Domain 10: Application Security Flashcards

1
Q

Which incentive drives cloud providers to create higher baseline security for the application environment than a traditional environment?
A. celebratory
B. financial
C. emotional
D. honor

A

Answer: B
Cloud providers are typically operated for profit; higher security increases market share and helps retain customers. See pages 108-109 of the CSA Cloud Security Guidance v4.
If you have a provider that is motivated by emotions, find another provider. Honor is not typically found as an incentive for provider performance. “Celebratory” has no meaning here, and is only used as a distractor.

2
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. responsiveness
B. physical centralization
C. single point of failure
D. hardware homogeneity

A

Answer: A
Security measures in the cloud may be more responsive than their counterparts in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Physical centralization is a characteristic of the traditional environment, whereas cloud computing is typically distributed. Single points of failure are not benefits to a security program; they increase risk. Cloud environments are not typically homogeneous in terms of the underlying hardware, and they instead tend to be vendor neutral.

3
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. cross-jurisdictional
B. isolated environments
C. single set of credentials
D. impenetrable physical security

A

Answer: B
Cloud environments offer the ability to easily and inexpensively create entire distinct application stacks, such that if one were compromised by an attacker, the others would remain untouched. See page 109 of the CSA Cloud Security Guidance v4.
When cloud providers/customers span jurisdictions, this may actually create risk, not a security opportunity. Having a single set of credentials is incredibly risky, and not recommended. There is no such thing as impenetrable physical security (or impenetrable logical or digital security, for that matter).

4
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. regulatory capture
B. corporate financing
C. independent virtual machines
D. Internet connectivity

A

Answer: C
In a traditional environment, the cost and complexity of physical hosts often result in organizations putting multiple applications/datasets on the same physical device; in the cloud, the ease of deployment and hardening and the reduced cost of virtual machines allow the customer to deploy individual applications on single-purpose virtual machines. See page 109 of the CSA Cloud Security Guidance v4.
Regulatory capture is an undesirable situation where the regulated entity subverts the regulator. Corporate financing is not a security advantage. Internet connectivity actually poses risk to the environment.

5
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. elasticity
B. remote access
C. shared responsibilities
D. coercion

A

Answer: A
Elasticity allows autoscaling of the cloud environment while ensuring that all newly created workloads have the same baseline security configurations. See page 109 of the CSA Cloud Security Guidance v4.
Remote access and shared responsibilities, which are intrinsic to the cloud environment, actually pose risks, not benefits. Coercion is an undesirable situation, but the term has no meaning in this context, and is used here only as a distractor.

6
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. waterfall
B. spiral
C. angle
D. DevOps

A

Answer: D
As a software development approach, DevOps offers opportunities for applying security early in the development process. While not unique to the cloud, DevOps is ideally suited to that environment. See page 109 of the CSA Cloud Security Guidance v4.
Waterfall and spiral are software development models that don’t necessarily facilitate early inclusion of security, and are not particularly applicable to the cloud. “Angle” has no meaning in this context and is used here as a distractor.

7
Q

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. reverse identity
B. unified interface
C. shared responsibilities
D. provider administration

A

Answer: B
Traditional environments are typified by administration/configuration/monitoring that requires login and management of many disparate systems, creating opportunities for human error. Cloud computing typically offers a single, simplified interface for all administrative activity, streamlining security activities. See page 109 of the CSA Cloud Security Guidance v4.
“Reverse identity” has no meaning, and is used here only as a distractor. Shared responsibilities and provider administration are actually risks associated with the cloud environment.

8
Q

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. the use of software
B. limited detailed visibility
C. users
D. physical security

A

Answer: B
The cloud user will typically have less access to log data and other monitoring capabilities than in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Software is used in both the traditional and cloud environments; users exist in both situations, too. Cloud customers will typically have less of a challenge with physical security, because that is the responsibility of the provider.

9
Q

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. increased application scope
B. increased price of services
C. lack of processing power
D. limited number of providers

A

Answer: A
The security of the management plane will directly affect the security of any and all applications in the cloud environment. See page 110 of the CSA Cloud Security Guidance v4.
Typically, the price of services is decreased and the availability of processing power is increased in the cloud environment. There are many cloud providers, and more being created every day.

10
Q

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. arbitrary enforcement
B. binary data
C. changing threat models
D. deletion of files

A

Answer: C
Customers in a cloud environment must consider additional threat vectors/risks not normally associated with traditional IT environments, such as whatever responsibilities are assigned to the provider. See page 110 of the CSA Cloud Security Guidance v4.
“Arbitrary enforcement” has no meaning in this context, and is only used here as a distractor. Data is in binary form in both the traditional and cloud environments; files can be deleted in both, as well.

11
Q

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. reduced price
B. reduced remote access capability
C. reduced storage capacity
D. reduced transparency

A

Answer: D
Cloud customers will typically have less insight into measures used to protect the environment, compared to the traditional environment. See page 110 of the CSA Cloud Security Guidance v4.
Reduced price is not a security challenge; it is a business opportunity. Both storage capacity and remote access capability are typically increased in the cloud environment.

12
Q

Which of the following is not one of the CSA’s “meta-phases” used to describe the secure software development lifecycle (SSDLC) for the cloud environment?
A. secure design and development
B. secure testing
C. secure deployment
D. secure operations

A

Answer: B
This is not one of the CSA’s SSDLC “meta-phases”; all the other answers are. According to these “meta-phases,” testing is included in the Secure Deployment meta-phase. See page 111 of the CSA Cloud Security Guidance v4.

