Application security - AWS Cloud Adoption Framework: Security Perspective

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Application security

Note

Detect and address security vulnerabilities during the software development process and while operating the application.

Organizations are adopting transformative approaches, such as DevSecOps (Development, Security, and Operations), to consistently use, operate, and improve the quality and security within the SDLC using CI/CD pipelines. More components of the end-to-end application architecture and software supply chain are expressed as code. This includes core delivery infrastructure (code repository, pipeline, artifact store, application code, and underlying infrastructure). It's imperative to utilize automation to achieve a high level of security assurance at scale. Integrate dedicated application security capabilities into the various stages of the SDLC using tools and services (AWS services, AWS Partners, AWS Marketplace, and third parties). These can detect and prevent instability, misconfiguration, and vulnerabilities.

Start

Your customers and product owners are asking development teams to release more often, faster, and with more confidence. Begin by selecting a single application team to transform the way they deliver to meet these goals. To integrate security analysis and review processes into the design stage of the SDLC, make use of risk analysis techniques like attack and threat modeling. Threat modeling should be performed during the design phase of a given workload feature or feature change, as these changes may introduce new threats that require you to update your threat model. Take advantage of best practice assessments, like the AWS Well-Architected Framework.

To assure security and quality within the development stage, some developers (champions) within the team assume dedicated security and quality responsibilities to assist with reviews and communication with the centralized teams. Integrating security and quality processes into the development and testing phases of the SDLC helps expedite subsequent reviews by the centralized security team.

Centralized security and operations teams can now focus on developing security guardrails, detective capabilities, enterprise best practices, and automation to support other teams at scale. They can implement automated testing capabilities and tools that support functional, non-functional, and security use cases, in order to rely less on manual auditing and human intervention. Developers interface with these tools during the testing stage of the SDLC in a self-service manner. They use an integrated development environment (IDE), a command line interface (CLI), and tools within the CI/CD pipeline to reduce the number of pre-existing workload vulnerabilities. Carry out these processes.

  • Perform functional application tests (such as unit testing, integration testing, regression testing, and user acceptance testing).

  • Add pre-commit hooks that use static testing tools like awslabs/git-secrets to detect static secrets and sensitive information before code is committed to a source code repository.

  • Conduct static application security testing (SAST) using Amazon CodeGuru (or another tool from the AWS Marketplace) to automatically review code and detect security vulnerabilities.

  • Perform IaC static code analysis using aws-cloudformation/cloudformation-guard to enforce best practices and prevent misconfiguration of AWS resources.

  • Conduct software composition analysis (SCA) to audit known vulnerabilities within publicly available software packages; see How to automate your software-composition analysis on AWS.

  • Generate a software bill of materials (SBOM) and store it with every release.

  • Perform penetration testing in accordance with the AWS Customer Support Policy.
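As an added illustration of the pre-commit secret check in the list above (example code written for this page, not awslabs/git-secrets itself), the following Python scanner applies simplified AWS credential patterns to staged file contents and blocks the commit on a hit. The patterns, the allowlist of AWS documentation placeholder keys, and the sample staged files are assumptions constructed for the example.

```python
import re

# Simplified patterns in the spirit of the AWS checks git-secrets registers
# (an assumption for this example, not git-secrets' own rule set).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Placeholder credentials used in AWS documentation; allowlisted so sample
# configuration does not block commits.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind) findings for credential-looking strings."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            if m.group(0) not in ALLOWLIST:
                findings.append((path, no, "aws-access-key-id"))
        for m in SECRET_KEY.finditer(line):
            if m.group(1) not in ALLOWLIST:
                findings.append((path, no, "aws-secret-access-key"))
    return findings

def precommit_gate(staged):
    """staged: {path: contents}. Returns (ok, findings); ok False blocks the commit."""
    findings = []
    for path, contents in staged.items():
        findings.extend(scan_text(contents, path))
    return (not findings, findings)

# Constructed sample of staged files: documentation placeholders in one,
# real-looking (but made-up) credentials in the other.
SAMPLE = {
    "config/dev.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app/settings.py": "ACCESS_KEY = 'AKIAABCDEFGHIJKLMNOP'\n"
                       "aws_secret_access_key = 'abcdefghijklmnopqrstuvwxyz0123456789ABCD'\n",
}

if __name__ == "__main__":
    ok, found = precommit_gate(SAMPLE)
    for f in found:
        print("blocked: %s:%d %s" % f)
    raise SystemExit(0 if ok else 1)
```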

Applications can use AWS KMS and AWS Secrets Manager to protect passwords and other sensitive data while keeping them out of source code and configuration files. Adding mitigating controls at the edge using tools like AWS WAF and AWS Shield provides protection against common web exploits (also refer to the OWASP Top 10). Bots may affect availability, compromise security, or consume excessive resources, and AWS WAF improves the ability to respond to incidents as they occur. Amazon CloudWatch provides observability of applications, while AWS Security Hub monitors AWS resource misconfigurations against a baseline of security frameworks.

Advance

As the testing tools, detective and preventive guardrails, and automation are tuned and matured, confidence in these capabilities and a noticeable improvement in the speed of software delivery encourage more teams to begin their transformation. AWS Organizations SCPs enable the evaluation, security customization, and use of a growing list of new AWS services. Common architecture patterns start to emerge between teams: a shared library of Well-Architected CI/CD pipeline, infrastructure, and application patterns that can be centralized and made available to development teams in a self-service manner. General-purpose, machine learning-powered code generators, such as Amazon CodeWhisperer, are used to automatically generate personalized recommendations in real time.

The detection and prevention of security and operational flaws are further shifted left to maximize the benefits of discovering vulnerabilities earlier in the SDLC where they are easier and cheaper to fix. Enforcement of testing capabilities using a break-the-build approach is adopted in accordance with the enterprise risk management strategy. More advanced testing capabilities are introduced into the testing stage of the CI/CD pipeline, such as:

  • Functional acceptance testing using Amazon CloudWatch Synthetics canaries to continuously verify customer experience

  • Dynamic Application Security Testing (DAST) from the AWS Marketplace used to analyze real-world vulnerabilities against the runtime operations of the application

  • Resilience testing using AWS Resilience Hub to track and optimize recovery time objective (RTO) and recovery point objective (RPO) of workloads

  • Performance testing using Amazon DevOps Guru to detect, analyze, and make recommendations for operational issues

Production applications begin to adopt Zero Trust architectures that do not solely depend on network perimeters. Instead, network controls are augmented with identity, device, behavior, and other rich context and signals to make more granular, intelligent, adaptive, and continuous access decisions. This may include the use of a service mesh like AWS App Mesh, application authentication and authorization using Amazon Cognito, and reducing the use of long-term credentials using AWS IAM Identity Center (successor to AWS Single Sign-On). Amazon EC2 instances are provisioned and managed at scale using configuration management tooling like AWS Systems Manager. EC2 instances can use automated vulnerability management tooling like Amazon Inspector, and automated patching solutions such as AWS SSM Patch Manager. Container images should be managed through ECR and scanned with ECR image scanning for vulnerabilities. AWS Incident Manager can be implemented to build automated response plans and enable active collaboration when a security incident happens. AWS CodeArtifact can be used to store your application artifacts securely and achieve traceability and accountability through AWS CloudTrail.

Excel

As you collect output from various testing tools across your environment, you can make better use of the vulnerability trending data. You can adjust key performance indicators (KPIs) where needed, and make more data-driven decisions. Centralize output data from your various testing tools using Amazon RDS, and create dashboards with QuickSight. Create KPIs to monitor and drive secure coding behavior at the team, leadership, and individual level. The focus should be on time-of-detection versus time-of-remediation, recurrence of vulnerabilities, security incident remediation timings, and preventable vulnerabilities that made it into production.
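As an added example of the KPIs listed above (code written for this page, not an AWS service), the following Python derives days-to-remediate, recurrence, and preventable production escapes from constructed finding records. The record layout and the set of categories treated as pipeline-covered are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Categories the pipeline's own scanners (SAST, SCA, IaC) are expected to catch before
# release; a production finding in one of these counts as preventable (assumption).
PIPELINE_COVERED = {"sast", "sca", "iac"}

def security_kpis(records):
    """Derive the KPIs discussed above from a list of finding records.

    Each record has: team, finding, category, stage ("pipeline" or "production"),
    detected (date) and remediated (date, or None while still open).
    """
    days_to_fix = defaultdict(list)   # team -> detection-to-remediation durations in days
    occurrences = Counter()           # (team, finding) -> how often it was (re)opened
    escapes = Counter()               # team -> preventable findings seen in production
    open_findings = 0
    for r in records:
        occurrences[(r["team"], r["finding"])] += 1
        if r["remediated"] is None:
            open_findings += 1
        else:
            days_to_fix[r["team"]].append((r["remediated"] - r["detected"]).days)
        if r["stage"] == "production" and r["category"] in PIPELINE_COVERED:
            escapes[r["team"]] += 1
    return {
        "mean_days_to_remediate": {t: mean(d) for t, d in days_to_fix.items()},
        "recurring_findings": {k: n for k, n in occurrences.items() if n > 1},
        "preventable_production_escapes": dict(escapes),
        "open_findings": open_findings,
    }

# Constructed sample records spanning two teams.
RECORDS = [
    {"team": "orders", "finding": "sqli-order-lookup", "category": "sast", "stage": "pipeline",
     "detected": date(2024, 3, 1), "remediated": date(2024, 3, 3)},
    {"team": "orders", "finding": "sqli-order-lookup", "category": "sast", "stage": "pipeline",
     "detected": date(2024, 4, 10), "remediated": date(2024, 4, 20)},  # same flaw reintroduced
    {"team": "billing", "finding": "vulnerable-examplelib", "category": "sca", "stage": "production",
     "detected": date(2024, 5, 1), "remediated": date(2024, 5, 2)},    # escaped the pipeline
    {"team": "billing", "finding": "public-s3-bucket", "category": "iac", "stage": "pipeline",
     "detected": date(2024, 5, 5), "remediated": None},                # still open
]

if __name__ == "__main__":
    for name, value in security_kpis(RECORDS).items():
        print(name, value)
```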

The central team should build reusable libraries for security functionality that can be shared across application teams, as well as golden EC2 AMIs or container images built with EC2 Image Builder. Containers and EC2 instances should be configured to run only signed code, to prevent malicious code from being started. Use AWS Signer to sign code. Include security conformance testing. High or medium risk vulnerabilities should break the build and taint artifacts so that they cannot be deployed to production. Create a bug bounty and responsible disclosure program to crowdsource security testing and receive vulnerability reports.
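The break-the-build gate mentioned in the Advance section and again in the paragraph above can be expressed as a small policy check. The following Python is an added example written for this page (not an AWS tool): it takes merged findings from SAST, SCA, and IaC scanners, fails the build on high or medium severity (and, as an assumption, critical) unless a time-boxed risk acceptance is on record, and writes the verdict into the artifact metadata so later stages can refuse tainted builds. Finding ids, severities, dates, and the acceptance records are constructed.

```python
from datetime import date

# Severities that break the build per the guidance above; CRITICAL is included as an
# assumption, since any scanner that emits it ranks it above HIGH.
BLOCKING = {"CRITICAL", "HIGH", "MEDIUM"}

def evaluate_build(findings, accepted_risks, today):
    """Decide whether an artifact may leave the pipeline.

    findings: list of dicts with tool, id, severity, location (merged scanner output).
    accepted_risks: {finding_id: expiry date} recorded by the risk-management process.
    Returns (verdict, blocking, expired); verdict is "PASS" or "TAINTED".
    """
    blocking, expired = [], []
    for f in findings:
        if f["severity"].upper() not in BLOCKING:
            continue
        expiry = accepted_risks.get(f["id"])
        if expiry is None:
            blocking.append(f)
        elif expiry < today:
            expired.append(f)
            blocking.append(f)  # an expired acceptance no longer excuses the finding
    return ("PASS" if not blocking else "TAINTED"), blocking, expired

def taint_artifact(metadata, verdict, blocking):
    """Attach the gate result to artifact metadata so deploy stages can refuse tainted builds."""
    tainted = dict(metadata)
    tainted["gate"] = verdict
    tainted["blocking_findings"] = sorted(f["id"] for f in blocking)
    return tainted

# Constructed sample: merged output of SAST, SCA and IaC scanners for one build.
FINDINGS = [
    {"tool": "sast", "id": "SAST-0012", "severity": "high", "location": "app/auth.py:88"},
    {"tool": "sca", "id": "SCA-examplelib-1.2.3", "severity": "medium", "location": "requirements.txt"},
    {"tool": "sca", "id": "SCA-otherlib-4.5.6", "severity": "low", "location": "requirements.txt"},
    {"tool": "iac", "id": "IAC-S3-PUBLIC", "severity": "MEDIUM", "location": "infra/bucket.yaml"},
]
# Constructed risk acceptances: one still valid, one that has expired.
ACCEPTED = {"SCA-examplelib-1.2.3": date(2099, 1, 1), "IAC-S3-PUBLIC": date(2020, 1, 1)}

if __name__ == "__main__":
    verdict, blocking, expired = evaluate_build(FINDINGS, ACCEPTED, date.today())
    print(taint_artifact({"name": "web-api", "version": "1.4.2"}, verdict, blocking))
    raise SystemExit(0 if verdict == "PASS" else 1)
```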

Consider using interactive application security testing (IAST), bug bounty programs, or runtime application self-protection (RASP) to further reduce false positives, detect vulnerabilities, and provide defense in depth.

Infrastructure should be ephemeral. Applications should rely on blue/green deployments to roll out fixes, patches, and updates. Use canary deployments to support multiple releases per day across multiple teams. Make your application more security-aware so that it can detect attackers attempting to bypass business logic or fuzzing its inputs, and use CloudWatch Alarms to generate alerts.

Resilience of your infrastructure should be tested using Chaos Engineering with AWS Fault Injection Service.