Domain 4 Flashcards by Natasha WrightPope

During what phase should regulatory compliance be introduced?

Requirements gathering

How well did you know this?

Not at all

Perfectly

What testing methodology provides full access to an environment/system?

Full knowledge/white box

How well did you know this?

Not at all

Perfectly

What testing methodology provides some access to environment/system?

Grey box/partial knowledge

How well did you know this?

Not at all

Perfectly

What testing methodology requires testers to act like hackers w/out inside knowledge of system?

Black box/zero knowledge

How well did you know this?

Not at all

Perfectly

What allows secure storage and access to secrets, allowing them to be used when needed w/out hard-coding them?

KMS - key management service

How well did you know this?

Not at all

Perfectly

What avoids hard-coded credentials in cloud applications?

KMS - key management service

How well did you know this?

Not at all

Perfectly

What’s used to identify each component in a software package?

SBOM - software bill of materials

How well did you know this?

Not at all

Perfectly

What’s designed to aggregate API access, provide authentication for API use, rate-limit, and gather statistics and data about API usage?

API gateways

How well did you know this?

Not at all

Perfectly

What’s used to decouple software components?

API proxies

How well did you know this?

Not at all

Perfectly

What is a software element that connects to back-end services and creates a more modern and useful API to connect to the front end, and allows developers to define an API without having to change underlying services in the back end.

API proxy

How well did you know this?

Not at all

Perfectly

What acts as the security gateway to your enterprise architecture, and is the single point of entry and exit for all API calls

API firewall

How well did you know this?

Not at all

Perfectly

When is IAST - interactive application security testing - performed?

During QA/Testing phase of SDLC

How well did you know this?

Not at all

Perfectly

What uses software instrumentation to monitor applications as they run and then gathers info about what occurs/how the software performs?

IAST

How well did you know this?

Not at all

Perfectly

What aggregates API access, provides authentication for API use, rate-limit, and gathers statistics and data about API usage?

API gateways

How well did you know this?

Not at all

Perfectly

What is a commonly accepted and used standard for encryption of data at rest?

AES-256

How well did you know this?

Not at all

Perfectly

What is used for encryption in transit?

TLS

How well did you know this?

Not at all

Perfectly

What documents abuse of software functionality?

Abuse case testing

How well did you know this?

Not at all

Perfectly

What’s the best option to identify all components associated with software?

Software composition analysis (SCA)

How well did you know this?

Not at all

Perfectly

What testing reviews source code?

Static testing

How well did you know this?

Not at all

Perfectly

What looks at underlying components of software?

SCA - software composition analysis

How well did you know this?

Not at all

Perfectly

What is intended to be used as a metric to assess the degree of trust that can be placed in web applications to help developers build in security controls?

ASVS - Application Security Verification Standard

How well did you know this?

Not at all

Perfectly

What is major.minor.patch?

A common format for versioning.

How well did you know this?

Not at all

Perfectly

What’s a listing of all the components of a software package or program?

Software bill of materials (SBOM)

How well did you know this?

Not at all

Perfectly

What has built in protection against common attacks like SQL injection?

WAFs - web application firewalls

How well did you know this?

Not at all

Perfectly

What allows for the easy movement of applications b/c they contain the dependencies and components the app needs w/out requiring a complete OS?

Containers

What are two functionalities used for federation?

SAML and OpenID Connect

What defines the requirements for cryptographic modules and is commonly used to assess cryptographic systems?

FIPS 140-2

Secrets that are generated and used as needed

Dynamic secrets?

T/F: Shared accounts allow for auditing.

False - b/c actions cannot be provably linked to individual users

What consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Brute force attack

What happens in the testing phase of the SDLC?

Performance and security of software is tested.

What allows creation, storage, management, and auditing of keys?

KMS

What is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

PKI - public key infrastructure

What is a CI/CD tool used for continuous integration tooling?

Jenkins

What provides awareness of software license compliance, terms and conditions, and license expiration dates?

A complete software inventory

What is used to control usage based on roles and rights?

CASB

What's used to limit potential for sensitive data loss and to detect anomalous usage patterns?

Cost limiting rules

What's commonly used for malicious software testing, also known as creating a secure and isolated environment to test?

