Cloud Application Security Flashcards
List Steps in the SDLC
- Initiation and Plan
- Acquisition and Development
- Deployment
- Operations and Maintenance
- Decommissioning
What happens in the Initiation and Plan phase of the SDLC
- Define software and security requirements
- Create Software Requirements Specification (SRS)
- Project Plan and Costs
- Management Approval
What happens in the Acquisition and Development phase of the SDLC
- Analysis and Design and Threat Modeling
- SLA/NDA
- Programming and testing (code review, unit testing, static analysis)
- Documentation
What happens in the Deployment phase of the SDLC
- QA & Security Testing
- User Acceptance Testing
- Certification and Accreditation
- Roll-out Production
What happens in the Operations & Maintenance phase of the SDLC
- Auditing/Continuous Monitoring
- Change Control/Change Management
- Data backups
What happens in the Decommissioning phase of the SDLC
- Closing contracts
- Data disposal
List SDLC Frameworks
- Microsoft’s Security Development Lifecycle
- Open Web Application Security Project (OWASP)
- NIST 800-64 Special Security Considerations in the System Development Lifecycle
- ISO 27034-1 Information technology - Security techniques - Application security ONF/ANF
Certification
AKA
Testing features and safeguards of a system to determine if it meets the organization's requirements
Applies to custom and COTS
AKA - Assessment
Accreditation
AKA
Management’s APPROVAL to DEPLOY the system into production, perhaps with special conditions (e.g., manager's authorization, seal of approval)
AKA Authorization
Certification and Accreditation AKA
Assessment and Authorization
Security System Development Lifecycle
The SSDLC builds security into each and every phase of the cycle
Even better and more proactive approach to building secure systems and applications
Organization Normative Framework (ONF)
ISO 27034
Used to help establish a framework with a security control library, required to build secure applications
Primary goal is to create seven containers that contain the policies and directions the organization uses during the development and operations of applications
Organization Normative Framework - ONF - Containers
- Business Context - security policy, standards and best practices adopted
- Regulatory Context - standards, laws, and regulations that affect application security
- Technical Context - includes required available technologies that are applicable to application security
- Specification - documenting the organization's IT functional requirements and the solutions that are appropriate to address them
- Roles - factors related to IP applications
- Process - for application security
- Application Security Controls (ASC) Library - contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust
Application Security Management Process (ASMP)
A component of ONF
Used to create, manage, and maintain each Application Normative Framework (ANF)
ONF is used to produce an ANF with ASMP
Created in 5 steps:
- Specify the application requirements and environment
- Assessing application security risks
- Creating and maintaining ANF
- Provisioning and operating the application
- Auditing the security of the application
Application Normative Framework (ANF)
ANF maintains the applicable portions of the ONF that are needed to enable a specific application to achieve the required level of security or the target level of trust
ONF to ANF is a one to many relationship
List common Software Development Methodologies
- Waterfall - one process completes in its entirety before you go to the next phase
- Spiral - Cyclical process of Requirements, Risk Analysis, Prototype, and Validation until you get to the achieved goal
- Agile Software Development
List Agile Principles
- Working software delivered frequently (weeks rather than months)
- Welcome changing requirements (even late in development)
- Close daily cooperation between business and developers
- Continuous attention to technical excellence and good design
- Emphasizing teamwork
List Agile Values
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
Agile vs DevSecOps
Management goals for Agile are focused on completing development units called sprints
Agile divides development and operations teams and doesn’t emphasize automation, while DevSecOps combines development, operations and security and emphasizes automation
DevSecOps implements organizational change - business owners, developers, operators and security/quality assurance collaborate on the project
DevSecOps implements cultural change - emphasizes training all team members to have a wide variety of similar and equal skills
DevSecOps - overall project deadlines and major version release benchmarks have priority and automation is primary goal to maximize efficiency when deploying software
Agile Scrum Roles
- Product Owner - a person with vision for the final product - customer
- Scrum Master - manager/facilitator
- Scrum Team - developers
Verification and Validation Model (V-Model)
A model like waterfall, but test planning and testing start at an earlier stage
Verification - determining through testing that what was built matches what was designed
Validation - through business analysis, determining that the application fits the needs of the organization. Often called Acceptance testing.
Prototype Model
Before the start of the actual software development, a prototype is created
The prototype is demonstrated to the customer
The customer gives feedback until the prototype is accepted