Cloud Application Security

Question 1

List Steps in the SDLC

Answer 1

1. Initiation and Plan
2. Acquisition and Development
3. Deployment
4. Operations and Maintenance
5. Decommissioning

Question 2

What happens in the Initiation and Plan phase of the SDLC

Answer 2

1. Define software and security requirements
2. Create Software Requirements Specification (SRS)
3. Project Plan and Costs
4. Management Approval

Question 3

What happens in the Acquisition and Development and Plan phase of the SDLC

Answer 3

Analysis and Design and Thread Modeling
SLA/NDA
Programming and testing (code review, unit testing, static analysis)
Documentation

Question 4

What happens in the Deployment phase of the SDLC

Answer 4

1. QA & Security Testing
2. User Acceptance Testing
3. Certification and Accreditation
4. Roll-out Production

Question 5

What happens in the Operations & Maintenance phase of the SDLC

Answer 5

Auditing/Continuous Monitoring
Change Control/Change Management
Data backups

Question 6

What happens in the Decommissioning phase of the SDLC

Answer 6

Closing contracts

Data disposal

Question 7

List SDLC Frameworks

Answer 7

Microsoft’s Security Development Lifecycle
Open Web Application Security Project (OWASP)
NIST 800-64 Special Security Considerations in the System Development Lifecycle
ISO 27034-1 Information technology - Security techniques - Application security ONF/ANF

Question 8

Certification

AKA

Answer 8

Testing features and safeguards of a system to determine if it meets the organizations requirements

Applies to custom and COTS

AKA - Assessment

Question 9

Accreditation

AKA

Answer 9

Management’s APPROVAL to DEPLOY the system into production, perhaps with special conditions (e.g managers authorization, seal of approval)

AKA Authorization

Question 10

Certification and Accreditation AKA

Answer 10

Assessment and Authorization

Question 11

Security System Development Lifecycle

Answer 11

The SSDLC builds security into each and every phase of the cycle

Even better and more proactive approach to building secure systems and applications

Question 12

Organization Normative Framework (ONF)

Answer 12

ISO 27034

Used to help establish a framework with a security control library, required to build secure applications

Primary goal is to create seven containers that contain the policies and directions the organization uses during the development of operations of applications

Question 13

Organization Normative Framework - ONF - Containers

Answer 13

1. Business Context - security policy, standards and best practices adopted
2. Regulatory Context - standards, laws, and regulations that affect application security
3. Technical Context - includes required available technologies that are applicable to application security
4. Specification - documenting the organizations IT functional requirements and the solution that are appropriate to address them
5. Roles - factors related to IP applications
6. Process - for application security
7. Application Security Controls (ACS) Library - contains the approved controls that are required to protect an application based on the identified threats, the context, and the targeted level of trust

Question 14

Application Security Management Process (ASMP)

Answer 14

A component of ONF

Used to create, manage, maintain each Application Normative Framework (ANF)

ONF is used to produce an ANF with ASMP

Created in 5 steps:

1. Specify the application requirements and environment
2. Accessing application security risks
3. Creating and maintaining ANF
4. Provisioning and operating the application
5. Auditing the security of the application

Question 15

Application Normative Framework (ANF)

Answer 15

ANF maintains the applicable portions of the ONF that are needed to enable a specific application to achieve the required level of security or the target level of trust

ONF to ANF is a one to many relationship

Question 16

List common Software Development Methodologies

Answer 16

1. Waterfall - one process completes in its entirety before you go the next phase
2. Spiral - Cyclical process of Requirements, Risk Analysis, Prototype, and Validation until you get to the achieved goal
3. Agile Software Development

Question 17

List Agile Principles

Answer 17

1. Working software delivered frequently (weeks rather that months
2. Welcome changing requirements (even late in development)
3. Close daily cooperation between business and developers
4. Continuous attention to technical excellence and good design
5. Emphasizing teamwork

Question 18

List Agile Values

Answer 18

1. Individuals and interactions over processes and tools
2. Working software over comprehensive documentation
3. Customer collaboration over contract negotiation
4. Responding to change over following a plan

Question 19

Agile vs DevSecOps

Answer 19

Management goal for Agile are focused on completing development units called sprints

Agile divides development and operations teams and doesn’t emphasize automation, while DevSecOps combines development, operations and security and emphasizes automation

DevSecOps implements organizational change - business owners, developers, operators and security/quality assurance collaborate on the project;

DevSecOps implements cultural change - emphasizes training all team members to have wide variety of similar and equal skills

DevSecOps - overall project deadlines and major version release benchmarks have priority and automation is primary goal to maximize efficiency when deploying software

Question 20

Agile Scrum Roles

Answer 20

1. Product Owner - a person with vision for the final product - customer
2. Scum Master - manager/facilitator
3. Scrum Team - developers

Question 21

Verification and Validation Model (V-Model)

Answer 21

A model like waterfall but test planning and testing start at the earlier stage

Verification - determining through testing that what was built matches what was designed

Validation - through business analysis, determining that the application fits the needs of the organization. Often called Acceptance testing.

