OWASP - User contributions [en]

Cloud Top 5 Risks with IAAS

2009-10-23T00:14:28Z

Ken Huang: moved Top 5 Risks with IAAS to Cloud Top 5 Risks with IAAS: Cloud

IAAS serves as the foundation layer for the cloud computing. The Top security concerns are:



1) If the business mission critical application is hosted in IAAS environment, the down time due to man mad or nature disaster could introduce significant business risks. There are examples of some companies went bankrupt due to FBI investigation of data breach in IAAS enviroement.

 

2) Physical security of the IAAS environment. 

 

3) The Service Level Agreement

 

4) Compatibility of IAAS and internal legacy infrastructure.

 

5) Regulatory compliance

 

[[Category:OWASP Cloud ‐ 10 Project]]

Top 5 Risks with IAAS

2009-10-23T00:14:28Z

Ken Huang: moved Top 5 Risks with IAAS to Cloud Top 5 Risks with IAAS: Cloud

#REDIRECT [[Cloud Top 5 Risks with IAAS]]

Cloud Top 5 Risks with IAAS

2009-10-23T00:13:02Z

Ken Huang:

Cloud Top 5 Risks with IAAS

2009-10-23T00:11:50Z

Ken Huang: Created page with 'IAAS serves as the foundation layer for …'

IAAS serves as the foundation layer for the cloud computing. The Top security concerns are:



1) If the business mission critical application is hosted in IAAS environment, the down time due to man mad or nature disaster could introduce significant business risks. There are examples of some companies went bankrupt due to FBI investigation of data breach in IAAS enviroement.

2) Physical security of the IAAS environment. 

3) The Service Level Agreement

4) Compatibility of IAAS and internal legacy infrastructure.

5) Regulatory compliance

Category:OWASP Cloud ‐ 10 Project

2009-10-21T20:33:01Z

Ken Huang:

==== Main ====

== Goal ==

Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

== Audience ==

Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

== Managing OWASP Cloud-10 List (Pre-Alpha) ==

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

*Various Risk Scenarios
*Real World Examples
*Possible Mitigations and Security Controls
*Reference to any related Incident

 

==== OWASP Cloud-10 List ====

== Initial pre-alpha list of OWASP Cloud-10 Security Risks ==

{| cellpadding="2" border="1"
|-
| C1 - Privacy of Users
| [Placeholder] - User's private and PII data gets stored in the cloud
|-
| C2 - Enterprise Data Hosted Outside in Cloud
|
|-
| C3 - Accountability and Ownership of Data Security
|
|-
| C4 - Federating User Identity
|
|-
| C5 - Secondary Usage of Data
|
|-
| C6 - Demonstrating Regulatory Compliance
|
|-
| C7 - SLA - Building Right Level of insurance and accountability
|
|-
| C8 - Vendor Lock-In
|
|-
| C9 - Data Backup and Disaster Recovery
|
|-
| C10 - Direct Exposure to Development and Production Environments
|
 

|}

'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

== Other OWASP Cloud-10 Candidates ==

*Service Availability Risk
*Multi-Tenancy
*Integration between cloud and internally hosted services
*Patching and Vulnerability Management
*Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
*Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

 This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

*Various Risk Scenarios
*Real World Examples
*Possible Mitigation and Security Controls
*Reference to any related Incident

 

==== Roadmap (Status) ====

== Alpha State ==

#'''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
#Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
#Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

== Beta State ==

#Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
#Identify additional candidates
#……. (repeat steps as in Alpha)

 

==== Reference ====

== Related Efforts ==

#Cloud Security Alliance - http://www.cloudsecurityalliance.org/
#IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

== Related OWASP Projects ==

#OWASP Top Ten Project
#OWASP Legal Project

 

==== Contributors ====

== Project Leaders ==

[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

[http://www.owasp.org/index.php/User:Ken_Huang Ken Huang]

== Contributors ==

 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

[[Category:Cloud_-_Top_5_Risks_with_PAAS| ]]

Cloud - Top 5 Risks with PAAS

2009-10-21T20:32:01Z

Ken Huang:

According to wikipedia, Platform as a service' (PaaS) is the delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet—with no software downloads or installation for developers, IT managers or end-users. PaaS offerings include workflow facilities for application design, application development, testing, deployment and hosting as well as application services such as team collaboration, web service integration and marshalling, database integration, security, scalability, storage, persistence, state management, application versioning, application instrumentation and developer community facilitation. These services are provisioned as an integrated solution over the web. 