13
Q

Cloud computing affects __________ phase(s) of the secure software development lifecycle (SSDLC).
A. many
B. one
C. the secure operations
D. all

A

Answer: D
Cloud computing affects every aspect of the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.

14
Q

One of the reasons cloud computing affects the secure software development lifecycle (SSDLC).
A. the shared responsibilities model
B. cloud entails operational expenditures instead of capital expenditures
C. regulatory mandates
D. only one SSDLC framework exists for cloud software development

A

Answer: A
Reliance on an external entity (the cloud provider) will affect how developers approach software creation. See page 111 of the CSA Cloud Security Guidance v4.
OpEx versus CapEx doesn’t really affect software development. Regulators do not typically dictate how software is created. There are many SSDLC frameworks for the cloud environment.

15
Q

Every cloud provider has __________ capabilities in terms of features, security, and security, which may affect the secure software development lifecycle (SSDLC).
A. the same
B. compliant
C. different
D. perfect

A

Answer: C
Each provider will have varying capabilities, which impacts the customer’s approach to the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.
Providers definitely do not have uniform capabilities; A is incorrect. “Compliance” suggests a standard, but there are also different standards providers can use, so B is incorrect. And there is nothing on the planet that is perfect, so D is incorrect.

16
Q

Applying the secure software development lifecycle (SSDLC) in the cloud may differ from using it in the traditional IT environment because __________ might be included in the scope of application security.
A. users
B. external mandates
C. price
D. the management plane

A

Answer: D
The management plane is a core element of the cloud environment, but not typically a part of a traditional IT environment; the management plane must be considered while trying to apply the SSDLC in the cloud. See page 111 of the CSA Cloud Security Guidance v4.
Users and external mandates are considerations in both the cloud and traditional IT environments. Price is not usually an aspect included in the SSDLC.

17
Q

Which of the following is not an organizational department that will need new, specific training to learn how to handle the secure software development lifecycle (SSDLC) in the cloud environment when the organization migrates from the traditional environment?
A. development
B. operations
C. security
D. regulatory

A

Answer: D
Organizations do not typically train regulators. All the other answers are roles within the organization that will need cloud-specific SSDLC training after migration (or, preferably, before). See page 112 of the CSA Cloud Security Guidance v4.

18
Q

In which step of the secure software development lifecycle (SSDLC) process should the deployment process(es) first be determined?
A. deploy
B. design
C. define
D. test

A

Answer: C
According to the CSA Cloud Security Guidance v4 (page 112), the deployment process is defined in the Define phase, although it might be modified later in the SSDLC.

19
Q

In which step of the secure software development lifecycle (SSDLC) process should threat modeling be applied?
A. define
B. develop
C. destroy
D. design

A

Answer: D
According to the CSA Cloud Security Guidance v4 (page 112), threat modeling is applied at the Design phase of the SSDLC.

20
Q

The development environment should never contain __________.
A. management plane access to the cloud environment
B. developers
C. virtual machines
D. production data

A

Answer: B
Developers should include application logging capabilities in cloud-based applications in order to compensate for the loss of other logging sources. See page 112 of the CSA Cloud Security Guidance v4.
SIEM, DRM, and DLP are all worthwhile tools, but do not provide log data to offset the sources that may not be available in the cloud, the way application logging does.

21
Q

What tool might be used to compensate for the lack of network, system, or service logs in a PaaS cloud application development environment?
A. security incident and event management (SIEM) solutions
B. application logs
C. digital rights management (DRM)
D. data loss prevention (DLP) solutions

A

Answer: B
Developers should include application logging capabilities in cloud-based applications in order to compensate for the loss of other logging sources. See page 112 of the CSA Cloud Security Guidance v4.
SIEM, DRM, and DLP are all worthwhile tools, but do not provide log data to offset the sources that may not be available in the cloud, the way application logging does.

22
Q

Cloud customers engaged in application development for a cloud environment should rely more on __________ testing.
A. manual
B. vendor-based
C. physical
D. automated

A

Answer: D
See page 112 of the CSA Cloud Security Guidance v4.
Manual testing is less efficient and introduces greater potential for human error. “Vendor-based” testing is a misnomer if you’re building your own application. Physical testing is unlikely in the cloud.

23
Q

One form of manual testing that might be very useful in cloud application development.
A. vulnerability scans
B. fuzz testing
C. code review
D. pressure tests

A

Answer: C
Code review is manual testing that is useful in cloud application development. See page 113 of the CSA Cloud Security Guidance v4.
Vulnerability scans and fuzz testing are usually automated tests. “Pressure testing” has no meaning in this context, and is only a distractor.

24
Q

Benefits of using a continuous integration/continuous deployment (CI/CD) pipeline model of cloud application development include: [select all that apply]
A. reduce costs
B. enhance market acceptance
C. capture increased market share
D. support immutable infrastructure
E. automate security testing
F. offer opportunity to log application and infrastructure changes

A

Answer: D, E, F
CI/CD models do not typically modify the cost of development or affect the marketability of the final product. All the other answers are benefits offered by use of a CI/CD model. See page 114 of the CSA Cloud Security Guidance v4.

25
Q

A security benefit of using the DevOps approach to application development in the cloud.
A. standardizing the development, testing, and operational environments
B. reducing overall costs for the organization
C. removing user input from the development process
D. guaranteeing approval of all audits

A

Answer: A
DevOps supports uniformity across the organization’s environments (including the development environment, the test environment, and the production environment) by using the same templates and approved code to build each environment. See page 118 of the CSA Cloud Security Guidance v4.
DevOps does not necessarily reduce costs. Users are more involved in the development process in a DevOps model than in other (more traditional) development approaches. Nothing guarantees passing an audit.