
Secure Applications and Services

The Secure Applications and Services (SAS) group at ENISA addresses the security of services and applications, ranging from cloud-based services, web applications to smartphones and smartphone apps. We do this by giving stakeholders (EU businesses, government organizations, consumers and consumer organisations) an overview of relevant information security risks and by making risk-based recommendations: publishing guidelines, best practices, and information security governance tools. We are always looking for interaction and collaboration with both experts and stakeholders; see our contact details at the bottom.

The work of the SAS group can be divided roughly into three areas:

Cloud security

In the past, organizations would buy IT equipment (hardware and/or software) and manage it themselves. Today many organizations prefer to buy IT services from an IT service provider. This trend is generally, and liberally, referred to as ‘going cloud’.

Cloud security risks (ENISA's 2009 report cover)

ENISA has played an important role in giving stakeholders an overview of the information security risks when ‘going cloud’ (ENISA has a more rigorous definition of what this means). For example, our 2009 cloud security risk assessment is widely referred to, across EU member states and outside the EU. Following up on this risk assessment, we published an assurance framework for governing the information security risks when going cloud. ENISA's assurance framework is being used as the basis for some industry initiatives on cloud assurance (such as Eurocloud and CAMM). Recently ENISA published a report on security and resilience in government clouds.

We are following up on our past cloud work with the following activities:

  • Managing security through SLAs: The work of an organization's IT officer has changed as a consequence: instead of setting up hardware and installing and configuring software, IT officers have to manage service contracts with these IT service providers. We will look at how these service contracts can be set up and monitored in such a way that information security is optimized. We are running a survey on how security parameters are currently specified in SLAs. We are also organizing a workshop on security parameters in cloud SLAs, together with OASIS and CSA, at the upcoming OASIS International Cloud Symposium.

  • Critical cloud services: We are also developing a vision on the criticality of cloud services. Cost savings are driving businesses into cloud services hosted in large datacenters, which can deliver computing resources more efficiently than small ones: it is possible to deliver high quality for a good price. Of course, if a cloud service with millions of customers ceases to operate, the impact is big too. We intend to analyze and discuss with stakeholders what the impact of cloud computing service failures could be, and in which circumstances cloud services should be considered "critical infrastructure".


Secure software engineering

Cyber attacks are increasingly targeting software vulnerabilities at the application layer. Vulnerabilities at this layer are well known; for example, OWASP publishes a list of common weaknesses, called the OWASP Top Ten. Addressing these vulnerabilities at the application layer is difficult, however: software at this layer is complex, and its security ultimately depends on the many software developers and software development firms who write web applications, apps, add-ons, libraries, and so on. We are deploying several activities in the area of secure software engineering:

Software design

  • Secure software engineering initiatives stocktaking: We are monitoring EU and international initiatives that try to address the issue of secure software engineering. We will shortly be publishing an overview of the different initiatives in this area. We will organize a workshop in 2011, bringing together these different initiatives in an effort to foster collaboration among them and, at the same time, promote their work.
  • Secure app development: In collaboration with OWASP (OWASP's Mobile Security project), ENISA is addressing the lack of security guidelines for developers of smartphone apps. The goal of this activity is to give smartphone developers a list of design principles and coding techniques for addressing the top ten smartphone risks.
  • Assessment of the next generation of web standards: W3C and other organisations are currently drafting a new generation of web application standards based on HTML, and they will be issuing a final call for comments in Q2 of 2011. We are analyzing (together with DistriNet, KU Leuven) the new web application standards in order to assess the main risks and issues for users, websites, browser developers, web app developers, etc.


Smartphone security

Market analysts predict that smartphones will outnumber PCs by 2013, and that they will be the most common device for accessing the internet. Last year we published a report about smartphone security. The report gives an overview of the top risks and opportunities for smartphone users, and makes recommendations for end-users and IT officers to address these risks. For an overview of the risks, see our smartphone risks top ten.

 Smartphone risks 2010 report cover

We are following up on this work with the following activities:

  • Secure app development: We are drafting, together with OWASP, security guidelines for app developers.
  • App store security: App stores are a new model for third-party software distribution, used not only for smartphones (Android's marketplace and Apple's App Store, for example) but also for social media (Facebook apps, for example), cloud services (Google Apps, for example), and web browsers (Mozilla's add-ons, for example). We published a paper about malware threats to app stores and how to defend against them.
  • Web login on smartphones: (ongoing) Highlighting an important information security opportunity of smartphones: the fact that online authentication can be implemented more securely by using smartphones.
  • Risks and opportunities of IT consumerization: (starting up) Issuing guidelines for IT officers to deal with the emerging information security risks from smartphones and tablets (iPhones, iPads, etc.) entering the workplace.


Contact SAS

We look forward to receiving feedback on our work, and we encourage experts to contact us about collaborating on future ENISA reports.

For feedback or collaboration please contact either Giles Hogben or Marnix Dekker by sending an email (using firstname.lastname@enisa.europa.eu).