The top 5 security concerns are: 

1: Business Continuity Planning and Disastor Recovery with PAAS vendor. Example: Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March, 2009. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? Alternatively, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful; your executive team may not see the distinction). 

2: Lack of Secure Software Development Process with PAAS vendor. One PAAS offering is the SDLC. The Secure SDLC (SSDLC) is still new and not widely used. The lack of SSDLC could mean insecure code.

3: Vendor Lock In: Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about those legacy applications? Enterprises will still require the skills and infrastructure to be able to run them.

4: Lack of adequate provisions in SLA. the Cloud Computing Bill of Rights provides a useful checklist of protection with which to benchmark a supplier's offering. The upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federal-compliant cloud infrastructures and need to be followed.

5: How to meet compliance demands and control risks when work with a PAAS Vendor 

Reference 

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1361723,00.html 

http://en.wikipedia.org/wiki/Platform_as_a_service http://www.cloudsecurityalliance.org/

http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/6c1cd8a2-8d9d-43e9-a1d8-928e0ca4de78 

[[Category:OWASP Cloud ‐ 10 Project]]

Category:Cloud - Top 5 Risks with PAAS

2009-10-21T20:28:34Z

Ken Huang: Created page with 'Category:OWASP Cloud ‐ 10 Project'

[[Category:OWASP Cloud ‐ 10 Project]]

Category:OWASP Cloud ‐ 10 Project

2009-10-21T20:27:28Z

Ken Huang:

Category:OWASP Cloud ‐ 10 Project

2009-10-21T20:26:38Z

Ken Huang:

Category:OWASP Cloud ‐ 10 Project

2009-10-21T20:22:45Z

Ken Huang:

Cloud - Top 5 Risks with PAAS

2009-10-21T20:17:32Z

Ken Huang:

Cloud - Top 5 Risks with PAAS

2009-10-21T20:01:29Z

Ken Huang:

Cloud - Top 5 Risks with PAAS

2009-10-21T20:00:43Z

Ken Huang: moved Cloud-10 Risks with PAAS to Cloud - Top 5 Risks with PAAS

According to wikipedia, Platform as a service' (PaaS) is the delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet—with no software downloads or installation for developers, IT managers or end-users. PaaS offerings include workflow facilities for application design, application development, testing, deployment and hosting as well as application services such as team collaboration, web service integration and marshalling, database integration, security, scalability, storage, persistence, state management, application versioning, application instrumentation and developer community facilitation. These services are provisioned as an integrated solution over the web. 

The top 5 security concerns are: 

1: Business Continuity Planning and Disastor Recovery with PAAS vendor. Example: Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March, 2009. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? Alternatively, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful; your executive team may not see the distinction). 

2: Lack of Secure Software Development Process with PAAS vendor. One PAAS offering is the SDLC. The Secure SDLC (SSDLC) is still new and not widely used. The lack of SSDLC could mean insecure code.

3: Vendor Lock In: Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about those legacy applications? Enterprises will still require the skills and infrastructure to be able to run them.

4: Lack of adequate provisions in SLA. the Cloud Computing Bill of Rights provides a useful checklist of protection with which to benchmark a supplier's offering. The upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federal-compliant cloud infrastructures and need to be followed.

