Chapter 7 - Cloud Application Security Flashcards
What is forklifting?
Bringing an app into the cloud without significant changes to the code
What are common cloud application deployment pitfalls?
Quick remote calls take longer in the cloud, the code is not ready, and multi-tenancy can lead to e.g. information bleeding
What are the steps of the SDLC?
Define, design, develop, test, secure operations and disclosure
What is ISO/IEC 27034 about?
Information technology - security techniques - application security.
Includes parts of the ONF (Organizational Normative Framework) and ANF (Application Normative Framework) related to application security. One-to-N relation from ONF to ANF and one-to-one from ANF to ONF.
What is IAM?
Identity and access management
Identity management is the process that includes issuing an identity and creating a password.
Access management is about authentication, authorization, policy management, federation and identity repositories.
What are the two options for federated identity management?
Web of trust, where each member reviews and approves every other member; low scalability
Third-party identifier, where a third party takes over these tasks. The third party could be a CASB
What are the roles in federated identity management?
Identity provider and relying parties
What are federation standards?
SAML (the most used one)
WS-Federation
OAuth
OpenID Connect
What is the concept of web application firewalls?
They are applied in addition to traditional firewalls. A WAF knows how the application should behave and detects the smallest changes
What is database activity monitoring (DAM) and deception technology?
A piece of software that watches databases and sends alerts in case of unusual activity or requests
Deception technology is the use of WAF and DAM. Deception occurs by quietly rerouting the traffic to a database filled with useless data and informing law enforcement
Which technique is typically used with data in transit?
SSL and TLS
Which types of VPN exist?
Virtual VPN and virtual VPN with security
Virtual VPN has no encryption and works with shims
Virtual VPN with security is known as IPsec VPN and uses end-to-end encryption
What is whole instance encryption?
The entire storage is encrypted as a whole. Today, with strong processors, it is feasible on small smart devices. Snapshots must also be considered
What is volume encryption?
Just as with whole instance encryption, but only a certain volume is encrypted
What is the STRIDE model?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
It is used to address threats to an application
What are common vulnerabilities?
Injection, broken authentication, cross-site scripting, insecure direct object access, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities and unvalidated redirects and forwards
What does quality of service target?
That security mechanisms do not impact performance too heavily
What are vulnerability scans and penetration testing?
Vulnerability scanning is scanning for known vulnerabilities
Penetration testing is vulnerability scanning plus taking action, and thus has an active component
What is SAST and what is DAST?
SAST is a form of white box testing where the code is reviewed, whereas DAST is a sort of black box testing where the code is not known and the application is run to look for problems and vulnerabilities
What does the NIST Framework for Critical Infrastructure Cybersecurity consist of?
Framework Core components: identify, protect, detect, respond, recover
Framework Profile: used to assist organizations in aligning activities with business requirements
Framework Implementation Tiers: identify where the organization is with regard to its particular approach
What is runtime application self-protection (RASP)?
It is able to reconfigure itself without human intervention. It is called runtime because it launches itself as the application is executed