Domain 4 Flashcards
During what phase should regulatory compliance be introduced?
Requirements gathering
What testing methodology provides full access to an environment/system?
Full knowledge/white box
What testing methodology provides some access to environment/system?
Grey box/partial knowledge
What testing methodology requires testers to act like hackers w/out inside knowledge of system?
Black box/zero knowledge
What allows secure storage and access to secrets, allowing them to be used when needed w/out hard-coding them?
KMS - key management service
What avoids hard-coded credentials in cloud applications?
KMS - key management service
What’s used to identify each component in a software package?
SBOM - software bill of materials
What’s designed to aggregate API access, provide authentication for API use, rate-limit, and gather statistics and data about API usage?
API gateways
What’s used to decouple software components?
API proxies
What is a software element that connects to back-end services and creates a more modern and useful API to connect to the front end, and allows developers to define an API without having to change underlying services in the back end?
API proxy
What acts as the security gateway to your enterprise architecture, and is the single point of entry and exit for all API calls?
API firewall
When is IAST - interactive application security testing - performed?
During QA/Testing phase of SDLC
What uses software instrumentation to monitor applications as they run and then gathers info about what occurs/how the software performs?
IAST
What aggregates API access, provides authentication for API use, rate-limit, and gathers statistics and data about API usage?
API gateways
What is a commonly accepted and used standard for encryption of data at rest?
AES-256
What is used for encryption in transit?
TLS
What documents abuse of software functionality?
Abuse case testing
What’s the best option to identify all components associated with software?
Software composition analysis (SCA)
What testing reviews source code?
Static testing
What looks at underlying components of software?
SCA - software composition analysis
What is intended to be used as a metric to assess the degree of trust that can be placed in web applications to help developers build in security controls?
ASVS - Application Security Verification Standard
What is major.minor.patch?
A common format for versioning.
What’s a listing of all the components of a software package or program?
Software bill of materials (SBOM)
What has built in protection against common attacks like SQL injection?
WAFs - web application firewalls
What allows for the easy movement of applications b/c they contain the dependencies and components the app needs w/out requiring a complete OS?
Containers
What are two functionalities used for federation?
SAML and OpenID Connect
What defines the requirements for cryptographic modules and is commonly used to assess cryptographic systems?
FIPS 140-2
Secrets that are generated and used as needed
Dynamic secrets
T/F: Shared accounts allow for auditing.
False - b/c actions cannot be provably linked to individual users
What consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Brute force attack
What happens in the testing phase of the SDLC?
Performance and security of software is tested.
What allows creation, storage, management, and auditing of keys?
KMS
What is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption?
PKI - public key infrastructure
What is a CI/CD tool used for continuous integration tooling?
Jenkins
What provides awareness of software license compliance, terms and conditions, and license expiration dates?
A complete software inventory
What is used to control usage based on roles and rights?
CASB
What’s used to limit potential for sensitive data loss and to detect anomalous usage patterns?
Cost limiting rules
What’s commonly used for malicious software testing, also known as creating a secure and isolated environment to test?
Sandboxing
What’s used to centralize and correlate security events and information?
SIEM solutions
What can be used to enforce encryption b/w an on-premise location and cloud provider to prevent 3rd party from seeing data in transit?
CASB
What is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies including authentication, authorization, alerts and encryption?
CASB
Does tokenization and masking protect data while it’s being accessed or while it’s in transit?
Accessed
T/F: Containers contain elements of the OS, libraries, config files, and app files/binaries.
True
What does ATASM stand for?
Architecture, threats, attack surfaces, and mitigations
What is a seven-step process applicable to most application development methodologies, which is platform agnostic, aligns business objectives with technical requirements, and takes into account compliance requirements, business impact analysis and a dynamic approach to threat management, enumeration and scoring?
P.A.S.T.A. - Process for attack simulation and threat analysis
What is a methodology used to perform threat modeling that focuses on a requirements model designed to ensure that the level of risk assigned to each asset is classified as acceptable by the system’s stakeholders?
Trike
What is a threat-modeling approach that highlights the importance of structural understanding of a system for the purpose of threat modeling (architecture). The architecture is broken apart into its logical and functional components (decomposing and factoring) to discover all potential attackable surfaces and define points where defenses will be built?
ATASM
In what approach does a team use a pre-defined set of common and prevalent threats and try to identify instances of them in the product by tracking the triggers?
