Chapter 7 – Cloud Application Security

Question 1

What is Forklifting?

Answer 1

Moving an entire application to the cloud without significant changes; often self-contained stand-alone applications.

Question 2

What is Cloud-Secure SDLC?

Answer 2

A Software Development Lifecycle focusing on security throughout the development phases.

Question 3

What is the focus during the Defining phase of SDLC?

Answer 3

To identify the business requirements of the application and describe aspects of the business needs.

Question 4

What is developed during the Designing phase of SDLC?

Answer 4

User stories, interface design, and requirements for APIs.

Question 5

What occurs during the Development phase of SDLC?

Answer 5

The phase where the code is written.

Question 6

What activities are involved in the Testing phase of SDLC?

Answer 6

Initial penetration testing and vulnerability scanning; includes DAST and SAST.

Question 7

What is Functional Testing?

Answer 7

Ensures the software performs its intended tasks completely and accurately.

Question 8

What is Security Testing?

Answer 8

Ensures that the controls included in the software are working effectively.

Question 9

What begins the Secure Operations phase?

Answer 9

When thorough testing is complete and the environment is secure.

Question 10

What happens during the Disposal phase?

Answer 10

Software must be securely disposed of when it reaches end of life or is replaced.

Question 11

What is QA (Quality Assurance)?

Answer 11

Management/inspection to reduce the possibility of introducing errors.

Question 12

What does ISO/IEC 27034-1 Standards for Secure Application Development provide?

Answer 12

An approach for tracking security controls used in software and an overview of application security.

Question 13

What is ONF (Organizational Normative Framework)?

Answer 13

A framework for all components of application security controls and best practices.

Question 14

What is ANF (Application Normative Framework)?

Answer 14

Subsets of ONF for each specific application, sharing applicable parts needed for security.

Question 15

What is the relationship between ANF and ONF?

Answer 15

ANF-to-ONF is one-to-one; ONF-to-ANF is one-to-many.

Question 16

What is IAM (Identity and Access Management)?

Answer 16

About the people, processes, and procedures used to manage identities.

Question 17

What is Identity Management?

Answer 17

The process of associating user rights with a given identity.

Question 18

What is Provisioning in Identity Management?

Answer 18

Issuing a unique identity assertion and a password for authentication.

Question 19

What does Access Management deal with?

Answer 19

Controlling access to resources and identifying user permissions.

Question 20

What are Identity Repositories?

Answer 20

Stores of information or attributes of identities.

Question 21

What are Directory Services?

Answer 21

How identities and attributes are managed; examples include X.500 and LDAP.

Question 22

What is Federated Identity Management?

Answer 22

Used to manage identities across disparate organizations; a SSO for multiple orgs.

Question 23

What is the Web of Trust Model?

Answer 23

Each member of the federation reviews and approves each other member for inclusion.

Question 24

What is a trusted third-party model of federation (CASB)?

Answer 24

Outsources the review and approval task to a trusted third party.

Question 25

What is SAML (Security Assertion Markup Language)?

Answer 25

A federation standard for communication authentication and authorization across organizations.

Question 26

What is SAML 2.0?

Answer 26

Standard used to pass security assertions across the internet.

Question 27

What does WS-Federation allow?

Answer 27

Orgs to trust each other’s identity information across organizations.

Question 28

What is OAuth?

Answer 28

Used in authorization with mobile apps to provide limited access to HTTP services.

Question 29

What is OpenID Connect?

Answer 29

An interoperable authentication protocol based on OAuth 2 specification.

Question 30

What does Stateful Packet Inspection do?

Answer 30

Prevents inbound traffic unless the connection has been initiated from inside the network.

Question 31

What are WAFs (Web Application Firewalls)?

Answer 31

Protect specific web-based applications and can protect against DoS/DDoS attacks.

Question 32

What is DAM (Database Activity Monitoring)?

Answer 32

Protects the database from unusual requests or activity.

Question 33

What are API Gateways?

Answer 33

Impose controls as an API proxy and implement access control.

Question 34

What is an XML Gateway?

Answer 34

Works around how sensitive data and services are exposed to APIs.

Question 35

What is XACML (eXtensible Access Control Markup Language)?

Answer 35

An attribute-based access control policy language designed to express security policies.

Question 36

What are APIs (Application Programming Interfaces)?

Answer 36

Coding components that allow applications to communicate through a web interface.

Question 37

What are RESTful APIs?

Answer 37

Relies on stateless, client-server communications and is scalable.

Question 38

What are the characteristics of RESTful APIs?

Answer 38

Low processing, uses simple URLs, not reliant on a single programming language.

Question 39

What is SCIM (System for Cross-domain Identity Management)?

Answer 39

Open standard designed to manage user identity information with a RESTful API.

Question 40

What is SOAP (Simple Object Access Protocol)?

Answer 40

Protocol specification for the exchange of structured information in web services.

Question 41

What are the characteristics of SOAP?

Answer 41

Standards-based, reliant on XML, and has built-in error handling.

Question 42

What is SDK (Software Development Kits)?

Answer 42

A collection of software development tools in one package to facilitate application creation.

Question 43

What is TLS (Transport Layer Security)?

Answer 43

Protocol to ensure privacy during communication between applications.

Question 44

What is SSL (Secure Socket Layer)?

Answer 44

Same use as TLS, but has been replaced by TLS.

Question 45

What is Whole-Instance Encryption?

Answer 45

Encrypts all system’s data at rest in one instance.

Question 46

What is the STRIDE Model?

Answer 46

A standardized way of describing threats by their attributes.

Question 47

What is CSRF (Cross-Site Request Forgery)?

Answer 47

Manipulates a logged-on user’s browser to send a forged HTTP request.

Question 48

What is White-Box Testing?

Answer 48

Static Application Security Testing; reviewing the source code.

Question 49

What is Black-Box Testing?

Answer 49

Dynamic testing of the program as it functions in runtime without reviewing source code.

Question 50

What is Application Orchestration?

Answer 50

When two or more applications must interact to complete a business process.

Question 51

What are the two approaches to Application Orchestration?

Answer 51

Linking elements directly or abstracting functions for distinct input/output handling.

Question 52

What is Authentication?

Answer 52

Confirms the identity assertion belongs to the entity presenting it.