Cloud Application Security Flashcards

1
Q

List Steps in the SDLC

A
  1. Initiation and Plan
  2. Acquisition and Development
  3. Deployment
  4. Operations and Maintenance
  5. Decommissioning
2
Q

What happens in the Initiation and Plan phase of the SDLC

A
  1. Define software and security requirements
  2. Create Software Requirements Specification (SRS)
  3. Project Plan and Costs
  4. Management Approval
3
Q

What happens in the Acquisition and Development phase of the SDLC

A

Analysis, Design and Threat Modeling
SLA/NDA
Programming and testing (code review, unit testing, static analysis)
Documentation

4
Q

What happens in the Deployment phase of the SDLC

A
  1. QA & Security Testing
  2. User Acceptance Testing
  3. Certification and Accreditation
  4. Roll-out Production
5
Q

What happens in the Operations & Maintenance phase of the SDLC

A

Auditing/Continuous Monitoring
Change Control/Change Management
Data backups

6
Q

What happens in the Decommissioning phase of the SDLC

A

Closing contracts

Data disposal

7
Q

List SDLC Frameworks

A

Microsoft’s Security Development Lifecycle
Open Web Application Security Project (OWASP)
NIST 800-64 Special Security Considerations in the System Development Lifecycle
ISO 27034-1 Information technology - Security techniques - Application security ONF/ANF

8
Q

Certification

AKA

A

Testing the features and safeguards of a system to determine if it meets the organization's requirements

Applies to custom and COTS

AKA - Assessment

9
Q

Accreditation

AKA

A

Management’s APPROVAL to DEPLOY the system into production, perhaps with special conditions (e.g. manager's authorization, seal of approval)

AKA Authorization

10
Q

Certification and Accreditation AKA

A

Assessment and Authorization

11
Q

Security System Development Lifecycle

A

The SSDLC builds security into each and every phase of the cycle

A better, more proactive approach to building secure systems and applications

12
Q

Organization Normative Framework (ONF)

A

ISO 27034

Used to help establish a framework with a security control library, required to build secure applications

Primary goal is to create seven containers that hold the policies and direction the organization uses during the development and operation of applications

13
Q

Organization Normative Framework - ONF - Containers

A
  1. Business Context - security policy, standards and best practices adopted
  2. Regulatory Context - standards, laws, and regulations that affect application security
  3. Technical Context - includes required available technologies that are applicable to application security
  4. Specification - documenting the organization's IT functional requirements and the solutions that are appropriate to address them
  5. Roles - factors related to IP applications
  6. Process - for application security
  7. Application Security Controls (ASC) Library - contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust
14
Q

Application Security Management Process (ASMP)

A

A component of ONF

Used to create, manage and maintain each Application Normative Framework (ANF)

ONF is used to produce an ANF with ASMP

Created in 5 steps:

  1. Specifying the application requirements and environment
  2. Assessing application security risks
  3. Creating and maintaining the ANF
  4. Provisioning and operating the application
  5. Auditing the security of the application
15
Q

Application Normative Framework (ANF)

A

ANF maintains the applicable portions of the ONF that are needed to enable a specific application to achieve the required level of security or the target level of trust

ONF to ANF is a one-to-many relationship

16
Q

List common Software Development Methodologies

A
  1. Waterfall - one phase completes in its entirety before you go to the next phase
  2. Spiral - Cyclical process of Requirements, Risk Analysis, Prototype, and Validation until you get to the achieved goal
  3. Agile Software Development
17
Q

List Agile Principles

A
  1. Working software delivered frequently (weeks rather than months)
  2. Welcome changing requirements (even late in development)
  3. Close daily cooperation between business and developers
  4. Continuous attention to technical excellence and good design
  5. Emphasizing teamwork
18
Q

List Agile Values

A
  1. Individuals and interactions over processes and tools
  2. Working software over comprehensive documentation
  3. Customer collaboration over contract negotiation
  4. Responding to change over following a plan
19
Q

Agile vs DevSecOps

A

Management goals for Agile are focused on completing development units called sprints

Agile divides development and operations teams and doesn’t emphasize automation, while DevSecOps combines development, operations and security and emphasizes automation

DevSecOps implements organizational change - business owners, developers, operators and security/quality assurance collaborate on the project;

DevSecOps implements cultural change - emphasizes training all team members to have a wide variety of similar and equal skills

DevSecOps - overall project deadlines and major version release benchmarks have priority, and automation is the primary goal to maximize efficiency when deploying software

20
Q

Agile Scrum Roles

A
  1. Product Owner - a person with vision for the final product - customer
  2. Scrum Master - manager/facilitator
  3. Scrum Team - developers
21
Q

Verification and Validation Model (V-Model)

A

A model like waterfall, but test planning and testing start at an earlier stage

Verification - determining through testing that what was built matches what was designed

Validation - through business analysis, determining that the application fits the needs of the organization. Often called Acceptance testing.