Threat library/list approach
What is testing done against running code?
Dynamic testing
What reviews source code?
Static testing
T/F: Some malware is sandbox aware.
True
What can provide remote access to the LAN, and even to the devices on a LAN, acting as a mini gateway on the LAN that lets you access the LAN and then jump, via SSH or other services, to other connected devices on that LAN?
Jumpbox
What provides database activity monitoring that includes privileged account usage logging and monitoring in addition to other security and monitoring features?
DAM - database activity monitor
What two things help prevent DOS attacks on APIs?
Setting throttling limits and quotas
What limits the blast radius of exposed or compromised secrets?
Rotating secrets
What are two types of attacks prevalent on SMS?
SIM swapping and VoIP based attacks
What type of attack is designed to overwhelm the resources of a system to the point where it is unable to reply to legitimate service requests?
DoS and DDoS
What type of attack makes it possible for an attacker to eavesdrop on the data sent back and forth between two people, networks, or computers?
MITM - man in the middle
What is the prevention for MITM attacks?
Using strong encryption on access points or to a virtual private network (VPN).
Prevention for DDoS attacks?
Use a firewall that detects whether requests sent to your site are legitimate.
What attack occurs when a malicious actor sends emails that seem to be coming from trusted, legitimate sources in an attempt to grab sensitive information from the target and they combine social engineering and technology?
Phishing
Mitigation for phishing?
- Think carefully about the kinds of emails you open and the links you click on.
- Pay close attention to email headers, and do not click on anything that looks suspicious.
- Check the parameters for “Reply-to” and “Return-path.” They need to connect to the same domain presented in the email.
What attack goes after the “big fish” or whales of an organization?
Whale-phishing attack
In which attack does the attacker take the time to research their intended targets and then write messages the target is likely to find personally relevant?
Spear phishing
In what attack is the work station encrypted and then given back when money is paid?
Ransomware
An attacker intercepts network transmissions to grab passwords not encrypted by the network or uses brute force to guess.
Password attack
An attack where a command is inserted into the data plane in place of something else that normally goes there, such as a password or login; the server that holds the database then runs the command and the system is penetrated.
SQL Injection attack
Attackers alter and fabricate certain URL addresses and use them to gain access to the target’s personal and professional data. The attacker knows the order in which a web page’s URL information needs to be entered and interprets the syntax, using it to figure out how to get into areas they do not have access to.
URL interpretation or URL poisoning
A hacker alters DNS records to send traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter sensitive information that can be used or sold by the hacker. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor company look bad.
DNS spoofing
Making sure DNS servers are kept up-to-date is how to prevent _____.
DNS Spoofing
How to prevent URL Interpretation?
Use secure authentication methods for any sensitive areas of your site.
Set up a lock-out to lock out access to devices, websites, or applications automatically after a certain number of failed attempts.
How to prevent brute-force and password attacks
What kind of attack takes over a session between a client and the server, in which the computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client?
Session hijacking
How to prevent session hijacking?
Use a VPN to access business-critical servers to encrypt all communication so attacker cannot gain access to the secure tunnel created by the VPN.
What’s an attack where an attacker simply tries to guess the login credentials of someone with access to the target system?
Brute force attack
How to prevent brute force attack
Lock out policies and random passwords
What attacks refer to threats that target vulnerabilities in web-based applications, like SQL injection, XSS, and CSRF (cross-site request forgery)
Web attacks
What involves adjusting the parameters that programmers implement as security measures designed to protect specific operations?
Parameter tampering
How to prevent web attacks?
Inspect your web applications to check for—and fix—vulnerabilities.
Attacks that come from within an organization?
Insider threats
How to prevent insider threats?
Least privilege and MFA
What attack is when a hacker embeds malicious code into an insecure website, and when a user visits the site, the script is automatically executed on their computer, infecting it?
Drive by attack
An attack where the attacker transmits malicious scripts using clickable content that gets sent to the target’s browser, and when the victim clicks on the content, the script is executed.
XSS - cross-site scripting
How to prevent XSS attack?
Whitelist of allowable entities
Either active or passive, the bad actor intercepts traffic as it is sent through the network and then collects usernames, passwords, and other confidential information, like credit cards.
Eavesdropping attacks
An attack where the hacker inserts a piece of software within the network traffic path to collect information that the hacker analyzes for useful data.
