist that can help you kickstart or speed up your security review process. It is important to develop your application with security requirements and not fix security at the last moment.