Secure application development for the cloud best practices

Why follow best practices?

Understanding and following best practices as well as building in the cloud on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform™, Kubernetes, containers, and applications will enable you to get the most out of your toolkit. This includes more security as you are building, more proficiency with the tools and services you are using, better structure, faster environment, a reliable system that will withstand outages, and a more cost-effective solution.

Examples of Best Practices

Every product or service being used has a bad, ok, good, and best way to be used. Let’s look at some common examples:

Commenting in Code

For instance, when learning how to write code, no matter which language, the first thing you learn is how to comment in code; not commenting is bad because you or other teammates might not understand the code you wrote, leading to more confusion and slowing down workflows. The best practice would be folding your comments or writing comments so that you and anyone else can understand what the comments are and what the code is meant to accomplish.

Tagging resources

Not using tags or labels with your resources in the cloud is not the best way of building. Tags can let you know who owns the resources and what project it is a part of, enabling you to know the purpose of each resource. Also, tags help you to find resources and they are often used by cybersecurity platforms for organization purposes and exceptions. A comprehensive tagging process can help security and development teams see the entire software supply chain, making it easier to identify and limit the scope of attacks. Therefore, having a set tagging process such as a resource owner and project association, will be the best way to leverage tags.

Access control

Allowing everyone access to your environment or resources is a bad practice for obvious reasons. You can add an access control list. However, the best practice is to use multiple layers, such as an access control list, security groups, and access control policies to add access control layers of protection.

Encryption

Encryption is a security best practice. This will protect your data from being publicly readable at rest or in transit.

Think of encryption like this: you are delivering an important message from Barbados to Texas. To keep it confidential, you write it in a special code that only the two of you understand. To further protect your special message, you put it in a locked container and only your friend has the key to get in. This way both your message and the container are protected. This is like using encryption at rest and in transit. Doing nothing is bad. Doing one or the other is better. Two levels of protection are the best practice.

Use Cases

As mentioned earlier there are many different use cases or scenarios. Designing can take a bit of strategic planning and you have to do a bit of a balancing act to find the perfect fit for your goals. At times, for greater performance, you have to use a less restrictive security posture, or you have to spend a more money to achieve the desired goal. These three different use case diagrams will show some common uses, structures and highlight the best practices in these scenarios to help DevOps teams build secure apps.

Use Case 1: Basic Web App

Cloud service providers like AWSAzure, and GCP all have an Architecture Framework that defines best practices for using their services.

For example, AWS has the AWS Well-Architected Framework which is composed of six pillars: Reliability, Cost Optimization, Performance Efficiency, Operational Excellence, Security, and Sustainability. Referencing the diagram below, we will explore how aligning your architecture with design pillars can help you build better.



Source link