Active eavesdropping
An attack where the hacker listens in on the transmissions looking for useful data they can steal.
Passive eavesdropping
T/F: Eavesdropping is a MITM attack
True
How to prevent eavesdropping attacks?
Encrypt data
An attack where the hacker can create a hash that is identical to what the sender has appended to their message and then simply replace the sender’s message with their own.
Birthday attack
How to prevent birthday attacks?
Use longer hashes for verification
This attack infects a computer and changes how it functions, destroys data, or spies on the user or network traffic as it passes through and can either spread from one device to another or remain in place, only impacting its host device.
Malware attack
How do CAPTCHA-based security systems reduce the impact of bots?
By requiring human interaction.
Can IDS systems rate limit?
No, even if they are SAML-aware
What refers to the number of API calls the client (API consumer) is able to make in a second?
Rate limiting
Does SSO prevent MFA?
No
What testing tests outcomes and performance?
Dynamic testing
What is the order of SDLC? Hint: 7 phases
Planning - Requirements Gathering - Design - Build - Test - Deploy - Maintain
What methodology is where phases serve as the input for the next phase and move only in one direction?
Waterfall
In what phase are requirements mapped to the software?
Design
In what phase are requirements created?
Define
In what phase are requirements validated?
Testing
In what phase does software run?
Operations
What test seeks to test performance requirements and whether customer expectations are met
Nonfunctional testing
The following attacks are associated with ______: injection, DDoS, XSS, on-path, and credential stuffing
API
Is malware attack associated with APIs?
Not commonly
This is a cyberattack method in which attackers use lists of compromised user credentials to breach into a system.
Credential stuffing
SAFECode is for ______
Secure software development
What allows users to validate a certificate and certificate chain to ensure trust?
Commercial certificate authority
A signature ensures what?
That the file is correct and hasn’t been changed and is provided by the signer.
T/F: SHA2 is preferred over MD5.
True
What is a family of hashing algorithms that features a higher level of security than its predecessor and was designed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA)?
SHA2
What uses software instrumentation to validate performance/function and is typically conducted during the QA/Test phase?
Interactive application security testing - IAST
T/F: Changing encryption algorithms if a problem is found w/ one that is currently in use is a best practice recommended by SAFECode.
True
What is the act of changing encryption algorithms if a problem is found w/ one that is currently in use?
Cryptographic agility
In a PaaS environment, who is responsible for the security of applications in the production environment?
Customer
In PaaS environment, who is responsible for hardware and platform?
Provider
Use case testing validates what?
How software is supposed to be used.
Is LDAP a commonly supported SSO option for most cloud vendors?
No
What SSO options are commonly supported by cloud providers?
Active directory, SAML, and vendor-native SSO
In what phase does the org determine the purpose of software and what it needs to do to meet user needs?
Define
How do you fix containers running as root?
Setting a non-privileged user as process owner
The following are examples of ______:
Publicly open cloud storage buckets
Improper permissions set on cloud storage buckets
Container runs as root
Container shares resources with the host (network interface, etc.)
Insecure Infrastructure-as-Code (IaC) configuration
Insecure cloud, container or orchestration configuration
The following are examples of _______:
SQL injection
XXE
NoSQL injection
OS command injection
Serverless event data injection
Injection flaws (app layer, cloud events, cloud services)
The following are examples of _______:
Unauthenticated API access on a microservice
Over-permissive cloud IAM role
Lack of orchestrator node trust rules (e.g. unauthorized hosts joining the cluster)
Unauthenticated orchestrator console access
Unauthorized or overly-permissive orchestrator access
Improper authentication & authorization
The following are examples of __________:
Insufficient authentication on CI/CD pipeline systems
Use of untrusted images
Use of stale images
Insecure communication channels to registries
Overly-permissive registry access
Using a single environment to run CI/CD tasks for projects requiring different levels of security
CI/CD pipeline & software supply chain flaws
The following are examples of _____:
Orchestrator secrets stored unencrypted
API keys or passwords stored unencrypted inside containers
Hardcoded application secrets
Poorly encrypted secrets (e.g. use of obsolete encryption methods, use of encoding instead of encryption, etc.)
