Development Threats And Countermeasures For Cloud Computing
Regardless of whether you're developing an app, a service, or a website, you'll need to deal with common threats and vulnerabilities. So, even before you publish your work, you must make sure you have already put countermeasures in place to prevent malicious individuals, and even your own users, from breaking your program or platform. After all, you know how devastating the aftermath can be if the cloud computing your business relies on becomes instrumental in a cybercrime.
To help you out, here are some of the most common threats your cloud computing project may face and the countermeasures you can put in place to prevent them.
SQL injection
SQL injection is a prevalent threat, and many huge companies have fallen victim to it. Most security experts even rank it among the dumbest cyber threats that still work to this day. If your app uses SQL and a database, you must make sure that users cannot send anything your server may construe or interpret as an SQL statement. (1)
A few common ways to counter it are to be precise with your database privileges, filter and validate any data coming from users, and take advantage of the newer SQL- and database-related functions and frameworks of the language you use.
Leftover debug code
There are times when developers insert lines of code into their programs to make them easier to debug. Forgetting to remove that code may allow your users to discover it, and malicious individuals may then exploit it for their own gain.
To counter this threat, either make sure you release a version with all of that code removed, or take a different approach to debugging, such as making debug facilities available only server-side.
Denial of service (DoS)
The concept of denial of service is simple: deny your service to its legitimate users by making it unavailable to everyone. It's commonly done by using multiple computers or users to consume all of your server's bandwidth, memory, or computing capacity. For example, attackers can use an automated script to hit your app or website's login page, or download files, thousands of times in minutes, which can slow your server down or even crash it. (2)
There are multiple ways to counter this kind of threat, depending on the type of attack launched against you. You can start with something simple, like preventing users from accessing your app or platform too many times in a short period by timing them out. If you expect to deal with distributed DoS (DDoS) attacks, you may want to invest in application front-end hardware or a third-party security service to protect you.
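One way to implement the time-out countermeasure described above, as an added example that is not code from the original article: a per-client sliding-window rate limiter in Python. The request limit, window and time-out values are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `max_requests` per `window` seconds
    per client key (e.g. source IP or account); offenders are timed out."""

    def __init__(self, max_requests=5, window=60.0, timeout=300.0):
        self.max_requests = max_requests
        self.window = window
        self.timeout = timeout
        self.history = defaultdict(deque)   # key -> timestamps of recent requests
        self.blocked_until = {}             # key -> time when the time-out ends

    def allow(self, key, now=None):
        """Return True if the request may proceed, False if it is throttled."""
        now = time.monotonic() if now is None else now
        if self.blocked_until.get(key, 0.0) > now:
            return False                    # still serving a time-out
        q = self.history[key]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget requests outside the window
        if len(q) >= self.max_requests:
            self.blocked_until[key] = now + self.timeout
            q.clear()
            return False
        q.append(now)
        return True


def simulate(limiter, key, timestamps):
    """Feed a constructed burst of request times; return the decision per request."""
    return [limiter.allow(key, t) for t in timestamps]
```

A fourth hit inside the window triggers the time-out, and other clients are unaffected while one is blocked.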
Public APIs
Nowadays, most cloud computing programs and platforms publicly provide an application programming interface (API) to allow other apps and entities to communicate with them. Unfortunately, providing a public API comes with problems of its own, and the countermeasure against its misuse is to make it secure.
- First, don't allow anonymous API access. Make everyone authenticate before they can use your API.
- Next, take advantage of sessions and unique tokens. Don't let anyone stay authenticated forever on a single machine; make sure that API connections to your system expire.
- Lastly, create a system to monitor who is accessing your app or platform via the API. After all, even if you do the previous two steps, it doesn't mean that you're safe from exploitation, abuse, and vulnerabilities you may have overlooked.
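The three steps above carried through in Python, as an added example (not code from the original article): every call must present a token, tokens are HMAC-signed with an expiry, and each decision is logged for monitoring. The signing key and client ids are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from collections import Counter

# Hypothetical server-side signing key; load it from a secret store in practice.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
access_log = []  # (timestamp, client_id or None, endpoint, allowed)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, ttl_seconds, now=None):
    """Step 2: issue a signed session token that expires after ttl_seconds."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": client_id, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the client id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:  # session expired: the client must re-authenticate
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None

def handle_request(token, endpoint, now=None):
    """Step 1: no anonymous access; step 3: record every call for monitoring."""
    now = time.time() if now is None else now
    client = verify_token(token, now) if token else None
    access_log.append((now, client, endpoint, client is not None))
    return client is not None

def failed_calls(log):
    """Monitoring hook: count rejected calls per endpoint to spot abuse."""
    return Counter(e for _, _, e, ok in log if not ok)
```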
End-user attacks
Many data leaks and breaches happen because of end-user attacks, informally referred to as phishing. Unlike most threats, which target your system first, end-user attacks target your users to get the information the attackers need first. Once they succeed, they come back to target you. Some of the forms this takes are phishing, smishing, whaling, and vishing. (3)
While most end-user attacks are usually out of the developer's hands, there are still multiple countermeasures, one of which is multi-factor authentication. Even if malicious individuals have stolen usernames and passwords, they will still have difficulty accessing your service if they don't have access to the other 'factors' required when logging in, like the authentication codes sent to your users' phones and email inboxes.
Side-channel attacks on IaaS
Most of the threats mentioned so far are mainly geared towards Platform as a Service (PaaS) and Software as a Service (SaaS). Meanwhile, Infrastructure as a Service (IaaS), as another part of cloud computing, faces a plethora of complex threats, one of which is side-channel attacks.
Typically, if you're developing or running an IaaS, hiring a Certified Cloud Security Professional (CCSP) is ideal for protecting you from IaaS attacks. If that's not your cup of tea, you have the alternative of training and getting certified yourself. Aside from protecting your product, you can even use the certification as a selling point for your service.
Becoming a victim of, and an instrument in, cybercrime because of your cloud computing in business is devastating. Even if your company is also a victim, your end-users will blame you for alleged negligence and incompetence. Not only will your reputation plummet, but cases involving cybercrime can also cost you thousands, or even millions, of your hard-earned money.
- (1) “The Top 5 Dumbest Cyber Threats That Work Anyway,” Source: https://blog.malwarebytes.com/cybercrime/2017/04/the-top-5-dumbest-cyber-threats-that-work-anyway/
- (2) “Security Tip (ST04-015) Understanding Denial-of-Service Attacks,” Source: https://us-cert.cisa.gov/ncas/tips/ST04-015
- (3) “What Is Phishing? A Brief Guide to Recognizing and Thwarting Phishing Attacks,” Source: https://www.comptia.org/content/articles/what-is-phishing/