Sandboxing

What's used to centralize and correlate security events and information?

SIEM solutions

What can be used to enforce encryption b/w an on-premise location and cloud provider to prevent 3rd party from seeing data in transit?

CASB

What is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies including authentication, authorization, alerts and encryption?

CASB

Does tokenization and masking protect data while it's being accessed or while it's in transit?

Accessed

T/F: Containers contain elements of the OS, libraries, config files, and app files/binaries.

True

What does ATASM stand for?

Architecture, threats, attack surfaces, and mitigations

What is a seven-step process applicable to most application development methodologies, which is platform agnostic and aligns business objectives with technical requirements and takes into account compliance requirements, business impact analysis and a dynamic approach to threat management, enumeration and scoring.

P.A.S.T.A. - Process for attack simulation and threat analysis

What is a methodology used to perform threat modeling that focuses on a requirements model designed to ensure that the level of risk assigned to each asset is classified as acceptable by the system’s stakeholders?

Trike

What is a threat-modeling approach that highlights the importance of structural understanding of a system for the purpose of threat modeling (architecture). The architecture is broken apart into its logical and functional components (decomposing and factoring) to discover all potential attackable surfaces and define points where defenses will be built?

ATASM

What is using a pre-defined set of common and prevalent threats, a team will try to identify instances of them in the product by tracking the triggers

Threat library/list approach

What is testing done against running code?

Dynamic testing

What reviews source code?

Static testing

T/F: Some malware is sandbox aware.

True

What can provide remote access to the LAN, and even to the devices on a LAN, and then acts as a mini gateway on the LAN and allows you to access the LAN and then jump, via SSH or other services, to other connected devices on that LAN.

Jumpbox

What provides database activity monitoring that includes privileged account usage logging and monitoring in addition to other security and monitoring features?

DAM - database activity monitor

What two things help prevent DOS attacks on APIs?

Setting throttling limits and quotas

What limits the blast radius of exposed or compromised secrets?

Rotating secrets

What are two types of attacks prevalent on SMS?

SIM swapping and VoIP based attacks

What type of attack is designed to overwhelm the resources of a system to the point where it is unable to reply to legitimate service requests.

DoS and DDoS

What type of attack makes it possible for an attacker to eavesdrop on the data sent back and forth between two people, networks, or computers.

MITM - man in the middle

What is the prevention for MITM attacks?

Using strong encryption on access points or to a virtual private network (VPN).

Prevention for DDoS attacks?

Use a firewall that detects whether requests sent to your site are legitimate.

What attack occurs when a malicious actor sends emails that seem to be coming from trusted, legitimate sources in an attempt to grab sensitive information from the target and they combine social engineering and technology?

Phishing

Mitigation for phishing?

- Think carefully about the kinds of emails you open and the links you click on. - Pay close attention to email headers, and do not click on anything that looks suspicious. - Check the parameters for “Reply-to” and “Return-path.” They need to connect to the same domain presented in the email.

What attack goes after the “big fish” or whales of an organization

Whale-phishing attack

Which attack does the attacker take the time to research their intended targets and then write messages the target is likely to find personally relevant.

Spear phishing

In what attack is the work station encrypted and then given back when money is paid?

Ransomware

An attacker intercepts network transmissions to grab passwords not encrypted by the network or uses brute force to guess.

Password attack

An attack where the command is inserted into a data plane in place of something else that normally goes there, such as a password or login, and then the server that holds the database runs the command and the system is penetrated.

SQL Injection attack

Attackers alter and fabricate certain URL addresses and use them to gain access to the target’s personal and professional data. The attacker knows the order in which a web-page’s URL information needs to be entered, they interpret the syntax, using it to figure out how to get into areas they do not have access to.

URL interpretation or URL poisoning

A hacker alters DNS records to send traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter sensitive information that can be used or sold by the hacker. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor company look bad.

DNS spoofing

Making sure DNS servers are kept up-to-date is how to prevent _____.

DNS Spoofing

How to prevent URL Interpretation?

Use secure authentication methods for any sensitive areas of your site.

Set up a lock-out to lock out access to devices, websites, or applications automatically after a certain number of failed attempts.