Mounting of storage containing sensitive information
Insecure secrets storage
The following are examples of _____:
Over-permissive pod to pod communication allowed
Internal microservices exposed to the public Internet
No network segmentation defined
End-to-end communications not encrypted
Network traffic to unknown or potentially malicious domains not monitored and blocked
Over-permissive or insecure network policies
The following are examples of _____:
Vulnerable 3rd party open source packages
Vulnerable versions of application components
Use of known vulnerable container images
Using components with known vulnerabilities
The following are examples of _____:
Undocumented microservices & APIs
Obsolete & unmanaged cloud resources
Improper assets management
The following are examples of _____:
Resource-unbound containers
Over-permissive request quota set on APIs
Inadequate ‘compute’ resource quota limits
The following are examples of _____:
No container or host process activity monitoring
No network communications monitoring among microservices
No resource consumption monitoring to ensure availability of critical resources
Lack of monitoring on orchestration configuration propagation and stale configs
Ineffective logging & monitoring (e.g. runtime activity)
What identifies code quality issues by reviewing the source code for the app?
Static testing
Does dynamic testing identify code quality/business logic flaws?
No
Does black box testing allow access to code?
No
What does STRIDE stand for?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege
STRIDE focuses on:
Modeling threats to systems
Involves a hacker pretending to be another person with the intention of theft of important data or gaining access to highly encrypted portals.
Spoofing
Involves the attacker or hacker manipulating, removing, or modifying important data to attack a system or network.
Tampering
Involves a bad actor attacking the system without accepting their involvement in such malicious activity.
Repudiation
Refers to the unauthorized release of confidential information.
Information Disclosure
Aims to overload and disrupt the normal functioning of a targeted system by overwhelming it with excessive traffic and can occur at both application and network layers.
Denial of Service - mitigated by firewalls
Occurs when an unprivileged or unauthorized attacker gains access by getting through every defense mechanism against such access and is done by exploiting vulns and misconfigs.
Elevation of Privilege
Tampering is an attack on _____.
Integrity
What is a form of spoofing attack that hackers use to intercept data, committed by tricking one device into sending messages to the hacker instead of the intended recipient?
ARP spoofing (Address resolution protocol)
Attackers hijack a DNS server configured to return a malicious IP address and then gain control over the DNS resolution process to manipulate the responses to redirect users to malicious sites.
DNS compromise
API gateways focus on:
Service discovery and API security
OTP is:
one-time password
ASVS sets standards for:
Application validation and security testing.
During which phase does IAST occur?
Testing
What could help prevent staff from reusing passwords or ones that are easily guessed?
Using automated creation tools
What is commonly used to enable identity federation?
SAML
What is a community-driven effort to establish a framework of security requirements and controls that focuses on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services?
ASVS
What are two goals of ASVS?
- to help organizations develop and maintain secure applications
- to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.
What level of ASVS requires the application to “adequately defend against application security vulnerabilities that are easy to discover and included in the OWASP Top 10 and other similar checklists”?
Level 1
What level of ASVS requires apps to “adequately defend against most of the risks associated with software today” by having security controls in place, effective and used within the application?
Level 2
What level of ASVS requires the application to adequately defend against advanced application security vulnerabilities and also demonstrate principles of good security design, as well as be meaningfully modularized with multiple layers of security and controls to ensure confidentiality, integrity, availability, authentication, authorization, non-repudiation and auditing?
Level 3
Supplies user IDs, authenticates them, and then provides a token or validation to confirm the user’s identity.
3rd party identity provider
T/F: You don’t gather user requirements or feedback from documentation.
True
When should regulatory requirements be introduced in the SDLC?
Requirements gathering
What kind of testing provides full access to the system?
White box
What do API gateways do?
- Aggregate API access
- Authenticate API use
- Rate limit
- Provide stats and data on usage
What refers to the number of API calls the client (API consumer) is able to make in a second?
Rate limiting
What decouples software components?
API proxies
What checks code for many kinds of vulnerabilities and compliance with the organization’s coding standards?
Static analysis
What tests can address:
-functional specifications/requirements
-negative tests (testing what software should not do)
-denial of service
-overload attempts
-input boundary analysis
-input combinations
Black box
What’s used as a metric to assess the degree of trust you should put in a web app?
ASVS
What’s used as guidance to help developers build in security controls and during procurement to specify app security requirements?
ASVS
OWASP Top 10 is ________ and SANS Top 25 is __________.
Cloud specific / General software errors
What’s used to ensure only authorized users access APIs?
