Cloud Applications Flashcards
Qualitative risk analysis
is the process of rating or scoring risk based on a person’s perception of the severity and likelihood of its consequences.
Quantitative risk analysis
is the process of calculating risk based on data gathered.
What is the S.T.R.I.D.E threat model?
Spoofing Identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service, Elevation of privileges.
Spoofing Identity
illegally accessing and then using another user’s authentication information, such as username and password.
Tampering with data
involves the malicious modification of data.
Repudiation
users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations.
Information disclosure
the exposure of information to individuals who are not supposed to have access to it.
Elevation of privilege
an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
D.R.E.A.D (Risk Assessment Model)
Damage, Reproducibility, Exploitability, Affected users, Discoverability
What is D.R.E.A.D?
is part of a system for risk-assessing computer security threats that was previously used at Microsoft and is currently used by OpenStack and other corporations.
What is PTA?
PTA (Practical Threat Analysis) is a risk assessment methodology and a suite of software tools that enable users to find the most beneficial and cost-effective way to secure systems and applications according to their specific functionality and environment.
Rapid Application Development
is a form of agile software development methodology that prioritizes rapid prototype releases and iterations.
Security Systems Development Life Cycle (SecSDLC)
a methodology for the design and implementation of an information system in an organization.
OpenID
allows users to be authenticated by co-operating sites using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.
OAuth
is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords.
WS-Federation (Web Services Federation)
is an Identity Federation specification, developed by a group of companies: BEA Systems, BMC Software, CA Inc. (along with Layer 7 Technologies now a part of CA Inc.), IBM, Microsoft, Novell, HP Enterprise, and VeriSign.
web application firewall (WAF)
is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation.
XML appliance
is a special-purpose network device used to secure, manage and mediate XML traffic.
Tokenization
is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
Data masking
is the process of hiding original data with modified content (characters or other data).
SQL injection
is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Weak Authentication
Weak authentication has many facets, ranging from brute forcing of the user interface to insecure storage of the database credentials used by an application.
Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes.
Excessive privileges
If users hold privileges that exceed the requirements of their job function, these privileges may be abused by the individual or an attacker who compromises their account.
Inadequate logging and weak auditing
Logging and auditing are key to deterring and detecting misuse and enabling adequate investigation of suspected data compromise.
Denial of service
attacks from the internet can overwhelm your system regardless of the capacity of its internet connection.
Exploiting unpatched services
While up-to-date patching won’t make you secure, operating vulnerable unpatched services will significantly increase the likelihood of being compromised.
Inference Attack
is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database.
Directory Traversal attack
is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
Cross-site scripting
attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.