How to prevent brute-force and password attacks

What kind of attack takes over a session between a client and the server in which the computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client.

Session hijacking

How to prevent session hijacking?

Use a VPN to access business-critical servers to encrypt all communication so attacker cannot gain access to the secure tunnel created by the VPN.

What's an attack where an attacker simply tries to guess the login credentials of someone with access to the target system.

Brute force attack

How to prevent brute force attack

Lock out policies and random passwords

What attacks refer to threats that target vulnerabilities in web-based applications, like SQL injection, XSS, and CSRF (cross-site request forgery)

Web attacks

What involves adjusting the parameters that programmers implement as security measures designed to protect specific operations.

Parameter tampering

How to prevent web attacks?

Inspect your web applications to check for—and fix—vulnerabilities.

Attacks that come from within an organization?

Insider threats

How to prevent insider threats?

Least privilege and MFA

What attack is when a hacker embeds malicious code into an insecure website, and when a user visits the site, the script is automatically executed on their computer, infecting it.

Drive by attack

An attack where the attacker transmits malicious scripts using clickable content that gets sent to the target’s browser, and when the victim clicks on the content, the script is executed.

XSS - cross-site scripting

How to prevent XSS attack?

Whitelist of allowable entities

Either active or passive, the bad actor intercepts traffic as it is sent through the network and then collects usernames, passwords, and other confidential information, like credit cards.

Eavesdropping attacks

An attack where the hacker inserts a piece of software within the network traffic path to collect information that the hacker analyzes for useful data.

Active eavesdropping

An attack where the hacker listens in on the transmissions looking for useful data they can steal.

Passive eavesdropping

T/F: Eavesdropping is a MITM attack

True

How to prevent eavesdropping attacks.

Encrypt data

An attack where the hacker can create a hash that is identical to what the sender has appended to their message and then simply replace the sender’s message with their own.

Birthday attack

How to prevent birthday attack.

Use longer hashes for verification

This attack infects a computer and changes how it functions, destroys data, or spies on the user or network traffic as it passes through and can either spread from one device to another or remain in place, only impacting its host device.

Malware attack

How do CAPTCHA-based security systems reduce the impact of bots?

By requiring human interaction.

Can IDS systems rate limit?

No, even if they are SAML-aware

What refers the number of API calls the client (API consumer) is able to make in a second.

Rate limiting

Does SSO prevent MFA?

What testing tests outcomes and performance?

Dynamic testing

What is the order of SDLC? Hint: 7 phases

Planning - Requirements Gathering - Design - Build - Test - Deploy - Maintain

What methodology is where phases serve as the input for the next phase and move only in one direction?

Waterfall

In what phase are requirements mapped to the software?

Design

In what phase are requirements created?

Define

In what phase are requirements validated?

Testing

In what phase does software run?

Operations

What test seeks to test performance requirements and whether customer expectations are met

Nonfunctional testing

The following attacks are associated with ______: injection, ddos, xss, on-path, and credential stuffing

API

Is malware attack associated with APIs?

Not commonly

This is a cyberattack method in which attackers use lists of compromised user credentials to breach into a system.

Credential stuffing

SAFECode is for ______

Secure software development

What allows users to validate a certificate and certificate chain to ensure trust?

Commercial certificate authority

A signature ensures what?

That the file is correct and hasn't been changed and is provided by the signer.

T/F: SHA2 is preferred over MD5.

True

What is a family of hashing algorithms that feature a higher level of security than its predecessor and was designed through The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

SHA2

What uses software instrumentation to validate performance/function and is typically conducted during the QA/Test phase?

Interactive application security testing - IAST

T/F: Changing encryption algorithms if a problem is found w/ one that is currently in use is a best practice recommended by SAFECode.

True

What is the act of changing encryption algorithms if a problem is found w/ one that is currently in use?

Cryptographic agility

In a PaaS environment, who is responsible for the security of applications in the production environment?

Customer

In PaaS environment, who is responsible for hardware and platform?

Provider

Use case testing validates what?

How software is supposed to be used.

Is LDAP a commonly supported SSO option for most cloud vendors?

What SSO options are commonly supported by cloud providers?