API keys
Cloud software development often relies on loosely coupled services. This makes designing for and meeting performance goals more complex, as multiple components may interact in unexpected ways. Verify through end-to-end load and stress testing.
performance pitfall of app security
One of the key features of the cloud is the ability to scale allowing applications and services to grow and shrink as demand fluctuates. This requires developers to think about how to retain state across instances and handle faults with individual servers. Also, scale out is better than scale up in the cloud.
scalability pitfall of app security
Is the ability to work across platforms, services, or systems and can be very important, especially multi vendor and multi cloud scenarios. Interoperability across platforms increases service provider choice and can reduce costs
interoperability pitfall of app security
Designing software that can move between on premises and cloud environments or between cloud providers makes it portable. Portability in a hybrid scenario requires avoiding use of certain environment and provider specific APIs and tools. The additional effort can make it harder to leverage some cloud advantages, and may require compromises
portability pitfall of app security
Application programming interfaces (APIs), are relied on throughout cloud application design, development, and operation. Designing APIs to work well with cloud architectures while remaining secure are both common challenges for developers and architects.
api security pitfall of app security
Access control
Data encryption
Throttling
Rate limiting
Are all _____ security considerations.
API
Data breaches
Data integrity
Insecure application programming interfaces (APIs)
Denial of Service
common cloud vulnerabilities
_____ capture what the organization needs its information systems to do.
Business requirements
_____ detail what the solution must do, such as supporting a maximum number of concurrent users.
Functional requirements
Pretty cute, mmmm. SDLC
Planning, requirements, design, coding, testing, maintenance
Considers potential development work, focusing on determining need, feasibility, and cost.
Planning
Once an effort has been deemed feasible, user and business functionality requirements are captured. Involves user, customer and stakeholder input to determine desired functionality, current system or app functionality, and desired improvements.
Requirements definition
Functionality, architecture, integration points and techniques, data flows, and business processes.
Design
Ongoing maintenance updates, patching, and checks to ensure software remains functional and secure
Maintain
Places an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.
agile
Describes a sequential development process that results in the development of a finished product.
waterfall
Individuals and interactions over ____
Working software over ____
Customer collaboration over ____
Responding to change over ____
processes and tools
comprehensive documentation
contract negotiation
following a plan
Allows security practitioners to identify potential threats and security vulnerabilities. Can be proactive or reactive, but in either case the goal is to eliminate or reduce threats.
threat modeling
Focused on Assets - using asset valuation
Focused on Attackers
Focused on Software
3 approaches to threat modeling
Which threat modeling method focuses on developing countermeasures based on asset value?
PASTA
Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition & Analysis
Stage IV: Threat Analysis
Stage V: Weakness & Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management
PASTA
What “threat model” is actually not a threat model and can be used with other threat models?
ATASM - A series of process steps for performing threat modeling
The practice of designing systems and software to avoid security risks. Essentially a proactive risk mitigation practice. Standards and organizations exist that work to mature these practices.
secure coding
Base finding, environmental, and attack surface
CWSS scores (through MITRE)
Improper input handling. Used to compromise web front-end and backend databases. Use unexpected input to a web application to gain unauthorized access to an underlying database.
Injection (SQL) attacks - prevented w/ good code practices, input validation, prepared statements, and limiting account privileges
Attackers use this to exploit poorly written software. Exists when a developer does not validate user input to ensure that it is of an appropriate size (input that is too large can “overflow” the memory buffer).
Buffer overflow - prevent with input validation
If an attacker is able to gain access to restricted directories through HTTP, it is known as a _____. Performed easily by using a command injection attack, and could reach the root directory.
directory traversal attack - secure by running scanner and keeping web server software patched
Firewalls, routers, intrusion prevention (IDPS), SIEM, disable broadcast packets entering/leaving, disable echo replies, patching are countermeasures for _____.
DoS
A condition where the system’s behavior is dependent on the sequence or timing of other uncontrollable events.
Race conditions
A timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Problem occurs when the state of the resource changes between the time of the check and the time it is actually used
Time-of-check-to-time-of-use (TOCTOU)
First published “Fundamental Practices for Secure Software Development”. Informed by existing models, including OWASP, CVE, CWE and the Microsoft SDL. Designed to help the software industry adopt and use these best practices effectively.
