Cloud Application Security

Question 1

What are the different deployment Models for the cloud?

Answer 1

Public, Private, Community, Hybrid

Question 2

What are the different SDLC phases?

Answer 2

Defining, Designing, Development, Testing, Secure Operations, Disposal

Question 3

What is a Secure Application Development Standard?

Answer 3

ISO/IEC 27034-1, you have the following categories: Business Contet, Regulatory Context, Technical Context, Specifications, Roles, Reponsibilities and Qualifications, Processes, Application Security Control Library. ANF versus ONF. Every application has and ANF that maps back to the ONH. One ONH has many ANF, but the ANF has only one ONF

Question 4

What are the Ps for IAM

Answer 4

People, processes, procedures

Question 5

IAM elements?

Answer 5

Authentication, Authorization, User Management, Central User Repository

Question 6

Name widely used directory serices

Answer 6

X.500 and LDAP, A, Novell eDirecotry

Question 7

Name the different type of federation services and explain

Answer 7

1) Web-of-Trust Model: each member of the deferations has to review and approve each other member for inclusing in the federeations
2) third party identifier: third party approves on behave of the members

Question 8

What is an identify provider?

Answer 8

Party that validates users, provisioings user IDs and psws, deprovisioning them

Question 9

What is a relying party

Answer 9

Any member of the federation that shares resources based on authenticated identities

Question 10

Name the federation standards which are in use

Answer 10

Security Assertion Makeup Language (SAML): xml based and consists of a framework for communicating authentication, authorization or entitlemnet information and attribute information across organisations.
WS-Federation: realms to explain capabilities to allow organisations to trust each other identify information across organisations
Oauth: often used in authorization with mobile apps, the OAuth frameowrk provides third-part applications limited acccess to HTTP services
OpenID Connect: based on Oauth2. It allows developers to authenitcate their users accross websites and applicationsw ithout having to manage usernames and passwords.

Question 11

What are the two type of APIs in the cloud?

Answer 11

RESTful APIs and SOAP APis

Question 12

Describe what a RESTful API is

Answer 12

Is scalable and suitable for web-based application, light weighed, it uses simple urls, it is not reliant on XML, it outputs in many formats (CSV, JSON), it is efficeint, smaller mesgs than XML,

Question 13

In which situations doest RESTfull API work best?

Answer 13

situations where bandwidth is limited, when stateless operations are used, when caching is needed

Question 14

Describe what a SOAP API is

Answer 14

protocol to provide exchange of structuerd ifnormation or data in web services. Works over other protocols such as SMTP, FTP and HTTP, characteristics are standards-based, reliant on XML, highli intolerat of errors, slower, built-in error handling

Question 15

In which situations doest SOAP work best?

Answer 15

asynchronous processing, format contracts and statefull operations

Question 16

WAF - can they stop DDOS

Answer 16

Yes they can

Question 17

At which layer does a WAF (Web application firewall) filter data?

Answer 17

Layer 7

Question 18

At what layer does database activity monitoring filter?

Answer 18

Layer 7, it stops malicious CMDS being executed on the SQL server, it is network based,

Question 19

What are XML gateways

Answer 19

it is installed as a proxy or specific part of the application stack, it can help with access control, loggin and security filtering

Question 20

How can we best protect data in transit?

Answer 20

SSL/TLS, IPSEC, VPN

Question 21

How can we best protect data at rest?

Answer 21

Encrypt whole instance, volume, file/directory,

Question 22

How can we best protect data while in use?

Answer 22

Homomorphic encryption

Question 23

Describe TLS encryption

Answer 23

it used to ensure privacy when communication between applications

Question 24

Describe SSL

Answer 24

SSL was deprecated in 2015 but is still in use today

Question 25

Describe VPN

Answer 25

used by remote workers to securely access data on their companys internal networks

Question 26

What two type of VPNS exist?

Answer 26

Virtual and Virtual with Secuity. The first is that you still iee in the Multiprotocol Lbale Swithcing (MPLS). Furthermore, an encrypted PN should technically be referred to as an IPSec VPN. It has encryption end-to-end

Question 27

What is sandboxing related to cloud security?

Answer 27

concept o a protected area being ultilized for testing untested or untrusted code or to better understand if an application is working the way it was intended to work. These sandboxes are usually protected areas in memory that will not allow processes of any kind to run outside the environment or allow access inside from any other application or process.

Question 28

t.a.v. web application seurity testing, kan je STRIDE beschrijven?

Answer 28

STRIDE stands for Spoofing (impersonation such as IP or user spoofing), Tampering (with data output, data input or data that is stored), Repudiation (whtn the inability to deny ones action has been compromised), Information Disclosure (als data leakage), Denial of Service, Elevation of Privilege.

Stride is usefull in the SDLC to identify vulernabilities throughout the build processes.

Question 29

What is Cross-Site Scriptiong (XSS)

Answer 29

XSS is one of the most widely seen applications flaws. XSS occurs when an application allows untrsted data to be sent to a web browser without propoer validation or escaping. This then allows the malicious user to execute ode or hijack sessions in the users browser.

Question 30

What is Insecure Diret Object Access

Answer 30

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Question 31

What is Cross-Site Request Forger CSRF

Answer 31

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request

Question 32

Describe the CSA Notorius nigh for risks for web application development

Answer 32

Data Loss, Data breaches, account takeover or hijacking, insecure APIs, DoS, insider threats, abuse of cloud services, insufficent due diligence, shared technology issues

Question 33

In cloud model what dos QoS (Quality of Service) mean?

Answer 33

the idea of ensuring that you do not over-control your enviornment with security measure that degrade your application’s performance

Question 34

Describe SAST testing (static application security testing

Answer 34

white box, gefocused op code, offline

Question 35

Describe DAST testing (dynamics application security testing

Answer 35

blackbox, analyses code whle running, comibing DAST with SAST is the best (to hit black spots, SQL injecting, ccs, ldap injpection etc)

Question 36

Data masking, what is it?

Answer 36

a method for creating similar but ineuthentic datasets used for software testing and user training