Cloud Application Review Questions Flashcards

1
Q

List 5 NIST SDLC Phases

A

Initiation: document the enterprise architecture; identify applicable laws and regulations

Development/Acquisition: risk assessment, security control selection, cost analysis, security testing

Implementation/Assessment: user guidance, security certification and accreditation before go-live

Operations/Maintenance: configuration management and change control

Disposal (sunset): transition planning, secure disposal of data and media

2
Q

SDLC vs. S-SDLC

A
  • S-SDLC adds explicit security activities to every SDLC phase instead of testing for security only at the end
  • In the cloud the S-SDLC must also address concerns a traditional SDLC does not:
    • Loss of control: IT systems run on infrastructure the business does not own or operate
    • Trust placed in a third party
      • CSP transparency
      • Third-party audit results
    • Dependency upon network connectivity to the CSP
    • Data transmitted over the public internet (must be protected in transit)
3
Q

Top 5 OWASP 2013 Attack Vectors

A
  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References (IDOR)
  • A5 Security Misconfiguration
4
Q

Define security concerns with respect to RESTful APIs

A
  • No built-in security model: REST defines no authentication or authorization scheme, so the application must supply one
  • RESTful APIs expose back-end data directly, so every endpoint and every parameter is attack surface
  • XML/JSON messages are transmitted over HTTP and are readable and modifiable in transit unless encrypted
  • Avoid hard-coding URL parameters; never trust an identifier in the URL to decide what the caller may access
  • Use TLS for every request
  • Use multi-factor authentication for API users and administrators
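The injection and IDOR items from the OWASP card and the "never trust a URL parameter" item from the REST card both come down to the same handler mistake. The following is an added example, not code from the original flashcards: a minimal REST-style invoice lookup written twice, first trusting the URL parameter as-is, then with a parameterized query and an ownership check against the authenticated session. The invoice table, the user names and the `session_user` argument are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data set (in-memory, hypothetical invoices)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "alice", 75)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: str):
    """GET /invoices/<invoice_id> as it is often written.

    Two of the OWASP 2013 top five in one line:
      - Injection: the URL parameter is pasted into the SQL text.
      - IDOR: any caller who can guess an id can read any invoice,
        because the handler never asks who the caller is.
    """
    sql = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_secure(
    conn: sqlite3.Connection, session_user: str, invoice_id: str
) -> Optional[Tuple[int, str, int]]:
    """Hardened version of the same endpoint.

    session_user is the principal established by the API's own
    authentication layer (token, MFA, ...), not anything from the URL.
    """
    # 1. Validate the untrusted parameter against the expected type.
    try:
        iid = int(invoice_id)
    except ValueError:
        return None  # treat as "not found"; do not echo the input back

    # 2. Bind values instead of formatting them into SQL (stops injection).
    # 3. Scope the query to the authenticated owner (stops IDOR): an id that
    #    exists but belongs to someone else is indistinguishable from one
    #    that does not exist.
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (iid, session_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", get_invoice_vulnerable(db, "2"))
    print("vulnerable, injected :", get_invoice_vulnerable(db, "1 OR 1=1"))
    print("secure, own invoice  :", get_invoice_secure(db, "alice", "1"))
    print("secure, other's id   :", get_invoice_secure(db, "alice", "2"))
    print("secure, injected     :", get_invoice_secure(db, "alice", "1 OR 1=1"))
```

The injected input `1 OR 1=1` dumps every row from the vulnerable handler, while the hardened handler rejects it at type validation and, even for a well-formed id, returns nothing unless the invoice belongs to the session user. Neither check replaces TLS or MFA from the card above; they sit behind those controls and protect the endpoint once a request has been authenticated.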
5
Q

Federated Identity and SSO

A
  • Federated Identity
    • Centralized, trusted identity provider (IdP)
    • Users hold a single set of credentials, held only by the IdP
    • Applications (relying parties) are configured to trust assertions from the identity provider instead of storing passwords themselves
  • Single Sign-On is a sub-set of federation: one authentication to the identity provider permits access to numerous applications or systems