SAFECode
This is where source code and related artifacts (such as libraries) are stored
code repositories
✓ Do not commit sensitive information
✓ Protect access to
✓ Sign your work
✓ Keep your development tools (IDE) up-to-date
how to handle source code securely
_____ is an important component of configuration management. It is a _____ of a system or application at a given point in time and should also create _____ that may be used to help understand system configuration, system and component level versioning.
Baselining
snapshot
artifacts
An emerging strategy and standard in tracking software versions is _____. It lists all of the components in an application or service, including open source or proprietary code libraries.
software bill of materials (SBOM)
App dev phases. DTSP
Development, testing, staging (QA), production
Determines if software meets functionality requirements defined earlier in the SSDLC. Includes integration, regression, and user acceptance.
Functional testing
Focuses on the quality of the software, looks at software qualities like stability and performance, methods include load, stress, recovery, and volume tests
Non functional testing
Define a system or its components and specify what it must do. Captured in use cases, defined at a component level. EXAMPLE: application forms must protect against injection attacks.
functional security requirements
Specify the system’s quality, characteristics, or attributes. Apply to the whole system (system level). EXAMPLE: security certifications
non functional security requirements
Analysis of computer software performed without actually executing programs. Tester has access to the underlying framework, design, and implementation.
static application security testing - inside out testing - requires source code
A program which communicates with a web application (executes the application). Tester has no knowledge of the technologies or frameworks that the application is built on. No source code required.
Dynamic app security testing - outside in testing
Analyzes code for vulnerabilities while it’s being used. Focuses on real time reporting to optimize testing and analysis process. Analyzes the internal functions of the application while it is running.
IAST - interactive app security testing
Is used to track the components of a software package or application. Is of special concern for apps built with open-source software components, because open-source components often involve reusable code libraries. These tools identify flaws/vulnerabilities in these included components, ensure the latest versions are in use, etc.
Software Composition Analysis
_____ is responsible for ensuring that the code delivered to the customer through the cloud environment is quality code, defect free, and secure.
QA
Should be involved in many testing activities, such as load, performance and stress testing, as well as vulnerability management.
QA
This is a standard communication protocol system that uses XML technologies
SOAP
This is an architectural model that uses HTTPS for web communications to offer API endpoints
REST
On Site Assessment
Document Exchange and Review
Process/Policy Review
Third party audit
Supply chain evaluation
– Where in the cloud is the software running? Is this on a well known CSP, or does the provider use their own cloud service?
– Is the data encrypted at rest and in transit, and what encryption technology is used?
– How is access management handled?
– What event logging can you receive?
– What auditing options exist?
things a third party software assessment includes
One in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation. There is no vendor support, so you might pay a third party to support in a production environment.
open source
More expensive but tend to provide more/better protection and more functionality and support (at a cost). Many vendors in this space, including Cisco, Checkpoint, Palo Alto, Barracuda. But “no source code access”.
proprietary
- Sandbox testing
- Vulnerability scans
- Third party verifications
Testing to validate open source software
Protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Often includes OWASP core rule sets (CRS).
web app firewall
Protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Usually implemented as a proxy.
xml firewall
Combines network data and database audit info in real time to analyze database activity for unwanted, anomalous, or unexpected behavior. Monitors application activity, privileged access, and detects attacks through behavioral analysis.
database activity monitoring (DAM)
Monitors traffic to your application services, exposed as API endpoints. Provides authentication and key validation services that control API access.
api gateway
Cost
Need for segmentation - filter traffic b/w VNs and the internet
Open Systems Interconnection (OSI) layers - network firewall works on layer 3 - stateful packet inspection on layers 3/4 - WAF works on layer 7
firewall considerations
Places the systems or code into an isolated, secured environment where testing can be performed. These architectures often create independent, ephemeral environments for testing. Enables patch-and-test and ensures a system is secure before putting it into a production environment. Also facilitates investigating dangerous malware and provides an environment for evaluating the security of code without impacting other systems.
sandboxing
A container orchestration platform for scheduling and automating the deployment, management, and scaling of containerized applications.
Kubernetes
Allows the automation of workflows, management of accounts in addition to the deployment of cloud and containerized applications. Implements automation in a way that manages cost and enforces corporate policy in and across clouds.
orchestration
Creates, maintains, and manages identity information while providing authentication services to applications.
identity providers - Azure AD for O365