Applications and the data they process are the main assets of a cloud-based business. They carry significant business value, and because they are reachable from the internet, the cost and effort required to attack them are much lower than for systems inside a corporate network, which makes them more exposed to malicious access. Ensuring the confidentiality, integrity, and availability of applications and their data is therefore a precondition for stable and secure business operation.
Application Level Classification
A cloud-based business typically runs a large number of applications, each with a different business value and importance. Enterprises should classify applications according to the business architecture and evaluate how important each one is in the business chain. The resulting ranking guides how security budget and effort are allocated: by concentrating resources and attention on the most critical applications, an enterprise can formulate targeted security strategies and measures that maximize the security and sustainability of its operations. The following is an example classification:
Core business applications: These applications are the core of enterprise business and are directly related to the normal operation and revenue of the business. For example, the core banking system of a financial institution, the transaction system of an e-commerce platform, etc. The security requirements for these applications are very high, and any security vulnerabilities or disruptions may result in significant financial loss and reputational damage to the enterprise.
Sensitive information applications: These applications handle business processes that involve sensitive data, for example patient information management systems in hospitals or case management systems in law firms. The security requirements for these applications are also high: leakage or tampering of sensitive information may result in legal liability, privacy infringement, and reputational damage.
Supporting business applications: These applications provide auxiliary functions in the daily operation of the organization, such as human resources management systems and internal collaboration platforms. The security requirements for these applications are relatively high; a vulnerability may lead to leakage of employee information or confidential documents, or to disruption of internal operations.
Other business applications: These applications are other business systems in the operation of organizations, and their importance to operations is relatively low. For example, customer relationship management systems, conference management systems, etc. The security requirements for these applications are moderate. They need to ensure data integrity and availability, but the level of concern for confidentiality and attack risks is relatively low.
Regular Penetration Testing
For cloud-based businesses, penetration testing is an important means of assuring application security. A penetration test simulates the behavior of real attackers against the running application, usually as black-box or grey-box testing, and finds vulnerabilities that code review and automated scanners miss, which reduces unknown risk and raises the application's security level. Penetration testing should not be a one-time activity but a regular one. Enterprise applications are continuously updated and iterated, and new technologies and components bring new risks; at the same time, attacker techniques keep evolving. Both realities pose a continuous challenge to application security: an application that passed a penetration test at one point cannot be assumed to remain secure. A practical cadence, and the one compliance regimes such as PCI DSS mandate, is a full test at least annually and a re-test after every significant release or architecture change.
Regular Vulnerability Detection and Assessment
A vulnerability is a defect in the implementation of hardware, software, a protocol, or a system security policy that lets an attacker access or disrupt a system or application without authorization. Vulnerability detection and assessment identify such defects in applications, evaluate their impact on application security, and help enterprises fix them promptly. Detection is done with automated tools, with manual analysis, or with both. Automated tools detect only known vulnerability patterns, produce both false positives and false negatives, and cannot give remediation advice that accounts for the enterprise's business context; their findings should be confirmed (for example with a proof-of-concept check) before they are prioritized. For manual detection, Alibaba Cloud provides the Managed Security Service, which customizes a vulnerability detection plan to the enterprise's security needs. The service covers two aspects, vulnerabilities in application systems and components, and vulnerabilities in application code, and supplies remediation plans for what it finds.
For automated detection, Alibaba Cloud provides the Cloud Security Center service. It detects vulnerabilities in application systems by using OVAL rules, web scanners, software composition analysis, PoC verification, and other methods, and covers five categories: Linux software vulnerabilities, Windows system vulnerabilities, web CMS vulnerabilities, application vulnerabilities, and urgent (emergency) vulnerabilities. Each finding comes with a corresponding remediation suggestion.
Application Security Protection
The first line of defense for application security is prevention: reducing the attack surface before an attacker probes it. Enterprises and Alibaba Cloud share this responsibility.
From the enterprise's side, secure development practices must be applied from the start of application development to minimize the attack surface. For example: use TLS rather than plaintext protocols for all application communication; encrypt sensitive data at rest, and store credentials only as salted hashes computed with a slow, memory-hard function rather than as reversible ciphertext; return uniform, customized error pages so that stack traces, internal hostnames, and file paths are never shown to clients; protect core code against tampering (obfuscation, integrity checks); and separate the front end from the back end so that internal back-end addresses are not exposed to clients, with the back end accepting requests only from the front-end tier.
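As an added example (not code from this page or from Alibaba Cloud), the following Python shows two of the practices above in working form: storing credentials as salted scrypt hashes with constant-time verification, and a uniform error response that logs the exception detail server-side under a reference id while the client only ever sees a fixed message. The order lookup, the `db-primary.internal` failure message, and the sample data are constructed for the demonstration.

```python
import hashlib
import hmac
import logging
import os
import uuid

log = logging.getLogger("app")

# Credential storage: a per-user random salt plus a memory-hard KDF (scrypt),
# so a leaked table can neither be reversed nor cracked with precomputed tables.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password):
    """Return a self-describing record: scheme$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: a failed login, never a crash
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# Unified error responses: the client gets a fixed message and a reference id;
# the exception text (which may carry hostnames, queries or file paths) goes
# only to the server-side log, where the id lets an operator find it.
class NotFound(Exception):
    pass


def error_response(exc):
    ref = uuid.uuid4().hex[:12]
    if isinstance(exc, NotFound):
        status, message = 404, "Resource not found"
    else:
        status, message = 500, "Internal server error"
        log.error("unhandled error ref=%s", ref, exc_info=exc)
    return status, {"error": message, "ref": ref}


def handle(view, *args):
    """Dispatch a view function; every exception becomes a uniform response."""
    try:
        return 200, view(*args)
    except Exception as exc:  # the catch-all is the point: nothing leaks by default
        return error_response(exc)


# Constructed sample view with an internal failure that must not reach the client.
ORDERS = {"A100": {"id": "A100", "total": 42.0}}


def lookup_order(order_id):
    if order_id == "A200":
        # Hypothetical backend failure whose message names an internal host.
        raise RuntimeError("connection to db-primary.internal:5432 refused")
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    for oid in ("A100", "A200", "nope"):
        print(oid, handle(lookup_order, oid))
```

The reference id is what makes the uniform page workable in practice: support staff quote it, an operator greps the log for it, and the client never needs the underlying detail.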
Alibaba Cloud has more than ten years of security attack and defense experience and has a large number of successful application cases, such as Taobao, Tmall, Alipay, etc. From the perspective of Alibaba Cloud application security protection, it can be divided into website and mobile application (APP) security protection.
Website Application Security
For website application security, Alibaba Cloud has four major security product pillars, which form a comprehensive cloud security system from the dimensions of traffic security, DDoS security, application security, and host security. They correspond to Alibaba Cloud Firewall, Anti-DDoS, Web Application Firewall, and Cloud Security Center, respectively.
Alibaba Cloud Firewall inspects network traffic to identify malicious behavior. It consists of internet boundary firewalls, VPC boundary firewalls, and host boundary firewalls, which together give unified monitoring of access behavior and fine-grained access control policies between the internet, VPCs, and hosts. These capabilities form a three-layer defense covering the internet boundary, the virtual network boundary, and the host boundary.
Anti-DDoS includes several sub-products and draws on Alibaba Cloud's years of DDoS attack and defense experience to cover the different protection scenarios enterprises face. Anti-DDoS Origin raises the DDoS protection capacity of an enterprise application without changing its architecture and provides up to Tbps-level protection. Anti-DDoS Pro & Premium is a proxy-based mitigation service: the DNS record of the application is changed so that it resolves to the Anti-DDoS scrubbing centers, which clean the traffic and forward only legitimate requests to the origin, with more than 8 Tbps of mitigation bandwidth in mainland China and more than 2 Tbps outside it. Because the protection is a proxy in front of the origin, it only holds if the origin cannot be reached directly: the origin should accept traffic only from the scrubbing centers' back-to-origin addresses, and its real IP address must not be exposed elsewhere.
Web Application Firewall inspects website traffic, blocks malicious requests, and passes only legitimate traffic to the origin, so the website is protected from intrusion and its business and data from compromise. It covers the common classes of web application attacks (such as SQL injection and cross-site scripting) and adds precise access control, scanning protection, CC (HTTP flood) protection, bot management, region blocking, custom responses, and other functions, meeting the protection requirements of a wide range of industries and business scenarios.
Cloud Security Center focuses on protecting workloads such as hosts, containers, and virtual machines, including in multi-cloud deployments. It provides cloud asset management, configuration audits, proactive defense, security hardening, cloud product configuration assessment, and security visualization. Built on large volumes of cloud logs, analysis models, and substantial computing capacity, it forms a security situational awareness platform for the cloud that detects and blocks events such as virus propagation, intrusions, ransomware encryption, vulnerability exploitation, access key leakage, and cryptomining, improving the enterprise's incident response capability as a whole.
Mobile Application Security
As mobile applications have become ubiquitous and store ever more sensitive user data, their security has become critical: vulnerabilities and attacks can lead to user data leakage, privacy exposure, financial loss, and identity theft. Alibaba Cloud provides security service SDKs for this purpose. The mobile client calls the SDK interface, which sends a request to the corresponding cloud security service; the service runs its protection process and returns a response; the client then submits that response to the application server so that the server can verify it and continue the business flow. For example, the Alibaba Cloud Security Authentication Service provides lightweight multi-factor authentication that protects account passwords and enables password-less login, improving both user experience and security. Alibaba Cloud Mobile Application Protection focuses on resisting decompilation and reverse engineering: for Android it provides APK/AAB obfuscation and class-level security obfuscation; for iOS it provides control-flow flattening, bogus branches, instruction obfuscation, and pointer encryption, which substantially raise the cost of reverse engineering. Client-side hardening raises the attacker's effort but does not replace server-side checks; any decision that matters for security must still be validated on the server.
Development Team Security Training
During the application development phase, developers should receive security training; training is also the first stage of the Security Development Lifecycle (SDL). It prevents common classes of defects from being written in the first place, and combined with the later business security testing and penetration testing it reduces late rework, which shortens the overall development cycle while ensuring secure development and deployment.
Development security training usually has standard training content and courses. For enterprises, development security training should follow the following points:
Define red lines for development security, so that developers know what must and must not be done; the red lines mark the boundaries of acceptable practice.
Develop a process for development security training. By establishing a certification mechanism, ensure that developers learn and understand the training courses.
Regularly conduct training and sharing of high-risk vulnerability cases.
Establish development security specifications, code specifications, and other compliance checks.
For development security training content, it is recommended to focus on the following points:
No. | Development Focus | Security Risks
1 | Command injection/execution | Server intrusion
2 | Code injection/execution | Data theft, server intrusion
3 | SSRF (Server-Side Request Forgery) | Internal sensitive information leakage, server intrusion, internal network probing
4 | Deserialization vulnerability | Remote code execution, server intrusion
5 | SQL injection | Mass leakage of sensitive data, database takeover
6 | Arbitrary URL redirection | Phishing, fraud, sensitive information leakage
7 | XSS (Cross-Site Scripting) | Login phishing, sensitive information leakage, execution of sensitive operations
8 | CSRF (Cross-Site Request Forgery) | Execution of sensitive operations
9 | Brute-force attacks on login interfaces | Account takeover (server intrusion when the target is an administrative interface)
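As an added example that is not part of the original page, the following Python puts a vulnerable form beside a hardened form for three rows of the table: SQL injection (row 5), command injection (row 1), and arbitrary URL redirection (row 6). The users table, the hostnames, and the allowlist are constructed for the demonstration; `subprocess.run` is referred to in comments but never executed.

```python
import re
import sqlite3
from urllib.parse import urlsplit


# Constructed sample data for the SQL injection demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# Row 5, SQL injection: the input is spliced into the SQL text, so a quote in
# the value changes the grammar of the statement instead of the value compared.
def find_user_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Hardened: the value travels as a bound parameter and is never parsed as SQL.
def find_user_safe(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Row 1, command injection: one shell string lets metacharacters (; | $( ) `)
# append commands. The hardened version validates the value against a strict
# pattern and builds an argv list for subprocess.run(argv) without shell=True,
# so no shell ever parses the input.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def ping_command_vulnerable(host):
    return "ping -c 1 " + host  # intended for subprocess.run(..., shell=True)


def ping_command_safe(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "1", host]


# Row 6, arbitrary URL redirection: a `next=` parameter used verbatim lets a
# phishing page route victims through a trusted domain. Accept only local paths
# or hosts on an explicit allowlist; everything else falls back to a fixed default.
def safe_redirect_target(target, allowed_hosts, default="/"):
    if "\\" in target:  # browsers treat backslash as slash: "/\evil.example"
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path. "//evil.example" has a netloc and never reaches here.
        return target if target.startswith("/") else default
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        # hostname strips userinfo, so "https://shop.example@evil.example" fails.
        return target
    return default


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "x' OR '1'='1"))  # every row comes back
    print(find_user_safe(db, "x' OR '1'='1"))        # no such user
    print(ping_command_safe("example.com"))
    print(safe_redirect_target("https://evil.example/", {"shop.example"}))
```

The pattern is the same in all three cases: keep untrusted input as data (a bound parameter, an argv element, a validated path or hostname) and never let it become part of a language that an interpreter, shell, or browser will parse.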