PaaS & Security - Problems, Solutions, Vendors
Platform-as-a-Service (Paas) is a cloud computing model where the service provider offers a platform that enables customers to develop, run, and manage applications. The service provider maintains the infrastructure for developing and running the applications.
Typically, the customer develops the application for a sandbox having limited supported languages and configuration options. The service provider offers the computing infrastructure, operating systems, middleware, and preinstalled software packages to facilitate running the applications.
PaaS is commonly used for web server hosting, as well as for services like Google App Engine, which allow users to develop their own code to be run in a limited sandbox.
For performance reasons, applications from multiple customers are typically run in the same operating system instance. The applications may be isolated from each other using containers or some language-specific sandbox mechanism (e.g., the Java virtual machine).
A major security risk, beyond those for IaaS, is an application breaking out from its sandbox. Containers were not originally designed to be secure against breakout (particularly if the user is able to utilize some vulnerability to obtain root privileges). Programming language sandboxes have been found to be even more fragile; for example, new vulnerabilities are typically found and patched in the Java virtual machine every month.