Question 22

Prototype Model

Answer 22

Before the start of the actual software development, a prototype is created

The prototype is demonstrated to the customer

The customer gives feedback until the prototype is accepted

Question 23

Iterative/Non-Iterative

Answer 23

Waterfall is not iterative, each phase is discrete and finalized

Spiral, Agile, and SCRUM are all iterative (incremental) models with rounds of development

Question 24

CI/CD/CD

Answer 24

method of frequently deliver apps to customers by using automation during the stages of application development

Question 25

Continuous Integration

Answer 25

new code changes to an application are regularly built and merged into a shared repository

solves the problem of too many branches of application development at the same time which may conflict

once integrated into the main body of code static testing is performed

happens between development and testing

Question 26

Continuous Delivery

Answer 26

once static (automated) testing passes, the merged changes (e.g. updated application) gets automatically uploaded (and deployed) to staging environment, where final, dynamic testing is performed

happens between testing and staging

Question 27

Continuous Deployment

Answer 27

once software has passed all prior testing stages, it gets automatically deployed to production

happens between staging and production

Question 28

List and describe configuration management tools

Answer 28

1. Puppet - a configuration management system; you define the state of IT infrastructure then Puppet is used to enforce the correct state
2. Chef - you automate how you build, deploy and manage the architecture; The Chef server stores “recipes”. A Chef client is installed on each device and checks the Chef server periodically for any new or updated policies
3. Ansible - used for software provisioning, application deployment and configuration management

All are used to ensure application configurations are updated as needed and consistency in application versioning

Question 29

Sandbox

Answer 29

isolates and ensures the internal components will have an appropriate separation from any remaining components or sandboxes

An environment to fully test applications by executing them and observing them for malicious activity

PaaS can be used as a sandbox for developers by placing them in an isolated environment away from production

Question 30

Software Assurance

Answer 30

encompasses the development implementation of methods and process for ensuring that software functions as intended and mitigating the risks of vulnerabilities, malicious code, and defects that could bring harm to the user

utilizes a concept of testing each module to verify if it was built correctly

Question 31

Software Assurance Maturity Model (SAMM)

Answer 31

Open framework to help organizations CREATE and IMPLEMENT a STRATEGY for software SECURITY that is TAILORED to the specific RISK facing the organization.

Helps the organization to:

1. Evaluating existing software security practices
2. Building a software security assurance program
3. Demonstrate improvements to your security assurance program
4. Define and measure security related activities

Question 32

Functional Testing

Describe

List steps

Answer 32

Compares how the application performs to the functional description and requirements outlined in the SRS. The internal logic of the system being tested is not known to the tester.

Steps:

1. Identify functions the software is expected to perform
2. Create input information based on the function’s specification
3. Determine the output based on the function’s specification
4. Execute the test case
5. Compare the actual and expected results

Question 33

List and describe types of Application Security Testing Tools

Answer 33

Static Application Security Testing (SAST) Tools - Analyzing an application without executing the code. Analyzing the source code looking for vulnerabilities and coding errors. This is white box testing and is useful for XSS, SQL Injection and Backdoors

Dynamic Application Security Testing (DAST) Tools - The application is executed on a system and its behavior is observed for vulnerabilities. This black box testing and is useful to test exposed HTTP and HTML interfaces

Question 34

STRIDE

Answer 34

STRIDE Threat Model is a threat classification model to classify and categorize security threats against applications

First identify threats to an application and classify them with these SRIDE labels, asking "what would happen if"
Spoofing Identity
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Next, categorize them by understanding the criticality of the threats through DREAD:
Damage - how bad would the attack be?
Reproducibility - how easy is it to reproduce the attack?
Exploitability - how much work is it to launch an attack?
Affected users - how many people are impacted?
Discoverability - how easy is it to discover the threat?

Question 35

Runtime Application Self Protection

Answer 35

An application that possesses self protection controls
Prevents attacks by self protecting or reconfiguring without human intervention

AKA Self Healing

Question 36

Penetration Testing

Answer 36

A process used to collect information related to system vulnerabilities and exposures and then possibly attempt to actively exploit the vulnerabilities in a system

Question 37

What is required in order for authorization to perform ANY security testing?

Answer 37

Any form of security testing including penetration testing, written permission must always be obtained prior to undertaking the test and the testing scope must be determined ahead of time.

