Domain 10 - Application Security Flashcards
What are Cloud Computing Opportunities to Application Security?
- Higher Baseline Security
- Responsiveness
- Isolated Environments
- Independent Virtual Machines
- Elasticity
- DevOps
- Unified Interface
True/False: In a cloud environment, major baseline security failures completely undermine the trust
that a public cloud provider needs in order to maintain relationships with its customer base.
True
_______ is a new application development methodology and philosophy focused
on automation of application development and deployment.
DevOps
What are the cloud computing challenges to Application Security?
- Limited Detailed Visibility
- Increased Application Scope
- Changing Threat Models
- Reduced Transparency
What are some of SDLC Frameworks?
- Microsoft Developent Lifecycle
- NIST 800-64
- ISO/IEC 27034
- OWASP
What are the CSA Meta phases of SDLC?
- Secure Design and Development
- Secure Deployment
- Secure Operations
5 Main Phases in Secure Design and Development
- Training
- Define
- Design
- Develop
- Test
Multiple Kind of Application Security Test
- Code Review
- Unit, regression and functional test
- SAST
- DAST
CSA Cloud Penetration Testing Recommendations
- Use experienced cloud provider testing firm
- Include developer and adminitrator in scoping
- In multi-tenant app, all testers to act as tenant
Impact of Cloud in Application Design and Architectures
- Segregation by Default
- Immutable Infrastructure
- Increased use of micro-services
- PaaS and Serverless architectures
- Software Defined Security
- Event Driven Security
________refers to the deeper integration of development and operations teams through better
collaboration and communications, with a heavy focus on automating application deployment and
infrastructure operations.
DevOps
Security Implications and Advantages of DevOps
- Standardisation
- Automated Testing
- Immutable
- Improved Auditing and Change Management
- SecDevOps/DevSecOps and Rugged DevOps
__________ sometimes refers to the
use of DevOps automation techniques to improve security operations. These two terms are emerging to describe the integration of security activities into DevOps
SecDevOps/DevSecOps
In DevOps, _________ refers
to integration of security testing into the application development process to produce harder,
more secure, and more resilient applications
Rugged DevOps