Domain 10: Application Security

Question 1

Which incentive drives cloud providers to create higher baseline security for the application environment than a traditional environment?
A. celebratory
B. financial
C. emotional
D. honor

Answer 1

Answer: B
Cloud providers are typically operated for profit; higher security increases market shares and helps retain customers. See pages 108-109 of the CSA Cloud Security Guidance v4.
If you have a provider that is motivated by emotions, find another provider. Honor is not typically found as an incentive for provider performance. “Celebratory” has no meaning here, and is only used as a distractor.

Question 2

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. responsiveness
B. physical centralization
C. single point of failure
D. hardware homogeneity

Answer 2

Answer: A
Security measures in the cloud may be more responsive than their counterparts in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Physical centralization is a characteristic of the traditional environment, where cloud computing is typically distributed. Single points of failure are not benefits to a security program; they increase risk. Cloud environments are not typically homogeneous in terms of the underlying hardware, and they instead tend to be vendor neutral.

Question 3

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. cross-jurisdictional
B. isolated environments
C. single set of credentials
D. impenetrable physical security

Answer 3

Answer: B
Cloud environments offer the ability to easily and inexpensively create entire distinct application stacks, such that if one were compromised by an attacker, the others would remain untouched. See page 109 of the CSA Cloud Security Guidance v4.
When cloud providers/customers span jurisdictions, this may actually create risk, not a security opportunity. Having a single set of credentials is incredibly risky, and not recommended. There is no such thing as impenetrable physical security (or impenetrable logical or digital security, for that matter).

Question 4

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. regulatory capture
B. corporate financing
C. independent virtual machines
D. Internet connectivity

Answer 4

Answer: C
In a traditional environment, the cost and complexity of physical hosts often results in organizations putting multiple applications/datasets on the same physical device; in the cloud, the ease of deployment and hardening, and the reduced cost of virtual machines allows the customer to deploy individual applications on single-purpose virtual machines. See page 109 of the CSA Cloud Security Guidance v4.
Regulatory capture is an undesirable situation where the regulated entity subverts the regulator. Corporate financing is not a security advantage. Internet connectivity actually poses risk to the environment.

Question 5

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. elasticity
B. remote access
C. shared responsibilities
D. coercion

Answer 5

Answer: A
Elasticity allows autoscaling of the cloud environment but ensuring that all newly-created workloads have the same baseline security configurations. See page 109 of the CSA Cloud Security Guidance v4.
Remote access and shared responsibilities, which are intrinsic to the cloud environment, actually pose risks, not benefits. Coercion is an undesirable situation, but the term has no meaning in this context, and is used here only as a distractor.

Question 6

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. waterfall
B. spiral
C. angle
D. DevOps

Answer 6

Answer: D
As a software development approach, DevOps offers opportunities for applying security early in the development process. While not unique to the cloud, DevOps is ideally suited to that environment. See page 109 of the CSA Cloud Security Guidance v4.
Waterfall and spiral are software development models that don’t necessarily facilitate early inclusion of security, and are not particularly applicable to the cloud. “Angle” has no meaning in this context and is used here as a distractor.

Question 7

A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. reverse identity
B. unified interface
C. shared responsibilities
D. provider administration

Answer 7

Answer: B
Traditional environments are typified by administration/configuration/monitoring that requires login and management of many disparate systems, creating opportunities for human error. Cloud computing typically offers a single, simplified interface for all administrative activity, streamlining security activities. See page 109 of the CSA Cloud Security Guidance v4.
“Reverse identity” has no meaning, and is used here only as a distractor. Shared responsibilities and provider administration are actually risks associated with the cloud environment.

Question 8

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. the use of software
B. limited detailed visibility
C. users
D. physical security

Answer 8

Answer: B
The cloud user will typically have less access to log data and other monitoring capabilities than in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Software is used in both the traditional and cloud environments; users exist in both situations, too. Cloud customer will typically have less challenge with physical security, because that is the responsibility of the provider.

Question 9

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. increased application scope
B. increased price of services
C. lack of processing power
D. limited number of providers

Answer 9

Answer: A
The security of the management plane will directly affect the security of any and all applications in the cloud environment. See page 110 of the CSA Cloud Security Guidance v4.
Typically, the price of services are decreased and the availability of processing power is increased in the cloud environment. There are many cloud providers, and more being created every day.

Question 10

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. arbitrary enforcement
B. binary data
C. changing threat models
D. deletion of files

Answer 10

Answer: C
Customers in a cloud environment must consider additional threat vectors/risks not normally associated with traditional IT environments, such as whatever responsibilities are assigned to the provider. See page 110 of the CSA Cloud Security Guidance v4.
“Arbitrary enforcement” has no meaning in this context, and is only used here as a distractor. Data is in binary form in both the traditional and cloud environments; files can be deleted in both, as well.

Question 11

A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. reduced price
B. reduced remote access capability
C. reduced storage capacity
D. reduced transparency

Answer 11

Answer: D
Cloud customers will typically have less insight into measures used to protect the environment, compared to the traditional environment. See page 110 of the CSA Cloud Security Guidance v4.
Reduced price is not a security challenge; it is a business opportunity. Both storage capacity and remote access capability are typically increased in the cloud environment.

Question 12

Which of the following is not one of the CSA’s “meta-phases” used to describe the secure software development lifecycle (SSDLC) for the cloud environment?
A. secure design and development
B. secure testing
C. secure deployment
D. secure operations

Answer 12

Answer: B
This is not one of the CSA’s SSDLC “meta-phases”; all the other answers are. According to these “meta-phases,” testing is include in the Secure Deployment meta-phase. See page 111 of the CSA Cloud Security Guidance v4.

