In our travels as cloud application and cloud infrastructure consultants, nubeGO consultants have contributed to web applications for both B2B and B2C clients, hosted in private VPCs or openly accessible on the internet through the public cloud. Security is at the top of our list and at the forefront of our minds whenever we embark upon a new advisory or implementation project. Securing your web applications shouldn't be an afterthought, even when building internal applications for use on internal systems; that's why we encourage our clients to consider the guidelines of the AWS Well-Architected Framework and the OWASP Top 10 when designing for security.
The OWASP Top 10 list of web application security threats is updated by OWASP every year with the latest common security risks for developers and operations engineers to consider when designing and implementing their web application systems. The current set of top 10 risks to consider is:
Sensitive Data Exposure
XML External Entities (exposing external resources through XML flaws)
Broken Access Control
Use of Components with Known Vulnerabilities
Insufficient Logging and Monitoring
If your engineers aren't confident they can spot the code and configuration that puts the system at risk of these vulnerabilities, one of the most effective means of defence is to implement regular security vulnerability screening as part of your CI/CD pipeline. Tools such as FindBugs (Java), Puma (C#) and SonarQube (multiple languages) provide quick, free, open-source static screening of application source code that can be triggered by your build and deployment tools.
Enterprise tools such as CheckMarx and Nexus Lifecycle provide more comprehensive security review and scanning procedures across your entire system, from CVE (Common Vulnerabilities and Exposures) checks and static code analysis to malware scanning and security testing tools.
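As an added illustration of the kind of CVE-style check such tools run inside a pipeline (this is example code, not code from nubeGO or from any of the tools named above), the following Python gate compares a constructed lock file against a constructed advisory list and returns a non-zero status when a pinned component falls in a vulnerable range; the package names and CVE ids are placeholders:

```python
"""CI gate for the 'Components with Known Vulnerabilities' risk: fail the
build when a pinned dependency falls inside a known-vulnerable version range."""

# Constructed advisory feed: (package, first affected, first fixed, id).
# The CVE ids are placeholders, not real advisories.
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "CVE-0000-00001"),
    ("otherlib",   "2.0.0", "2.3.0", "CVE-0000-00002"),
]

# Constructed lock-file content in "name==version" form.
LOCKFILE = "examplelib==1.3.9\notherlib==2.3.0\nsafelib==0.9.1\n"

def parse_version(text):
    """'1.4.2' -> (1, 4, 2): compare numerically, so 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in text.split("."))

def parse_lockfile(text):
    """Return {name: version} for every 'name==version' line."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Return [(name, version, advisory_id)] for every pin with
    first_affected <= version < first_fixed."""
    findings = []
    for name, lo, hi, adv_id in advisories:
        version = deps.get(name.lower())
        if version is None:
            continue
        if parse_version(lo) <= parse_version(version) < parse_version(hi):
            findings.append((name, version, adv_id))
    return findings

def gate(lockfile_text):
    """Exit status for the pipeline step: 0 when clean, 1 when findings exist,
    so the build tool stops the deployment on a non-zero result."""
    findings = find_vulnerable(parse_lockfile(lockfile_text))
    for name, version, adv_id in findings:
        print(f"FAIL {name}=={version} matches {adv_id}")
    return 1 if findings else 0
```

Note that otherlib==2.3.0 is exactly the first fixed version and so passes, while examplelib==1.3.9 sits inside the affected range and fails the build.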
To protect against misconfiguration and monitoring gaps, nubeGO can help you perform an Audit, Assessment and Advisory initiative to understand any risks to your systems and help you define a plan for ongoing protection and remediation. Our qualified Cloud Solutions Architects and Development Best-Practice consultants can work with you to defend against the OWASP Top 10 security risks.