5: How to meet compliance demands and control risks when work with a PAAS Vendor 

 

Reference 

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1361723,00.html 

http://en.wikipedia.org/wiki/Platform_as_a_service http://www.cloudsecurityalliance.org/ 

http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/6c1cd8a2-8d9d-43e9-a1d8-928e0ca4de78

Cloud-10 Risks with PAAS

2009-10-21T20:00:43Z

Ken Huang: moved Cloud-10 Risks with PAAS to Cloud - Top 5 Risks with PAAS

#REDIRECT [[Cloud - Top 5 Risks with PAAS]]

Cloud - Top 5 Risks with PAAS

2009-10-21T19:59:21Z

Ken Huang: Created page with 'According to wikipedia, Platform as a service' (PaaS) is the delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without t…'

According to wikipedia, Platform as a service' (PaaS) is the delivery of a computing platform and solution stack as a service. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers providing all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet—with no software downloads or installation for developers, IT managers or end-users. PaaS offerings include workflow facilities for application design, application development, testing, deployment and hosting as well as application services such as team collaboration, web service integration and marshalling, database integration, security, scalability, storage, persistence, state management, application versioning, application instrumentation and developer community facilitation. These services are provisioned as an integrated solution over the web. 

The top 5 security concerns are: 

1: Business Continuity Planning and Disastor Recovery with PAAS vendor. Example: Windows Azure platform, Microsoft's cloud computing platform, suffered an outage one weekend in March, 2009. Had your enterprise been using the service, how would the outage have affected the organization's ability to conduct business? Alternatively, it would have been Microsoft's responsibility to fix it, not your IT team's (but be careful; your executive team may not see the distinction). 

2: Lack of Secure Software Development Process with PAAS vendor. One PAAS offering is the SDLC. The Secure SDLC (SSDLC) is still new and not widely used. The lack of SSDLC could mean insecure code.

3: Vendor Lock In: Platform as a Service (PaaS) vendors tend to dictate the database, storage and application framework used, so what about those legacy applications? Enterprises will still require the skills and infrastructure to be able to run them.

4: Lack of adequate provisions in SLA. the Cloud Computing Bill of Rights provides a useful checklist of protection with which to benchmark a supplier's offering. The upcoming National Institute of Standards and Technology (NIST) Cloud Computing Security publication will do a lot to standardize federal-compliant cloud infrastructures and need to be followed.

5: How to meet compliance demands and control risks when work with a PAAS Vendor 

 

Reference 

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1361723,00.html 

http://en.wikipedia.org/wiki/Platform_as_a_service http://www.cloudsecurityalliance.org/ 

http://social.msdn.microsoft.com/Forums/en-US/windowsazure/thread/6c1cd8a2-8d9d-43e9-a1d8-928e0ca4de78

Category:OWASP Cloud ‐ 10 Project

2009-10-21T18:38:10Z

Ken Huang:

Category:OWASP Cloud ‐ 10 Project

2009-10-21T18:28:26Z

Ken Huang: /* Contributors */

==== Main ====

==Goal==
Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

==Audience==
Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

==Managing OWASP Cloud-10 List (Pre-Alpha)==
“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:
* Various Risk Scenarios
* Real World Examples
* Possible Mitigations and Security Controls
* Reference to any related Incident

==== OWASP Cloud-10 List ====

==Initial pre-alpha list of OWASP Cloud-10 Security Risks==

{| border='1' cellpadding='2'
|-
|C1 - Privacy of Users
| [Placeholder] - User's private and PII data gets stored in the cloud

|-
|C2 - Enterprise Data Hosted Outside in Cloud
|

|-
|C3 - Accountability and Ownership of Data Security
|

|-
|C4 - Federating User Identity
|

|-
|C5 - Secondary Usage of Data
|

|-
|C6 - Demonstrating Regulatory Compliance
|

|-
|C7 - SLA - Building Right Level of insurance and accountability
|

|-
|C8 - Vendor Lock-In
|

|-
|C9 - Data Backup and Disaster Recovery
|

|-
|C10 - Direct Exposure to Development and Production Environments
|

|}
'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

==Other OWASP Cloud-10 Candidates==
* Service Availability Risk
* Multi-Tenancy
* Integration between cloud and internally hosted services
* Patching and Vulnerability Management
* Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
* Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

* Various Risk Scenarios
* Real World Examples
* Possible Mitigation and Security Controls
* Reference to any related Incident

==== Roadmap (Status) ====

==Alpha State==
# '''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
# Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
# Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

==Beta State==
# Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
# Identify additional candidates
# ……. (repeat steps as in Alpha)

==== Reference ====

==Related Efforts==
# Cloud Security Alliance - http://www.cloudsecurityalliance.org/
# IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

==Related OWASP Projects==
#OWASP Top Ten Project
#OWASP Legal Project

==== Contributors ====

==Project Leaders==
[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

== Contributors ==

Ken Huang[[|]] 

 

#[https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====

{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

 __NOTOC__ <headertabs />

Category:OWASP Cloud ‐ 10 Project

2009-10-21T18:26:19Z

Ken Huang: /* Contributors */

==== Main ====

==Goal==
Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.

