Security nous lacking in cloud app development

Hewlett-Packard exec says developers' poor grasp of security practices when building cloud-based enterprise software could lead to code having loopholes hackers can exploit.
Written by Jamie Yap, Contributor

The maturing cloud computing trend has spurred more enterprise applications to be built for access via the cloud network, but one Hewlett-Packard executive argues that developers have yet to evolve in tandem with regard to putting security at the forefront of their processes.

Matt Bertram, chief technologist of software at HP Asia-Pacific and Japan, pointed out that coding a secure app for enterprise use is both a challenge to overcome and a major pitfall to avoid for many IT departments. Developers of traditional enterprise software obviously have coding knowhow, but many may not be aware of security best practices for cloud-based applications and this may leave loopholes in the code that hackers may exploit, he said in an interview on Thursday.

Bertram noted that security is an oft-quoted concern among companies as to why they have no plans to migrate to the cloud. So this lack of awareness on cloud-based security on the developers' end is all the more pressing, particularly with hackers seemingly moving from attacking corporate networks to targeting the applications themselves, he explained.

With cloud computing thrown into the software development mix, he acknowledged that coding becomes more complex. Security comes in multiple levels and would move away from just securing the network perimeter to focusing on how to safeguard the application from external threats, he said.

The core elements of app development, such as performance, quality, resilience, and security, remain the same, but ensuring these are not compromised becomes ever more important when developing an app for a cloud environment, the HP executive stressed.

This is because such apps would be more visible and exposed than internal ones, and should breaches occur, the negative impact on the business would be seen and felt more keenly, he explained.

Furthermore, for apps with "cloud-bursting" capabilities, developers would need to build apps that are "smarter" and selective in matching infrastructure resources with the business activities' needs, he noted. Cloud bursting generally refers to an application tapping into additional compute power--either from reserve internal resources or from third-party public cloud providers--after existing capacity provisioned for the software has been exhausted.

Vigilant code checking, testing important
This is why it is important to implement security measures early on during the code writing stage, as well as carry out security testing or troubleshooting earlier in the application lifecycle, Bertram suggested. Increasing one's security awareness does not mean just writing good code, but being able to identify and correct badly written code at earlier stages too, the HP executive said.

The IT vendor, for one, has tools that can help scan the code of enterprise applications to weed out poorly written code that increases the likelihood of a security breach, he added.

He also called on developers to increase their collaboration with the security community, which would help them in writing their apps more securely.

All said, Bertram believes enterprises will increasingly pay attention to designing applications that are optimized for the cloud, given that more of them have finished virtualizing their IT infrastructure.

"It's a logical progression. After infrastructure has been sorted with virtualization, automation, and self-service, the game now is building and delivering innovation to the business via applications," he stated.
