How best to avoid “blind trust” as an app developer
Developers don’t always use shared keys. Sometimes they use shared keys for all user data without implementing or setting up proper role-based access controls. Other times, the insecure shared keys are obtained from corporate IT, and app developers mistakenly assume the keys are secure without checking.
Developers should follow security best practices for sharing and using resources from the cloud storage provider. As the app examples examined above show, using the right access control options can prevent data exposure. Microsoft publishes a helpful security checklist and guidance for Azure Storage that can be found here: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide.
In particular, developers should never reuse cloud resources meant for user data for internal corporate data, and should ensure all shares are appropriately locked down with permissions designed for the stored data.
Developers can also rely on tools to automate the discovery of insecure cloud services as part of their application Software Development Life Cycle (SDLC).
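As an added example (not from the original post or any Symantec product), here is a small SDLC check of the kind the previous paragraph describes: it audits Azure Storage configuration values for an embedded account shared key and for SAS tokens that grant broad permissions on a container or live far beyond a short lifetime. The sample configuration values, the 7-day policy threshold and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample app configuration; account name, key and signatures are placeholders.
SAMPLE_CONFIG = {
    "STORAGE_CONN": "DefaultEndpointsProtocol=https;AccountName=exampleacct;"
                    "AccountKey=Zm9vYmFyYmF6cXV4Cg==;EndpointSuffix=core.windows.net",
    "UPLOAD_URL": "https://exampleacct.blob.core.windows.net/userdata"
                  "?sp=racwdl&se=2099-01-01T00:00:00Z&sr=c&sv=2018-11-09&sig=abc",
    "AVATAR_URL": "https://exampleacct.blob.core.windows.net/avatars/u1.png"
                  "?sp=r&se=2019-05-02T00:00:00Z&sr=b&sv=2018-11-09&sig=def",
}

MAX_SAS_LIFETIME = timedelta(days=7)   # assumed policy: SAS handed to a client expires within a week
RISKY_PERMS = set("wdl")               # write, delete, list: too broad for a container holding all user data

def check_value(name, value, now):
    """Return the list of findings for one configuration value."""
    findings = []
    # A connection string with AccountKey= is the account's shared key: full access to every share.
    if re.search(r"AccountKey=[A-Za-z0-9+/=]+", value):
        findings.append(f"{name}: embeds a storage account shared key (full account access)")
    qs = parse_qs(urlparse(value).query)
    if "sig" in qs:                      # a signed URL, i.e. a SAS token
        perms = set(qs.get("sp", [""])[0])
        if qs.get("sr", [""])[0] == "c" and perms & RISKY_PERMS:
            bad = "".join(sorted(perms & RISKY_PERMS))
            findings.append(f"{name}: container-scoped SAS grants '{bad}' (write/delete/list)")
        se = qs.get("se", [None])[0]
        if se is None:
            findings.append(f"{name}: SAS has no expiry")
        else:
            expiry = datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if expiry - now > MAX_SAS_LIFETIME:
                findings.append(f"{name}: SAS expiry {se} exceeds {MAX_SAS_LIFETIME.days}-day policy")
    return findings

def audit(config, now=None):
    """Audit every configuration value; pass `now` for reproducible results."""
    now = now or datetime.now(timezone.utc)
    return [f for key, val in config.items() for f in check_value(key, val, now)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, now=datetime(2019, 5, 1, tzinfo=timezone.utc)):
        print(finding)
```

Run in CI against the app's build-time configuration, a non-empty result fails the build; the read-only, blob-scoped, short-lived AVATAR_URL passes while the other two values are flagged.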
Finally, developers should strongly consider hiring an app security expert to validate and verify that the data is protected. This is especially important in cases where developers do follow security best practices only to have resources outside their control – often from DevOps and IT – fail to protect their users’ data. For enterprises, Symantec Endpoint Security (SES) protects corporate mobile devices from exploitation of vulnerabilities occurring as a result of app developer oversights. SES detects issues within the app itself – for example, hard-coded credentials, usage of third-party cloud services, and data exfiltration – and protects mobile devices from other network, OS and app-level threats.
Additionally, Symantec Cloud Workload Protect (CWP) proactively scans enterprise cloud services for misconfigurations exposing data, to protect endpoints. CWP can be used to ensure that corporate accounts on cloud services are properly configured and secured.