22
Q

Prototype Model

A

Before the start of the actual software development, a prototype is created

The prototype is demonstrated to the customer

The customer gives feedback until the prototype is accepted

23
Q

Iterative/Non-Iterative

A

Waterfall is not iterative; each phase is discrete and finalized

Spiral, Agile, and SCRUM are all iterative (incremental) models with rounds of development

24
Q

CI/CD/CD

A

method of frequently delivering apps to customers by using automation during the stages of application development

25
Q

Continuous Integration

A

new code changes to an application are regularly built and merged into a shared repository

solves the problem of too many branches of application development at the same time which may conflict

once integrated into the main body of code, static testing is performed

happens between development and testing

26
Q

Continuous Delivery

A

once static (automated) testing passes, the merged changes (i.e. the updated application) get automatically uploaded (and deployed) to a staging environment, where final, dynamic testing is performed

happens between testing and staging

27
Q

Continuous Deployment

A

once software has passed all prior testing stages, it gets automatically deployed to production

happens between staging and production

28
Q

List and describe configuration management tools

A
  1. Puppet - a configuration management system; you define the state of IT infrastructure then Puppet is used to enforce the correct state
  2. Chef - you automate how you build, deploy and manage the architecture; The Chef server stores “recipes”. A Chef client is installed on each device and checks the Chef server periodically for any new or updated policies
  3. Ansible - used for software provisioning, application deployment and configuration management

All are used to ensure application configurations are updated as needed and that application versioning is consistent

29
Q

Sandbox

A

isolates and ensures the internal components will have an appropriate separation from any remaining components or sandboxes

An environment to fully test applications by executing them and observing them for malicious activity

PaaS can be used as a sandbox for developers by placing them in an isolated environment away from production

30
Q

Software Assurance

A

encompasses the development and implementation of methods and processes for ensuring that software functions as intended, and mitigating the risks of vulnerabilities, malicious code, and defects that could bring harm to the user

utilizes the concept of testing each module to verify that it was built correctly

31
Q

Software Assurance Maturity Model (SAMM)

A

Open framework to help organizations CREATE and IMPLEMENT a STRATEGY for software SECURITY that is TAILORED to the specific RISK facing the organization.

Helps the organization to:

  1. Evaluate existing software security practices
  2. Build a software security assurance program
  3. Demonstrate improvements to the security assurance program
  4. Define and measure security-related activities
32
Q

Functional Testing

Describe

List steps

A

Compares how the application performs to the functional description and requirements outlined in the SRS. The internal logic of the system being tested is not known to the tester.

Steps:

  1. Identify functions the software is expected to perform
  2. Create input information based on the function’s specification
  3. Determine the output based on the function’s specification
  4. Execute the test case
  5. Compare the actual and expected results
33
Q

List and describe types of Application Security Testing Tools

A

Static Application Security Testing (SAST) Tools - Analyzing an application without executing the code. Analyzing the source code looking for vulnerabilities and coding errors. This is white box testing and is useful for finding XSS, SQL Injection and backdoors

Dynamic Application Security Testing (DAST) Tools - The application is executed on a system and its behavior is observed for vulnerabilities. This is black box testing and is useful to test exposed HTTP and HTML interfaces

34
Q

STRIDE

A

STRIDE Threat Model is a threat classification model to classify and categorize security threats against applications

First identify threats to an application and classify them with these STRIDE labels, asking "what would happen if":
Spoofing Identity
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Next, categorize them by understanding the criticality of the threats through DREAD:
Damage - how bad would the attack be?
Reproducibility - how easy is it to reproduce the attack?
Exploitability - how much work is it to launch an attack?
Affected users - how many people are impacted?
Discoverability - how easy is it to discover the threat?

35
Q

Runtime Application Self Protection

A

An application that possesses self-protection controls
Prevents attacks by protecting or reconfiguring itself without human intervention

AKA Self Healing

36
Q

Penetration Testing

A

A process used to collect information related to system vulnerabilities and exposures and then possibly attempt to actively exploit the vulnerabilities in a system

37
Q

What is required in order for authorization to perform ANY security testing?

A

For any form of security testing, including penetration testing, written permission must always be obtained prior to undertaking the test, and the testing scope must be determined ahead of time.

