Cybersecurity: How cloud applications can be made more secure
Companies are increasingly using cloud services, but these services often have security vulnerabilities. A new security software is now intended to prevent the resulting cyber attacks.
The founding members of Code-Shield include (from left to right) Dr. Johannes Späth, Prof. Bodden from the Fraunhofer Institute IEM, Manuel Benz and Andreas Dann.
Many companies move their IT infrastructure to “clouds”, use the storage and computing capacities of cloud services or program applications directly in the cloud.
As a result, cloud computing is a growing market. While this offers many advantages, it also requires special security precautions. Many applications contain vulnerabilities that are exploited by hackers, and cyber attacks on cloud software systems are constantly increasing. The software Code-Shield, from the company of the same name, is now intended to detect and automatically fix such vulnerabilities. Code-Shield is a spin-off of the Fraunhofer Institute for Mechatronics Design Technology IEM and the Heinz Nixdorf Institute of the University of Paderborn.
Cyber attacks on vulnerable cloud containers
Many companies are not prepared for such cyber attacks, yet these often have consequences for data security. Hackers frequently exploit vulnerable web interfaces, misconfigured interfaces, or weak access protocols, and sensitive data can be stolen as a result.
“Targets of hacker attacks are, for example, openly writable buckets of companies. In this type of cloud container, data is stored in the form of objects. The attacks are possible, for example, if the bucket is not read-only and can thus be accessed publicly,” explains Prof. Eric Bodden, scientist at Fraunhofer IEM. Together with colleagues from the Heinz Nixdorf Institute, he launched the Code-Shield spin-off and developed a tool that analyzes, evaluates, and fixes vulnerabilities in the security of cloud applications.
Automatically detect vulnerabilities
With Code-Shield, the start-up wants to put a stop to hackers. The software automatically analyzes vulnerabilities in the program code, focusing on cloud-native applications, such as Spotify and Netflix. Electric scooters, which have been part of the streetscape for some time, are also connected to a cloud. The applications are hosted directly with the cloud provider.
The program code is also written in the cloud and is then made available, for example, through Amazon Web Services, a well-known provider of these services. The difficulty: the interfaces and components offered by the providers are not easy to handle. They enable programmers to develop new applications in a short time, but if the interfaces are configured incorrectly, private data can be unintentionally made public. The Code-Shield software is designed to automatically detect and visualize these vulnerabilities in real time. It presents the complete cloud infrastructure in the form of diagrams, from the website and app to the code and the data container, so that programmers can quickly identify possible problems and attack points. Components such as third-party open source libraries can also be integrated, displayed and checked.
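To make the misconfiguration described above concrete (the openly writable bucket Bodden mentions, and the incorrectly configured interface that exposes private data), here is an added example that is not Code-Shield's code: it scans an S3 bucket policy for statements that grant read or write access to everyone. The two sample policies are constructed, and the check intentionally does not evaluate Deny statements, bucket ACLs or Block Public Access, so a hit is a lead for review rather than a verdict.

```python
import fnmatch
import json

# Constructed sample policies (not from the article): a bucket open to everyone,
# and one that only grants a named IAM role access.
PUBLIC_WRITE_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_public_principal(p):
    # "*" or {"AWS": "*"} means anyone, including unauthenticated callers
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _matches(pattern, action):
    # IAM action matching is case-insensitive and '*' is a wildcard (fnmatch semantics)
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def public_access(policy_json):
    """Report which access kinds the policy grants to everyone and whether any
    such grant carries a Condition (which may narrow it and needs manual review).
    Caveat: Deny statements, bucket ACLs and Block Public Access are not evaluated."""
    findings = {"read": False, "write": False, "conditional": False}
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        patterns = _as_list(st.get("Action", []))
        for kind, actions in (("read", READ_ACTIONS), ("write", WRITE_ACTIONS)):
            if any(_matches(p, a) for p in patterns for a in actions):
                findings[kind] = True
                findings["conditional"] |= "Condition" in st
    return findings

if __name__ == "__main__":
    print(public_access(PUBLIC_WRITE_POLICY))  # read and write open to everyone
    print(public_access(PRIVATE_POLICY))
```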
Fingerprinting method and data flow analysis
In order to detect vulnerabilities in the code, the tool uses a so-called fingerprinting method. The open source components are downloaded from the cloud and a fingerprint is calculated for each component. Insecure code is thus recognized immediately when it is integrated into an application again at a later time.
Code-Shield also analyzes the program code that developers write themselves, store in the cloud and continually edit in order to adapt and extend functionality. For this code, the software carries out daily data flow analyses which, among other things, check user inputs in the front end in order to quickly detect manipulation. Specially developed algorithms make these analyses possible. Many IT security tools produce false reports at rates of 70 to 80 percent, comparable to a spell checker that marks errors in every sentence where there are none. According to the scientists, however, the rate of false reports from Code-Shield is less than five percent. For example, the software discovered security vulnerabilities in the Corona-Warn-App before its release.
The Code-Shield technology was awarded the Ernst Denert Software Engineering Award in 2019. The company is funded by the European funding programme Start-Up-Transfer-NRW and the BMBF programme Start-Up-Secure.
This post originally appeared on our partner portal Industry-of-Things.de.