Domain 10: Application Security Flashcards
Which incentive drives cloud providers to create higher baseline security for the application environment than a traditional environment?
A. celebratory
B. financial
C. emotional
D. honor
Answer: B
Cloud providers are typically operated for profit; higher security increases market share and helps retain customers. See pages 108-109 of the CSA Cloud Security Guidance v4.
If you have a provider that is motivated by emotions, find another provider. Honor is not typically found as an incentive for provider performance. “Celebratory” has no meaning here, and is only used as a distractor.
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. responsiveness
B. physical centralization
C. single point of failure
D. hardware homogeneity
Answer: A
Security measures in the cloud may be more responsive than their counterparts in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Physical centralization is a characteristic of the traditional environment, whereas cloud computing is typically distributed. Single points of failure are not benefits to a security program; they increase risk. Cloud environments are not typically homogeneous in terms of the underlying hardware, and they instead tend to be vendor neutral.
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. cross-jurisdictional
B. isolated environments
C. single set of credentials
D. impenetrable physical security
Answer: B
Cloud environments offer the ability to easily and inexpensively create entire distinct application stacks, such that if one were compromised by an attacker, the others would remain untouched. See page 109 of the CSA Cloud Security Guidance v4.
When cloud providers/customers span jurisdictions, this may actually create risk, not a security opportunity. Having a single set of credentials is incredibly risky, and not recommended. There is no such thing as impenetrable physical security (or impenetrable logical or digital security, for that matter).
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. regulatory capture
B. corporate financing
C. independent virtual machines
D. Internet connectivity
Answer: C
In a traditional environment, the cost and complexity of physical hosts often results in organizations putting multiple applications/datasets on the same physical device; in the cloud, the ease of deployment and hardening, and the reduced cost of virtual machines allows the customer to deploy individual applications on single-purpose virtual machines. See page 109 of the CSA Cloud Security Guidance v4.
Regulatory capture is an undesirable situation where the regulated entity subverts the regulator. Corporate financing is not a security advantage. Internet connectivity actually poses risk to the environment.
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. elasticity
B. remote access
C. shared responsibilities
D. coercion
Answer: A
Elasticity allows autoscaling of the cloud environment while ensuring that all newly-created workloads have the same baseline security configurations. See page 109 of the CSA Cloud Security Guidance v4.
Remote access and shared responsibilities, which are intrinsic to the cloud environment, actually pose risks, not benefits. Coercion is an undesirable situation, but the term has no meaning in this context, and is used here only as a distractor.
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. waterfall
B. spiral
C. angle
D. DevOps
Answer: D
As a software development approach, DevOps offers opportunities for applying security early in the development process. While not unique to the cloud, DevOps is ideally suited to that environment. See page 109 of the CSA Cloud Security Guidance v4.
Waterfall and spiral are software development models that don’t necessarily facilitate early inclusion of security, and are not particularly applicable to the cloud. “Angle” has no meaning in this context and is used here as a distractor.
A security opportunity that may make the cloud computing environment advantageous compared to the traditional IT environment.
A. reverse identity
B. unified interface
C. shared responsibilities
D. provider administration
Answer: B
Traditional environments are typified by administration/configuration/monitoring that requires login and management of many disparate systems, creating opportunities for human error. Cloud computing typically offers a single, simplified interface for all administrative activity, streamlining security activities. See page 109 of the CSA Cloud Security Guidance v4.
“Reverse identity” has no meaning, and is used here only as a distractor. Shared responsibilities and provider administration are actually risks associated with the cloud environment.
A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. the use of software
B. limited detailed visibility
C. users
D. physical security
Answer: B
The cloud user will typically have less access to log data and other monitoring capabilities than in the traditional environment. See page 109 of the CSA Cloud Security Guidance v4.
Software is used in both the traditional and cloud environments; users exist in both situations, too. Cloud customers will typically have fewer challenges with physical security, because that is the responsibility of the provider.
A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. increased application scope
B. increased price of services
C. lack of processing power
D. limited number of providers
Answer: A
The security of the management plane will directly affect the security of any and all applications in the cloud environment. See page 110 of the CSA Cloud Security Guidance v4.
Typically, the price of services is decreased and the availability of processing power is increased in the cloud environment. There are many cloud providers, and more are being created every day.
A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. arbitrary enforcement
B. binary data
C. changing threat models
D. deletion of files
Answer: C
Customers in a cloud environment must consider additional threat vectors/risks not normally associated with traditional IT environments, such as whatever responsibilities are assigned to the provider. See page 110 of the CSA Cloud Security Guidance v4.
“Arbitrary enforcement” has no meaning in this context, and is only used here as a distractor. Data is in binary form in both the traditional and cloud environments; files can be deleted in both, as well.
A security challenge that may make the cloud computing environment risky compared to the traditional IT environment.
A. reduced price
B. reduced remote access capability
C. reduced storage capacity
D. reduced transparency
Answer: D
Cloud customers will typically have less insight into measures used to protect the environment, compared to the traditional environment. See page 110 of the CSA Cloud Security Guidance v4.
Reduced price is not a security challenge; it is a business opportunity. Both storage capacity and remote access capability are typically increased in the cloud environment.
Which of the following is not one of the CSA’s “meta-phases” used to describe the secure software development lifecycle (SSDLC) for the cloud environment?
A. secure design and development
B. secure testing
C. secure deployment
D. secure operations
Answer: B
This is not one of the CSA’s SSDLC “meta-phases”; all the other answers are. According to these “meta-phases,” testing is included in the Secure Deployment meta-phase. See page 111 of the CSA Cloud Security Guidance v4.
Cloud computing affects __________ phase(s) of the secure software development lifecycle (SSDLC).
A. many
B. one
C. the secure operations
D. all
Answer: D
Cloud computing affects every aspect of the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.
One of the reasons cloud computing affects the secure software development lifecycle (SSDLC).
A. the shared responsibilities model
B. cloud entails operational expenditures instead of capital expenditures
C. regulatory mandates
D. only one SSDLC framework exists for cloud software development
Answer: A
Reliance on an external entity (the cloud provider) will affect how developers approach software creation. See page 111 of the CSA Cloud Security Guidance v4.
OpEx versus CapEx doesn’t really affect software development. Regulators do not typically dictate how software is created. There are many SSDLC frameworks for the cloud environment.
Every cloud provider has __________ capabilities in terms of features and security, which may affect the secure software development lifecycle (SSDLC).
A. the same
B. compliant
C. different
D. perfect
Answer: C
Each provider will have varying capabilities, which impacts the customer’s approach to the SSDLC. See page 111 of the CSA Cloud Security Guidance v4.
Providers definitely do not have uniform capabilities; A is incorrect. “Compliance” suggests a standard, but there are also different standards providers can use, so B is incorrect. And there is nothing on the planet that is perfect, so D is incorrect.