38
Q

List and describe Penetration Testing Strategies

A
  1. Zero-knowledge - Black-box from the outsider or hacker perspective
  2. Partial knowledge - Grey-box; Have some knowledge, typically have a user account. From an insider perspective; insider threats tend to have the highest impact
  3. Full knowledge - White-box; Typically have an admin account. From the system administrator perspective. This also tests equipment much more thoroughly
39
Q

List Pen Testing Steps In Order

A
  1. Discovery (Reconnaissance)
  2. Enumeration
  3. Vulnerability Mapping
  4. Exploitation (execution)
  5. Document Findings
40
Q

Describe the Pen Testing Step Discovery (Reconnaissance)

A

Research and reconnaissance e.g. Google, DNS, WHOIS, job postings, Facebook, Linkedin, dumpster diving to collect information

41
Q

Describe the Pen Testing Step Enumeration

A

Investigating or Probing the environment (mapping IPs, platforms, OS’s, ports, users, etc.)

Use tools like Nmap

42
Q

Describe the Pen Testing Step Vulnerability mapping

A
Look for vulnerabilities:
Open ports, protocols
Patches installed
Weak passwords
Any defenses in place

Use tools like Nessus, SAINT, Retina, etc

CVE - Common Vulnerabilities and Exposures - Database of all known vulnerabilities; maintained by mitre.org

43
Q

Describe the Pen Testing Step Exploitation (execution)

A

Attempt to exploit the vulnerabilities identified

e.g. seizing control of system and exfiltrating data or disabling system or pivot to other network, scorched earth

Use tools like metasploit

44
Q

Describe the Pen Testing Step Document Findings

A

Report should include:

  1. Identified problems and vulnerabilities
  2. Whether defenses worked. Was anyone aware of the pen-test activities, did they respond, and when
  3. Any recommendations
45
Q

Open Web Application Security Project (OWASP)

A

Community-driven effort to teach web developers how to make more secure web applications

46
Q

OWASP Top Ten

A
  1. Injection - injecting malicious database commands
  2. Broken Authentication - poorly implemented Authentication system
  3. Sensitive Data Exposure - not properly protecting sensitive data
  4. XML External Entities - XXE - XML problems with un-sanitized input that could lead to an attacker referencing or obtaining sensitive files, info, launching commands
  5. Broken Access Control - not properly enforcing authorization
  6. Security Misconfiguration - using default configurations, or making config mistakes
  7. Cross Site Scripting (XSS) - unauthorized scripts being placed on your website that attack users
  8. Insecure Deserialization - malicious variables are added into a string of variables and they go un-noticed on the backend during processing
  9. Using Components with Known Vulnerabilities - not updating or patching software
  10. Insufficient logging and monitoring - not reviewing log files means attacks go unnoticed
47
Q

OWASP Recommendations

A

Create a testing guide with 11 types of active security testing categories

  1. Information gathering
  2. Configuration and deployment management testing
  3. Identity Management testing
  4. Authentication testing
  5. Authorization testing
  6. Session management testing
  7. Input validation testing
  8. Testing for error handling
  9. Testing for weak cryptography
  10. Business logic testing
  11. Client-side testing
48
Q

API - Application Programming Interface

A

method for transferring information from one place to another, typically between a user and a program or between processes

Primary method to avoid vendor lock-in

49
Q

Representational State Transfer (REST)

A

API standard

an architectural style that relies exclusively on transferring data using the Internet-based URL addressing scheme

makes use of the HTTP verbs

supports many different formats: JSON, XML, YAML, etc.

encrypts externally with TLS/HTTPS

Good performance and scaling, uses caching

Widely used

50
Q

Simple Object Access Protocol (SOAP)

A

API standard

an architectural style that relies exclusively on XML to provide messaging services and makes use of a header and an envelope format that encases the message

Supports one message format: XML

Message level cryptography included

Slower performance than REST, scaling is complex, caching is not possible

Used where REST is not possible, provides WS-* features

51
Q

Containerization

A

Packaging software and all its dependencies so that it can be run uniformly and consistently on any infrastructure

Makes apps portable, scalable, more secure, and faster to deploy

52
Q

List the two popular container tools

A

Docker - a coupled SaaS and PaaS product that uses OS-level virtualization to develop and deliver software containers

Kubernetes - an open source orchestration system for automating application deployment, scaling and management

53
Q

Microservices

A

Architecture style where an application is arranged as a loose collection of different services, possibly by different providers across the cloud

Services are fine grained and the protocols are lightweight
Services are owned by small, self-contained teams
Makes applications easier to scale and faster to develop

54
Q

Serverless

A

Cloud computing model where a cloud provider allocates machine resources on demand, taking care of the servers on behalf of the customer

Developers need not be concerned with capacity planning, configuration management, maintenance or scaling of containers, VMs, or physical servers; this is all handled by the provider

55
Q

Function as a Service (FaaS)

A

Focused on the event-driven computing paradigm wherein application code, source code, and containers only run in response to events or requests

56
Q

Infrastructure as Code (IaC)

A

Automates the provisioning of infrastructure within data centers

Provides the ability to design, implement, and deploy application infrastructure with greater speed, reduced cost and automation, and to avoid human errors

It uses software definition files that are machine readable by software aware networking devices