As Jack says, applicable "Security Best Practices" and "common
vulnerabilities" depend a lot on not only what technologies you use to
scaffold your solution but also the threat model (i.e. where attack
surfaces lie, what assets your customer and their stakeholders value,
and what [capable] threats might take interest in promulgating
attack).
Directly to your question, "What security framework should I use?",
the answer is: there isn't a solid cloud-based security model out
there right now. I'm going to suggest a focused tour of some further
reading which might help you. First, the framework: if you're a
one-man or few-man shop on this effort, consider Gunnar Peterson's
triad [*GP1]. Specifically, when you develop a technology component,
consider how to:
* Identity
  * Consider the identity of your customer's users
  * Make sure related user services (user mgmt, impersonation,
    delegation, etc.) 'play' with other services within your solution's
    ecosystem
* Enablement
  * Make use of platform security features
  * Provide intuitive security services as part of your API/platform
    for use in customers' workflow
* Defensive Services
  * Provide logging/monitoring
  * Consider in-application defensive programming [*MC1]
As you make connections to other systems, through XML or otherwise,
think about whether or not you will need any, some, or all of the
following security properties:
* Privacy
* Integrity
* Authentication (proof of sender / receiver / both)
* Availability
Consider whether or not, when you apply the above properties, you'll
want them at the channel, message, or at the field level. The
technology widgets and protocols you'll use to accomplish each of the
above depend on the middleware and the resolution at which you desire
its application.
If the problem you're tackling is larger in scope and your development
team larger than a few people, you may want to ask your client if they
use Zachman, Popkin, or TOGAF for their architectures. In particular,
TOGAF and Zachman have some views that show security properties'
interaction with the other structural/behavioral system components.
...I'd also invite you to look @ OWASP Threat Modeling resources
because the architecture assessments I've done in the past few months
have consistently shown gaps in some block-and-tackle use of services
when moving to cloud.
-jOHN
* [GP1] - http://1raindrop.typepad.com/1_raindrop/2011/01/what-is-it-you-would-say-that-you-do-here.html
* [MC1] - https://www.owasp.org/index.php/OWASP_AppSensor_Project
--
Phone: 703.727.4034
Rss: http://feeds.feedburner.com/M1splacedOnTheWeb
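
An added illustration of the message-level versus field-level choice described above (not part of the original message, and not code from any project it mentions): integrity and authentication applied with an HMAC over a whole message and over a single field. The record, the shared key and all function names are constructed for this example; channel-level protection such as TLS is outside what it shows.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by sender and receiver

def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def _canon(obj) -> bytes:
    # Canonical JSON so both ends compute the MAC over identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def protect_message(msg: dict) -> dict:
    """Message level: one MAC covering every field."""
    return {"body": msg, "mac": _mac(_canon(msg))}

def verify_message(env: dict) -> bool:
    return hmac.compare_digest(env["mac"], _mac(_canon(env["body"])))

def protect_fields(msg: dict, fields: list) -> dict:
    """Field level: one MAC per named field, bound to the field name."""
    macs = {f: _mac(_canon([f, msg[f]])) for f in fields}
    return {**msg, "_macs": macs}

def verify_field(msg: dict, field: str) -> bool:
    expected = msg.get("_macs", {}).get(field, "")
    return hmac.compare_digest(expected, _mac(_canon([field, msg.get(field)])))

def demo() -> dict:
    # Constructed sample record, not taken from the thread.
    record = {"user": "alice", "ssn": "000-00-0000", "note": "hello"}
    per_field = protect_fields(record, ["ssn"])
    whole = protect_message(record)
    # An intermediary adds a routing field in transit.
    whole["body"]["hop"] = "gateway-1"
    per_field["hop"] = "gateway-1"
    results = {
        "message_after_hop": verify_message(whole),
        "field_after_hop": verify_field(per_field, "ssn"),
    }
    # Field level says nothing about fields it does not cover.
    per_field["note"] = "changed"
    results["field_after_note_edit"] = verify_field(per_field, "ssn")
    # A change to the protected field itself is detected.
    per_field["ssn"] = "111-11-1111"
    results["field_after_ssn_edit"] = verify_field(per_field, "ssn")
    return results

if __name__ == "__main__":
    print(demo())
```

The message-level MAC rejects any change, including the intermediary's added field; the field-level MAC survives that change but leaves unlisted fields unprotected.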
On Fri, Oct 21, 2011 at 4:26 PM, Jack Mannino <jack.a....@gmail.com> wrote:
> Upender,
> As Mehmet mentioned, there is a pretty solid mobile security community
> growing in the NoVa area through OWASP. Great resource to check out. Next
> meeting is November 3 (https://www.owasp.org/index.php/Virginia)
> Your question depends on a lot of things. From a security perspective (and
> to some degree, compliance), short of asking you exactly what the
> application does within a public forum as well as the sensitivity of data it
> might hold, the answer to your question may be simple or go pretty deep.
> Depending on the Android platform features you are trying to leverage (i.e.,
> C2DM), you might have an even narrower set of options.
> Have you looked at AWS Elastic MapReduce for Hadoop stuff 'in the cloud'?
> -Jack Mannino
>
> On Fri, Oct 21, 2011 at 3:14 PM, Mehmet Yilmaz <meh...@gmail.com> wrote:
>>
>> Upender,
>>
>> I recommend cross-posting your request to owasp...@googlegroups.com and
>> joining that particular OWASP chapter. We are highly interested in mobile
>> security.
>> Thanks,
>> Mehmet
>> On Fri, Oct 21, 2011 at 10:32 AM, Upen <upende...@gmail.com> wrote:
>>>
>>> Hi,
>>> Can anyone comment on a good platform to develop an Android app with a back
>>> end on the cloud? I've so far shortlisted Heroku (supports Tomcat) and
>>> OpenShift from Red Hat (supports JBoss as PaaS and better monitoring tools)
>>> with SQLite or MongoDB as a non-SQL database. The data for the app I'm
>>> developing may require some intense analysis in the future, for which I am
>>> thinking of some kinda Hadoop base on these cloud-based servers. My
>>> application is for the federal client, which will require a robust security
>>> model. Any recommendations on the security model?
>>> Also, please let me know how I can distribute this Android app within an
>>> enterprise w/o publishing it on Android Market.
>>>
>>> Any suggestion, recommendation and/or URL for existing similar
>>> application is greatly appreciated.
>>>
>>> Thanks
>>> Upender
>>>
>>>
>>>
>>>
>>> --
>>> Please Note: If you hit "REPLY", your message will be sent to everyone on
>>> this mailing list (modevd...@meetup.com)
>>> This message was sent by Upen (upende...@gmail.com) from MoDevDC -
>>> iPhone/Android/Windows/Smartphone Developers.
>>> To learn more about Upen, visit his/her member profile
>>> To unsubscribe or to update your mailing list settings, click here
>>>
>>> Meetup, PO Box 4668 #37895 New York, New York 10163-4668 |
>>> sup...@meetup.com
>>
>>
>> --
>> Mehmet Yilmaz