Domain 4 Flashcards
During what phase of the SDLC should regulatory compliance requirements be introduced?
Requirements gathering
What testing methodology provides full access to an environment/system?
Full knowledge/white box
What testing methodology provides some access to environment/system?
Grey box/partial knowledge
What testing methodology requires testers to act like hackers w/out inside knowledge of system?
Black box/zero knowledge
What allows secure storage of and access to secrets (credentials, API keys, connection strings) so they can be fetched at run time w/out hard-coding them?
KMS - key management service (strictly, a KMS manages cryptographic keys while a secrets manager/vault stores the secrets themselves; the two are grouped together here)
What avoids hard-coded credentials in cloud applications?
KMS - key management service (or a cloud secrets manager): the application retrieves the credential from the service instead of embedding it in code or config
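The two cards above, as an added example that is not part of the original flashcard set: the weak pattern (a credential as a source-code literal) next to the hardened pattern (a run-time lookup through a provider callable that stands in for a secrets-manager client, failing closed when the secret is missing), plus a small regex check that flags credential-looking assignments in source. The provider interface, the regex and the sample lines are constructed for the demo; real secrets-manager clients differ by platform.

```python
import os
import re
from typing import Callable, Optional

# Weak pattern: the credential lives in source and ships with every copy of the code.
DB_PASSWORD_HARDCODED = "hunter2"  # constructed example value; this is what to avoid


def load_secret(name: str, provider: Callable[[str], Optional[str]]) -> str:
    """Hardened pattern: ask a secrets provider at run time.

    `provider` is a hypothetical stand-in for a secrets-manager / vault / KMS-backed
    lookup; it returns the secret value or None when the secret is unavailable.
    """
    value = provider(name)
    if not value:
        # Fail closed: refusing to start beats silently falling back to a default.
        raise RuntimeError(f"secret {name!r} is not available from the provider")
    return value


def env_provider(name: str) -> Optional[str]:
    """Simplest provider: an environment variable injected by the platform."""
    return os.environ.get(name)


# Detection side: flag assignments that look like hard-coded credentials.
# Constructed heuristic for the demo, not a complete secret scanner.
_HARDCODED = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*=\s*["'][^"']{4,}["']"""
)


def find_hardcoded_credentials(source: str) -> list[int]:
    """Return 1-based line numbers whose text looks like a hard-coded credential."""
    return [i for i, line in enumerate(source.splitlines(), 1) if _HARDCODED.search(line)]


if __name__ == "__main__":
    # Constructed source sample: line 1 and line 3 are hard-coded, line 2 is not.
    sample = 'db_password = "hunter2"\napi_key = os.environ["API_KEY"]\nTOKEN = "abcd1234"\n'
    print(find_hardcoded_credentials(sample))  # [1, 3]
    os.environ["DB_PASSWORD"] = "from-secrets-manager"  # constructed stand-in for injection
    print(load_secret("DB_PASSWORD", env_provider))
```

The scanner is deliberately simple; its value is in running it as a pre-commit or CI check so that a literal like the first line never reaches a repository.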
What’s used to identify each component in a software package?
SBOM - software bill of materials
What’s designed to aggregate API access, provide authentication for API use, rate-limit requests, and gather statistics and data about API usage?
API gateways
What’s used to decouple software components?
API proxies
What software element connects to back-end services, presents a more modern and useful API to the front end, and lets developers define an API without changing the underlying back-end services?
API proxy
What acts as the security gateway to your enterprise architecture and is the single point of entry and exit for all API calls?
API firewall
When is IAST - interactive application security testing - performed?
During QA/Testing phase of SDLC
What uses software instrumentation to monitor applications as they run and then gathers info about what occurs/how the software performs?
IAST
What is a commonly accepted and used standard for encryption of data at rest?
AES-256
What is used for encryption in transit?
TLS
What documents the ways software functionality could be misused, so that those misuses can be tested for?
Abuse case testing (abuse cases)
What’s the best option to identify all components associated with software?
Software composition analysis (SCA)
What testing reviews source code without executing it?
Static testing (SAST)
What looks at the underlying components (libraries and other dependencies) of software?
SCA - software composition analysis
What is intended as a metric of the degree of trust that can be placed in a web application, and as a guide for developers building in security controls?
ASVS - OWASP Application Security Verification Standard
What is major.minor.patch?
A common version-number format (semantic versioning, SemVer): major increments for breaking changes, minor for backward-compatible additions, patch for backward-compatible fixes. Versions compare numerically per field, not as strings (1.26.10 is newer than 1.26.4).
What’s a listing of all the components of a software package or program?
Software bill of materials (SBOM)
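The SBOM, SCA and major.minor.patch cards above, as one added example that is not part of the original flashcard set: parse a constructed lockfile into a minimal CycloneDX-shaped SBOM, then run an SCA pass over it using a numeric semver comparison against a constructed advisory list. The lockfile contents and the advisory identifiers (DEMO-0001, DEMO-0002) and ranges are made up for the demo and are not real vulnerabilities.

```python
import json
import re

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed "pip freeze" style lockfile; real input would come from the build.
LOCKFILE = """\
requests==2.25.1
urllib3==1.26.4
cryptography==41.0.7
"""

# Constructed advisory feed: package -> [(advisory id, first vulnerable, first fixed)].
# These entries and version ranges are invented for the demo.
ADVISORIES = {
    "urllib3": [("DEMO-0001", "1.26.0", "1.26.5")],
    "requests": [("DEMO-0002", "2.0.0", "2.26.0")],
}


def parse_semver(version: str) -> tuple[int, int, int]:
    """Parse major.minor.patch into a tuple so comparisons are numeric per field."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_lockfile(text: str) -> dict[str, str]:
    """name -> pinned version, skipping blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.lower()] = version
    return deps


def build_sbom(deps: dict[str, str]) -> dict:
    """Minimal CycloneDX-shaped SBOM: one component entry per dependency."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in sorted(deps.items())
        ],
    }


def scan(sbom: dict, advisories: dict = ADVISORIES) -> list[tuple[str, str, str]]:
    """SCA step: (advisory, package, version) for every component in a vulnerable range."""
    findings = []
    for c in sbom["components"]:
        v = parse_semver(c["version"])
        for adv_id, introduced, fixed in advisories.get(c["name"], []):
            # Vulnerable if introduced <= version < fixed, compared field by field.
            if parse_semver(introduced) <= v < parse_semver(fixed):
                findings.append((adv_id, c["name"], c["version"]))
    return findings


if __name__ == "__main__":
    sbom = build_sbom(parse_lockfile(LOCKFILE))
    print(json.dumps(sbom, indent=2))
    print(scan(sbom))  # [('DEMO-0002', 'requests', '2.25.1'), ('DEMO-0001', 'urllib3', '1.26.4')]
```

The SBOM is the inventory; SCA is the question asked of it. Keeping the two steps separate means the same SBOM can be re-scanned when a new advisory appears without rebuilding the software.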
What has built-in protection against common web attacks like SQL injection?
WAFs - web application firewalls