6. Cloud Application Security Flashcards

1
Q

Which of the following is not a component of the STRIDE model?

A. Spoofing
B. Repudiation
C. Information disclosure
D. Exploitation

A

Answer: D. Exploitation

STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privileges, not exploitation.

2
Q

In a federated identity arrangement, which organization authorizes users to perform actions on systems or services?

A. The identity provider
B. The service provider
C. The token provider
D. All of the above

A

Answer: B. The service provider

Service providers manage authorization for their service and rely on the identity provider to authenticate users. Token provider is not a typical role in a federated identity arrangement.

3
Q

Henry knows that multifactor authentication consists of at least two items and that they have to be of different types. Which of the following is a valid multifactor authentication option?

A. A complex password and a secret code
B. Complex passwords and an HSM
C. A hardware token and a magnetic strip card
D. A password and an application-generated PIN on a smartphone

A

Answer: D. A password and an application-generated PIN on a smartphone

Multifactor authentication needs to be made up of different types of factors: something you know, something you have, or something you are, like a biometric factor. A password is something you know, and an application-generated PIN from a fob or smartphone is something you have. An HSM is not a factor; it is a storage method. Hardware tokens and magstripe cards are both something you have, and passwords and secret codes are both something you know.

4
Q

Amanda has been told that the organization she is joining uses a sandbox as part of its CI/CD pipeline. With what SDLC phase is the sandbox most likely associated?

A. The design phase
B. The coding phase
C. The testing phase
D. The operations phase

A

Answer: C. The testing phase

Sandboxes are used to isolate code while it is running to allow it to be tested. Amanda is likely to encounter the sandbox as part of the testing phase when the organization wants to isolate its code while it undergoes QA and functional testing.

5
Q

Yarif’s organization uses a secrets management tool to handle its secrets lifecycle. Yarif wants to explain a typical secret’s lifecycle to one of his staff. What order is typical for a secret’s lifecycle?

A. Creation, revocation, rotation, expiration
B. Expiration, creation, rotation, revocation
C. Creation, rotation, revocation, expiration
D. Creation, rotation, expiration, revocation

A

Answer: C. Creation, rotation, revocation, expiration

A typical secrets lifecycle starts with creation, moves on to rotation, may include revocation if needed, and ends with the expiration of secrets at the end of their lifecycle.

6
Q

Heikka has deployed a web application firewall and is preparing to write policies to analyze traffic. Which of the following is not a typical filtering capability for WAFs?

A. Users
B. Privileged database use
C. Session information
D. Application-specific context

A

Answer: B. Privileged database use

Web application firewalls typically provide the ability to filter based on users, sessions, data sent and received, and application-specific context. Database activity monitoring (DAM) tools are used to monitor for privileged database use, among other useful data points for database security.

7
Q

Lin wants to conduct nonfunctional testing of her organization’s new application. Which of the following items is not tested by nonfunctional testing?

A. User acceptance
B. Stability
C. Performance
D. Quality

A

Answer: A. User acceptance

User acceptance is part of functional testing, not nonfunctional testing. Software quality, including its stability and performance, is tested by nonfunctional testing.

8
Q

Software composition analysis tools are used to help protect against which of the following OWASP Top-10 Cloud Native Application Security issues?

A. CI/CD pipeline and software supply chain flaws
B. Injection flaws
C. Improper asset management
D. Insecure orchestration configurations

A

Answer: A. CI/CD pipeline and software supply chain flaws

CI/CD pipeline and software supply chain flaws cover somewhat different areas, but SCA tools are used to address software supply chain flaws. Software composition analysis checks to see which open-source components are part of a software package and allows security professionals and developers to protect against issues in the software supply chain by knowing what components they’re using and relying on.

9
Q

Joanna’s team of developers is reviewing source code to identify potential issues. What type of testing is Joanna’s team conducting?

A. Dynamic
B. Interactive
C. Black box
D. Static

A

Answer: D. Static

Static code review involves reviewing source code to identify issues. Dynamic testing is done with running code. Interactive testing is done by interacting with the code or application as a user would, and black-box or zero-knowledge testing involves testing as an attacker would, without any knowledge or detail of the environment or application.

10
Q

Geoff’s organization has designed its application to rely on Docker. What type of application virtualization model has Geoff’s organization adopted?

A. Sandboxing
B. Containers
C. Microservices
D. Multitenancy

A

Answer: B. Containers

Docker is a container engine. Sandboxing is used to provide a safe, secure environment for testing or isolation. Microservices are small, independent services used to make up a larger service environment. Multitenancy is the concept of multiple users or organizations using the same infrastructure, typically through a virtualized management platform.

11
Q

Jim’s organization uses the Waterfall SDLC model. What occurs after testing and debugging have been finished in the Waterfall model?

A. Quality assurance testing
B. Interactive software testing
C. Operational activities
D. Business rule validation

A

Answer: D. Business rule validation

The last stage of the Waterfall model is the operational phase, which includes support and maintenance. Testing occurs in Phase 5, and business rule analysis is in Phase 2.

12
Q

OWASP identifies cloud-native application security risks. Which of the following should Jean identify as the most critical issue to address to ensure the security of her organization’s SSH keys?

