Chapter 7 - Cloud Application Security

Question 1

What is forklifting ?

Answer 1

Bringe an app into the cloud without significant changes in the code

Question 2

What are common cloud application deployment pitfalls

Answer 2

Quick Remote calls take longer in the cloud, the code is not ready And Multi tenancy can lead to e.g. information bleeding

Question 3

What are the steps of the SDLC?

Answer 3

Define, design, develop, test, secure operations and disclosure

Question 4

What is the ISO/IEC 27034 about?

Answer 4

Information technology - security techniques - application security.

Include pets of ONF and ANF related to application security . One to N relation from I to a and one to one from a to o.

Question 5

What is IAM

Answer 5

Identity and access management

Identity management is the process. Contains issuing an identity, creating a Password

Access management is about authentication, authorization , policy management, federation and Identity repositories.

Question 6

What are the two options on federated identity management?

Answer 6

Web of trust where each member reviews and approve each member… low scalability

Third party identifier where a third party takes this tasks. Third party could be CASB

Question 7

What are the roles in federated I’m

Answer 7

Identity provider and relying Parties

Question 8

What are Federation standards?

Answer 8

SAML (most used one)
WS federation
OAuth
OpenIDConnect

Question 9

What is the concept of web application firewalls

Answer 9

They are applied in addition to traditional firewalls. It knows how the application should behave and detected the smallest changes

Question 10

What is database survived monitoring DAM and deception technology

Answer 10

Piece of software that watches databases and sends alerts in case of unusual activity or requests

Deception technology is the use of WAF and DAM. Deception occurred by quietly rerouting the traffic to a database filled wir useless data to tell and enforce law

Question 11

Which technique is typically used with data in transit ?

Answer 11

SSL and Tal

Question 12

Which types of vPN exist?

Answer 12

Virtual vpn and virtual wir security

Virtual vpn hat no encryption and works with shims
Virtual with security are known as IPSec VPN and used end to end encryption

Question 13

What is whole instance encryption?

Answer 13

The entire storage is encrypted as a whole. Today with strong processors it is feasible on small smart devices. Snapshots must also be considered

Question 14

What is volume encryption

Answer 14

Just as whole instance encryption but only a certain volume is encrypted

Question 15

What is the STRIDE model?

Answer 15

Spoofing 
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privileges

It is used to address threats to an application

Question 16

What are common vulnerabilities?

Answer 16

Injection, broken authentication, cross site scripting, insecure direct object access, security misconfiguration, sensitive data exposure, missing function level access control, cross site request forgery , using components with known vulnerabilities and invalidated redirects and forwards

Question 17

What does quality of service target?

Answer 17

That security mechanisms do not increase performance to heavily

Question 18

What are vulnerability scans and penetration testing?

Answer 18

Vulnerability scanning is scanning for known vulnerabilities

Penetration testing of vulnerability scanning plus taking action and thus having an active component

Question 19

What is sast and what is dast

Answer 19

Sast is a form of what box testing where the code is reviewed whereas dast is a sort of black box testing where code is not known and the application is run to look for problems and vulnerabilities

Question 20

What does the NIST Framework for critical infrastructure cybersecurity consist of?

Answer 20

Framework core components: identify, protect, detect, respond, recover

Framework Profile: used to Assists organization align activities with business requirements

Framework implementation Tiers: identity where organization is with regard to their particular approach

Question 21

What is runtime application self-perfection?

Answer 21

It is able to reconfigure itself without human intervention. It is called Ringtone because it launches itself as the application is executed in benotet