Question 13

Cloud computing affects __________ phase(s) of the secure software development lifecycle (SSDLC).
A. many
B. one
C. the secure operations
D. all

Answer 13

Answer: D
Cloud computing affects every aspect of the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.

Question 14

One of the reasons cloud computing affects the secure software development lifecycle (SSDLC).
A. the shared responsibilities model
B. cloud entails operational expenditures instead of capital expenditures
C. regulatory mandates
D. only one SSDLC framework exists for cloud software development

Answer 14

Answer: A
Reliance on an external entity (the cloud provider) will affect how developers approach software creation. See page 111 of the CSA Cloud Security Guidance v4.
OpEx versus CapEx doesn’t really affect software development. Regulators do not typically dictate how software is created. There are many SSDLC frameworks for the cloud environment.

Question 15

Every cloud provider has __________ capabilities in terms of features, security, and security, which may affect the secure software development lifecycle (SSDLC).
A. the same
B. compliant
C. different
D. perfect

Answer 15

Answer: C
Each provider will have varying capabilities, which impacts the customer’s approach to the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.
Providers definitely do not have uniform capabilities; A is incorrect. “Compliance” suggests a standard, but there are also different standards providers can use, so B is incorrect. And there is nothing on the planet that is perfect, so D is incorrect.

Question 16

Applying the secure software development lifecycle (SSDLC) in the cloud may differ from using it in the traditional IT environment because __________ might be included in the scope of application security.
A. users
B. external mandates
C. price
D. the management plane

Answer 16

Answer: D
The management plane is a core element of the cloud environment, but not typically a part of a traditional IT environment; the management plane must be considered while trying to apply the SSDLC in the cloud. See page 111 of the CSA Cloud Security Guidance v4.
Users and external mandates are considerations in both the cloud and traditional IT environments. Price is not usually an aspect included in the SSDLC.

Question 17

Which of the following is not an organizational department that will need new, specific training to learn how to handle the secure software development lifecycle (SSDLC) in the cloud environment when the organization migrates from the traditional environment?
A. development
B. operations
C. security
D. regulatory

Answer 17

Answer: D
Organizations do not typically train regulators. All the other answers are roles within the organization that will need cloud-specific SSDLC training after migration (or, preferably, before). See page 112 of the CSA Cloud Security Guidance v4.

Question 18

In which step of the secure software development (SSDLC) process should the deployment process(es) first be determined?
A. deploy
B. design
C. define
D. test

Answer 18

Answer: C
According to the CSA Cloud Security Guidance v4 (page 112), the deployment process is defined in the Define phase, although it might be modified later in the SSDLC.

Question 19

In which step of the secure software development (SSDLC) process should threat modeling be applied?
A. define
B. develop
C. destroy
D. design

Answer 19

Answer: D
According to the CSA Cloud Security Guidance v4 (page 112), threat modeling is applied at the Design phase of the SSDLC.

Question 20

The development environment should never contain __________.
A. management plane access to the cloud environment
B. developers
C. virtual machines
D. production data

Answer 20

Answer: B
Developers should include application logging capabilities in cloud-based applications in order to compensate for the loss of other logging sources. See page 112 of the CSA Cloud Security Guidance v4.
SIEM, DRM, and DLP are all worthwhile tools, but do not provide log data to offset the sources that may not be available in the cloud, the way application logging does.

Question 21

What tool might be used to compensate for the lack of network, system, or service logs in a PaaS cloud application development environment?
A. security incident and event management (SIEM) solutions
B. application logs
C. digital rights management (DRM)
D. data loss prevention (DLP) solutions

Answer 21

Answer: B
Developers should include application logging capabilities in cloud-based applications in order to compensate for the loss of other logging sources. See page 112 of the CSA Cloud Security Guidance v4.
SIEM, DRM, and DLP are all worthwhile tools, but do not provide log data to offset the sources that may not be available in the cloud, the way application logging does.

Question 22

Cloud customers engaged in application development for a cloud environment should rely more on __________ testing.
A. manual
B. vendor-based
C. physical
D. automated

Answer 22

Answer: D
See page 112 of the CSA Cloud Security Guidance v4.
Manual testing is less efficient and introduces greater potential for human error. “Vendor-based” testing is a misnomer if you’re building your own application. Physical testing is unlikely in the cloud.

Question 23

One form of manual testing that might be very useful in cloud application development.
A. vulnerability scans
B. fuzz testing
C. code review
D. pressure tests

Answer 23

Answer: C
Code review is manual testing that is useful in cloud application development. See page 113 of the CSA Cloud Security Guidance v4.
Vulnerability scans and fuzz testing are usually automated tests. “Pressure testing” has no meaning in this context, and is only a distractor.

Question 24

Benefits of using a continuous integration/continuous deployment (CI/CD) pipeline model of cloud application development include: [select all that apply]
A. reduce costs
B. enhance market acceptance
C. capture increased market share
D. support immutable infrastructure
E. automate security testing
F. offer opportunity to log application and infrastructure changes

Answer 24

Answer: D, E, F
CI/CD models do not typically modify the cost of development or affect the marketability of the final product. All the other answers are benefits offered by use of a CI/CD model. See page 114 of the CSA Cloud Security Guidance v4.

Question 25

A security benefit of using the DevOps approach to application development in the cloud.
A. standardizing the development, testing, and operational environments
B. reducing overall costs for the organization
C. removing user input from the development process
D. guaranteeing approval of all audits

Answer 25

Answer: A
DevOps supports uniformity across the organization’s environments (including the development environment, the test environment, and the production environment) by using the same templates and approved code to build each environment. See page 118 of the CSA Cloud Security Guidance v4.
DevOps does not necessarily reduce costs. Users are more involved in the development process in a DevOps model than in other (more traditional) development approaches. Nothing guarantees passing an audit.