A. Injection flaws
B. Insecure secrets storage
C. Using components with known vulnerabilities
D. Ineffective logging and monitoring

A

Answer: B. Insecure secrets storage

SSH keys are a form of secret, and Jean knows that keeping SSH keys secure is an important part of secure secret storage. Injection flaws can include XSS, SQL injection, and CSRF, among others, but not SSH keys. There’s no mention of vulnerable components, nor is there mention of logging or monitoring issues, but Jean may want to ensure logging is enabled for privileged use associated with administrative accounts.

13
Q

The broad use of many small instances to allow applications to increase or decrease performance as needed is part of what cloud application development pitfall?

A. Scalability
B. Interoperability
C. Portability
D. API security

A

Answer: A. Scalability

Scalability for cloud applications often relies on the ability to easily add or remove small instances to provide more resources as needed. Interoperability is the ability to work across platforms, services, or systems, and doesn’t use many small instances to function. Similarly, portability allows software to move between environments without requiring specific APIs or tools and again doesn’t rely on large numbers of small instances. API security attempts to prevent abuse of APIs and might leverage an API gateway instead of small instances.

14
Q

Which of the following is not a common threat to cloud applications that should be considered during threat modeling?

A. Firmware vulnerabilities
B. Broken authentication
C. Sensitive data exposure
D. Using components with known vulnerabilities

A

Answer: A. Firmware vulnerabilities

Since cloud applications run on virtualized infrastructure in most cases, firmware vulnerabilities are not considered a common threat to cloud applications. Broken authentication, sensitive data exposure issues, and components with known vulnerabilities are all common threats to applications.

15
Q

Murali is using the Process for Attack Simulation and Threat Analysis (PASTA) framework as part of his organization’s security processes. He has just completed Stage 3, factoring applications and identifying application controls. What will he do next in Stage 4?

A. He will analyze and model attacks.
B. He will define business objectives.
C. He will perform threat analysis based on threat intelligence.
D. He will run vulnerability scans.

A

Answer: C. He will perform threat analysis based on threat intelligence.

Stage 4 in PASTA involves performing threat analysis based on threat intelligence after Stage 3’s factoring of applications and identification of application controls.

16
Q

Selah wants to assess her organization’s application security using the Application Security Verification Standard (ASVS), and wants to perform a penetration test as the validation method for security. What ASVS level does she want to use?

A. Level 0
B. Level 1
C. Level 2
D. Level 3

A

Answer: B. Level 1

ASVS is composed of three levels, with Level 1 being the base level that relies on penetration testing for security validation, and moving on through Levels 2 and 3 with increasing levels of validation requirements. Selah’s needs align to Level 1.

17
Q

The auditor that Ian’s company works with has inquired about whether his organization uses a software composition analysis tool as part of its risk management efforts. What capability is the auditor asking Ian about?

A. The ability to identify the language in which source code is written
B. The ability to identify software version numbers in a codebase
C. The ability to identify the language in which compiled code is written
D. The ability to identify open-source software in a codebase

A

Answer: D. The ability to identify open-source software in a codebase

SCA is used to determine what open-source software is in a codebase. This helps to control risks by allowing the organization to know what components may need to be updated and which may be insecure because they might otherwise be hidden in packages or installers.

18
Q

Mike’s organization has determined that it wants to use interactive application security testing (IAST) as part of its SDLC. In which stage in a typical SDLC is IAST typically performed?

A. Design
B. Code
C. Test
D. Maintain

A

Answer: C. Test

IAST typically occurs in the test or QA stage of most software development lifecycles. It helps to ensure that testing occurs earlier and that errors are found and fixed sooner. Since code needs to exist before it can be tested, it cannot happen in design, and the coding stage typically involves things like unit testing instead of interactive testing that requires a more complete application to validate. Finally, the maintenance stage of the SDLC is more likely to use vulnerability scanning tools rather than interactive testing on an ongoing basis.

19
Q

Susan wants to monitor privileged use in her database system as part of an effort to detect attacks using behavioral analysis. What tool should she recommend to her database team?

A. A CASB
B. A WAF
C. A DAM
D. An SDLC

A

Answer: C. A DAM

A DAM, or database activity monitoring tool, is a tool that combines network data and database auditing information to help identify unwanted or illicit activity. Susan’s best bet is a DAM. A cloud access security broker (CASB) is used to enforce policies on users of cloud services, a WAF is a web application firewall, and SDLC is the software development lifecycle.

20
Q

Jason wants to add traffic flow control and access control to his organization’s APIs. What security tool can he use to add this additional security layer most effectively?

A. An API gateway
B. An IPS
C. An API firewall
D. An IDS

A

Answer: A. An API gateway

API gateways are tools used to manage, monitor, and aggregate APIs, and typically have the ability to control authentication and authorization, provide traffic flow control features, and can filter based on API security best practices or rules. An IPS can be used inline to filter traffic and to prevent attacks, but they typically aren’t designed to be API aware, and thus don’t have the full set of capabilities that will meet Jason’s needs. An IDS isn’t inline and thus can’t manage traffic, and API firewalls are not common security tools.