Microsoft has issued guidance for Azure developers, outlining ways to improve security for cloud applications.
The information, contained in a white paper called Security Best Practices for Developing Windows Azure Applications, is aimed at software developers, architects and testing professionals, and describes security techniques based on Microsoft's Security Development Lifecycle (SDL).
Combining details of potential threats and Azure's security technologies with how Microsoft believes the SDL should be applied to Azure applications, the information has been welcomed but criticisms remain that it is focused on features at the expense of overall security design.
"We've seen a dramatic increase in threats to software. We've met that challenge by adding defences to our systems but also by acquiring development teams at Microsoft that adhere to the SDL," said Michael Howard, one of the authors of the white paper and Microsoft's principal programme manager for security engineering, in a video post on Monday. "But now we face a new challenge: many corporations want to move their applications to the cloud. So a small group of us at Microsoft got together to build [the white paper]."
Professor John Walker, a security expert from Nottingham Trent University, told ZDNet UK on Tuesday he was "quite impressed" with the SDL. He said that providers such as Microsoft and Amazon are working hard to develop their cloud security propositions. "I've been reviewing cloud providers and they are going over the top to provide security," he said.
Walker said that cloud security was in general much tighter than in-house application security.
Jacob West, who manages security research at Fortify Software, was more cynical. "I think for the most part that the document gives excellent guidance on how to use security functionality, such as authentication and access control schemes, to protect applications," he told ZDNet UK on Tuesday. "However, I feel that developers will find the document falls significantly short of the concrete guidance needed to develop applications that provide secure functionality, not just security features.
"Cloud developers must concern themselves with a plethora of vulnerabilities — SQL injection, XSS, etc — that impact their applications, regardless of how they will be deployed. Additionally, cloud developers must learn to avoid a variety of new mistakes that manifest themselves exclusively in the cloud," said West.
Microsoft first announced Azure in 2008, and set it live in January 2010. A month of free usage followed before Microsoft commercialised the platform at the start of February.