Question 38

List and describe Penetration Testing Strategies

Answer 38

1. Zero-knowledge - Black-box from the outsider or hacker perspective
2. Partial knowledge - Grey-box; Have some knowledge, typically have a user account. From an insider perspective; insider threats tend to have the highest impact
3. Full knowledge - White-box; Typically have an admin account. From the system administrator perspective. Also this test equipment much more thoroughly

Question 39

List Pen Testing Steps In Order

Answer 39

1. Discovery (Reconnaissance)
2. Enumeration
3. Vulnerability Mapping
4. Exploitation (execution)
5. Document Findings

Question 40

Describe the Pen Testing Step Discovery (Reconnaissance)

Answer 40

Research and reconnaissance e.g. Google, DNS, WHOIS, job postings, Facebook, Linkedin, dumpster diving to collect information

Question 41

Describe the Pen Testing Step Enumeration

Answer 41

Investigating or Probing the environment (mapping IPs, platforms, OS’s, ports, users, etc.)

Use tools like Nmap

Question 42

Describe the Pen Testing Step Vulnerability mapping

Answer 42

Look for vulnerabilities:
Open ports, protocols
Patches installed
Weak passwords
Any defenses in place

Use tools like Nessus, SAINT, Retina, etc

CVE - Common Vulnerability and Exposure - Database of all known vulnerabilities; maintained by mitre.org

Question 43

Describe the Pen Testing Step Exploitation (execution)

Answer 43

Attempt to exploit the vulnerabilities identified

e.g. seizing control of system and exfiltrating data or disabling system or pivot to other network, scorched earth

Use tools like metasploit

Question 44

Describe the Pen Testing Step Document Findings

Answer 44

Report should include:

1. Identified problems and vulnerabilities
2. Whether defenses worked. Was anyone aware of the pen-test activities, did they respond, when
3. Any recommendations

Question 45

Open Web Application Security Project (OWASP)

Answer 45

Community driven effort to teach web developers how to make more secure web applications

Question 46

OWASP Top Ten

Answer 46

1. Injection - injecting malicious database commands
2. Broken Authentication - poorly implemented Authentication system
3. Sensitive Data Exposure - not properly protecting sensitive data
4. XML External Entities - XXE - XML problems with un-sanitized input that could lead to an attacker referencing or obtaining sensitive files, info, launching commands
5. Broken Access Control - not properly enforcing authorization
6. Security Misconfiguration - using default configurations, or making config mistakes
7. Cross Site Scripting (XSS) - unauthorized scripts being placed on your website that attacks users
8. Insecure Deserialization - malicious variables are added into a string of variables and they go un-noticed on the backend during processing
9. Using Components with Known Vulnerabilities - not updating or patching software
10. Insufficient logging and monitoring - not reviewing log files means attacks go unnoticed

Question 47

OWASP Recommendations

Answer 47

Create a testing guide with 11 types of active security testing categories

1. Information gathering
2. Configuration and deployment management testing
3. Identity Management testing
4. Authentication testing
5. Authorization testing
6. Session management testing
7. Input validation testing
8. Testing for error handling
9. Testing for weak cryptography
10. Business logic testing
11. Client-side testing

Question 48

API - Application Programming Interface

Answer 48

method for transferring information from one place to another typically between a user and a program or between process to process

Primary method to avoid vendor lock in

Question 49

Representational State Transfer (REST)

Answer 49

API standard

an architecture style that relies exclusively on transferring data using Internet based UrL addressing scheme

makes use of the HTTP verbs

supports many different formats: JSON, XML, YAML, etc.

encrypts externally with TLS/HTTPS

Good performance and scaling, uses caching

Widely used

Question 50

Simple Object Access Protocol (SOAP)

Answer 50

API standard

an architectural style that relies exclusively on XML to provide messaging services and makes use of header and an envelop format that encases the message

Supports one message format: XML

Message level cryptography included

Slower performance that REST, scaling is complex, caching is not possible

Used where REST is not possible, provides WS-* features

Question 51

Containerization

Answer 51

Packing up software and all its dependencies so that it can be run uniformly and consistently on any infrastructure

Makes apps portable, scalable, more secure, and faster to deploy

Question 52

List the two popular container tools

Answer 52

Docker - a coupled SaaS and PaaS product that uses OS-level virtualization to develop and deliver software containers

Kubernetes - an open source orchestration system for automating application deployment, scaling and management

Question 53

Microservices

Answer 53

Architecture style where an application is arranged as a loose collection of different services, possibly by different providers across the cloud

Services are fine grained and the protocols are lightweight
Services are owned by small, self contained teams
Makes applications easier to scale and faster to develop

Question 54

Serverless

Answer 54

Cloud computing model where a cloud provider allocates machine resources on demand, taking care of the servers on behalf of the customer

Developers need not be concerned with capacity planning, configuration management, maintenance or scaling of containers, VMs, or physical servers; this is all handled by the provider

Question 55

Function as a Service (FaaS)

Answer 55

Focused on the event-driven computing paradigm wherein application code, source code, and containers only run in response to events or requests

Question 56

Infrastructure as Code (IaC)

Answer 56

Automates the provisioning of infrastructure within data centers

Provides the ability to design, implement, and deploy application infrastructure with greater speed, reduction of cost and automation and avoid human errors

It uses software definition files that are machine readable by software aware networking devices