Chapter 7 – Cloud Application Security Flashcards
What is Forklifting?
Moving an entire application to the cloud without significant changes; often self-contained stand-alone applications.
What is Cloud-Secure SDLC?
A Software Development Lifecycle focusing on security throughout the development phases.
What is the focus during the Defining phase of SDLC?
To identify the business requirements of the application and describe aspects of the business needs.
What is developed during the Designing phase of SDLC?
User stories, interface design, and requirements for APIs.
What occurs during the Development phase of SDLC?
The phase where the code is written.
What activities are involved in the Testing phase of SDLC?
Initial penetration testing and vulnerability scanning; includes DAST and SAST.
What is Functional Testing?
Ensures the software performs its intended tasks completely and accurately.
What is Security Testing?
Ensures that the controls included in the software are working effectively.
What begins the Secure Operations phase?
When thorough testing is complete and the environment is secure.
What happens during the Disposal phase?
Software must be securely disposed of when it reaches end of life or is replaced.
What is QA (Quality Assurance)?
Management/inspection to reduce the possibility of introducing errors.
What does ISO/IEC 27034-1 Standards for Secure Application Development provide?
An approach for tracking security controls used in software and an overview of application security.
What is ONF (Organizational Normative Framework)?
A framework for all components of application security controls and best practices.
What is ANF (Application Normative Framework)?
Subsets of ONF for each specific application, sharing applicable parts needed for security.
What is the relationship between ANF and ONF?
ANF-to-ONF is one-to-one; ONF-to-ANF is one-to-many.
What is IAM (Identity and Access Management)?
About the people, processes, and procedures used to manage identities.
What is Identity Management?
The process of associating user rights with a given identity.
What is Provisioning in Identity Management?
Issuing a unique identity assertion and a password for authentication.
What does Access Management deal with?
Controlling access to resources and identifying user permissions.
What are Identity Repositories?
Stores of information or attributes of identities.
What are Directory Services?
How identities and attributes are managed; examples include X.500 and LDAP.
What is Federated Identity Management?
Used to manage identities across disparate organizations; an SSO for multiple orgs.
What is the Web of Trust Model?
Each member of the federation reviews and approves each other member for inclusion.
What is a trusted third-party model of federation (CASB)?
Outsources the review and approval task to a trusted third party.
What is SAML (Security Assertion Markup Language)?
A federation standard for communicating authentication and authorization across organizations.
What is SAML 2.0?
Standard used to pass security assertions across the internet.
What does WS-Federation allow?
Orgs to trust each other’s identity information across organizations.
What is OAuth?
Used in authorization with mobile apps to provide limited access to HTTP services.
What is OpenID Connect?
An interoperable authentication protocol based on the OAuth 2 specification.
What does Stateful Packet Inspection do?
Prevents inbound traffic unless the connection has been initiated from inside the network.
What are WAFs (Web Application Firewalls)?
Protect specific web-based applications and can protect against DoS/DDoS attacks.
What is DAM (Database Activity Monitoring)?
Protects the database from unusual requests or activity.
What are API Gateways?
Impose controls as an API proxy and implement access control.
What is an XML Gateway?
Deals with how sensitive data and services are exposed to APIs.
What is XACML (eXtensible Access Control Markup Language)?
An attribute-based access control policy language designed to express security policies.
What are APIs (Application Programming Interfaces)?
Coding components that allow applications to communicate through a web interface.
What are RESTful APIs?
Rely on stateless, client-server communication and are scalable.
What are the characteristics of RESTful APIs?
Low processing, uses simple URLs, not reliant on a single programming language.
What is SCIM (System for Cross-domain Identity Management)?
Open standard designed to manage user identity information with a RESTful API.
What is SOAP (Simple Object Access Protocol)?
Protocol specification for the exchange of structured information in web services.
What are the characteristics of SOAP?
Standards-based, reliant on XML, and has built-in error handling.
What is an SDK (Software Development Kit)?
A collection of software development tools in one package to facilitate application creation.
What is TLS (Transport Layer Security)?
Protocol to ensure privacy during communication between applications.
What is SSL (Secure Socket Layer)?
Same use as TLS, but has been replaced by TLS.
What is Whole-Instance Encryption?
Encrypts all of a system’s data at rest in one instance.
What is the STRIDE Model?
A standardized way of describing threats by their attributes.
What is CSRF (Cross-Site Request Forgery)?
Manipulates a logged-on user’s browser to send a forged HTTP request.
What is White-Box Testing?
Static Application Security Testing; reviewing the source code.
What is Black-Box Testing?
Dynamic testing of the program as it functions in runtime without reviewing source code.
What is Application Orchestration?
When two or more applications must interact to complete a business process.
What are the two approaches to Application Orchestration?
Linking elements directly or abstracting functions for distinct input/output handling.
What is Authentication?
Confirms the identity assertion belongs to the entity presenting it.