==Audience==
Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

==Managing OWASP Cloud-10 List (Pre-Alpha)==
“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:
* Various Risk Scenarios
* Real World Examples
* Possible Mitigations and Security Controls
* Reference to any related Incident

==== OWASP Cloud-10 List ====

==Initial pre-alpha list of OWASP Cloud-10 Security Risks==

{| border='1' cellpadding='2'
|-
|C1 - Privacy of Users
| [Placeholder] - User's private and PII data gets stored in the cloud

|-
|C2 - Enterprise Data Hosted Outside in Cloud
|

|-
|C3 - Accountability and Ownership of Data Security
|

|-
|C4 - Federating User Identity
|

|-
|C5 - Secondary Usage of Data
|

|-
|C6 - Demonstrating Regulatory Compliance
|

|-
|C7 - SLA - Building Right Level of insurance and accountability
|

|-
|C8 - Vendor Lock-In
|

|-
|C9 - Data Backup and Disaster Recovery
|

|-
|C10 - Direct Exposure to Development and Production Environments
|

|}
'''<center>Table 1: Top 10 Cloud - Security Risks</center>'''

==Other OWASP Cloud-10 Candidates==
* Service Availability Risk
* Multi-Tenancy
* Integration between cloud and internally hosted services
* Patching and Vulnerability Management
* Lack of Transparency in Internal Security Controls and difficulty/complexity of auditing
* Enterprise Intranets exposed directly on Internet (if they move on a Public Cloud)

This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

* Various Risk Scenarios
* Real World Examples
* Possible Mitigation and Security Controls
* Reference to any related Incident

==== Roadmap (Status) ====

==Alpha State==
# '''Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)'''
# Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
# Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

==Beta State==
# Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
# Identify additional candidates
# ……. (repeat steps as in Alpha)

==== Reference ====

==Related Efforts==
# Cloud Security Alliance - http://www.cloudsecurityalliance.org/
# IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models - http://blogs.idc.com/ie/?p=210

==Related OWASP Projects==
#OWASP Top Ten Project
#OWASP Legal Project

==== Contributors ====

==Project Leaders==
[[:User:vinaykbansal|'''Vinay Bansal''']] [[User:Shankar Babu Chebrolu|Shankar Babu Chebrolu]] [[User:Martin G. Nystrom|Martin G. Nystrom]] [[User:Jim Born|Jim Born]]

==Contributors==

Ken Huang

# [https://lists.owasp.org/mailman/listinfo/owasp-cloud-10 Subscribe or read the Cloud-10 mail archives]

==== Project Details ====
{{:GPC Project Details/OWASP Cloud ‐ 10 Project | OWASP Project Identification Tab}}

__NOTOC__
<headertabs/>

OWASP for Kids

2009-10-21T16:43:43Z

Ken Huang:

The goal of this project is to contribute teaching material for teaching Kids on the web application security. The teaching material can be in the format of Power Point, Video, World document or any other format. The goal is to teach kids to use search tool, e-mail, facebook, blog, or general browsing safely. As an initial attempt, I will upload an initial power point document (coming soon) as the reference and I welcome any new contributors to this project.

OWASP for Kids

2009-10-21T16:15:25Z

Ken Huang: OWASP for Kids is the place where you can find or contribute teaching material for web appliation security for kids

The goal of this project is to contribute teaching material for teaching Kids on the web application security. The teaching material can be in the format of Power Point, Video, World document or any other format. The goal is to teach kids to use search tool, e-mail, facebook, blog, or general browsing safely. As an initial attempt, I upload the following power point as the reference and I welcome any new contributors to this project.