Active directory, SAML, and vendor-native SSO

In what phase does the org determine the purpose of software and what it needs to do to meet user needs?

Define

How do you fix containers running as root?

Setting a non-privileged user as process owner

The following are examples of ______: Publicly open cloud storage buckets Imrpoper permissions set on cloud storage buckets Container runs as root Container shares resources with the host (network interface, etc.) Insecure Infrastructure-as-Code (IaC) configuration

Insecure cloud, container or orchestration configuration

The following are examples of _______: SQL injection XXE NoSQL injection OS command injection Serverless event data injection

Injection flaws (app layer, cloud events, cloud services)

The following are examples of _______: Unauthenticated API access on a microservice Over-permissive cloud IAM role Lack of orchestrator node trust rules (e.g. unauthorized hosts joining the cluster) Unauthenticated orchestrator console access Unauthrized or overly-permissive orchestrator access

Improper authentication & authorization

The following are examples of __________: Insufficient authentication on CI/CD pipeline systems Use of untrusted images Use of stale images Insecure communication channels to registries Overly-permissive registry access Using a single environment to run CI/CD tasks for projects requiring different levels of security

CI/CD pipeline & software supply chain flaws

The following are examples of _____: Orchestrator secrets stored unencrypted API keys or passwords stored unencrypted inside containers Hardcoded application secrets Poorly encrypted secrets (e.g. use of obsolete encryption methods, use of encoding instead of encryption, etc.) Mounting of storage containing sensitive information

Insecure secrets storage

The following are examples of _____: Over-permissive pod to pod communication allowed Internal microservices exposed to the public Internet No network segmentation defined End-to-end communications not encrypted Network traffic to unknown or potentially malicious domains not monitored and blocked

Over-permissive or insecure network policies

The following are examples of _____: Vulnerable 3rd party open source packages Vulnerable versions of application components Use of known vulnerable container images

Using components with known vulnerabilities

The following are examples of _____: Undocumented microservices & APIs Obsolete & unmanaged cloud resources

Improper assets management

The following are examples of _____: Resource-unbound containers Over-permissive request quota set on APIs

Inadequate ‘compute’ resource quota limits

The following are examples of _____: No container or host process activity monitoring No network communications monitoring among microservices No resource consumption monitoring to ensure availability of critical resources Lack of monitoring on orchestration configuration propagation and stale configs

Ineffective logging & monitoring (e.g. runtime activity)

What identifies code quality issues by reviewing the source code for the app?

Static testing

Does dynamic testing identify code quality/business logic flaws?

Does black box testing allow access to code?

What does STRIDE stand for?

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege

STRIDE focuses on:

Modeling threats to systems

Involves a hacker pretending to be another person with the intention of theft of important data or gaining access to highly encrypted portals.

Spoofing

Involves the attacker or hacker manipulating, removing, or modifying important data to attack a system or network.

Tampering

Involves a bad actor attacking the system without accepting their involvement in such malicious activity.

Repudiation

Refers to the unauthorized release of confidential information.

Information Disclosure

Aims to overload and disrupt the normal functioning of a targeted system by overwhelming it with excessive traffic and can occur at both application and network layers.

Denial of Service - mitigated by firewalls

Occurs when an unprivileged or unauthorized attacker gains access by getting through every defense mechanism against such access and is done by exploiting vulns and misconfigs.

Elevation of Privilege

Tampering is an attack on _____.

Integrity

What is a form of a spoofing attack that hackers use to intercept data. This attack is committed by tricking one device into sending messages to the hacker instead of the intended recipient.

ARP spoofing (Address resolution protocol)

Attackers hijack a DNS server configured to return a malicious IP address and then gain control over the DNS resolution process to manipulate the responses to redirect users to malicious sites.

DNS compromise

API gateways focus on:

Service discovery and API security

OTP is:

one-time password

ASVS sets standards for:

Application validation and security testing.

During which phase does IAST occur?

Testing

What could help prevent staff from reusing passwords or ones that are easily guessed?

Using automated creation tools

What is commonly used to enable identity federation?

SAML

What is a community-driven effort to establish a framework of security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.

ASVS

What are two goals of ASVS?

- to help organizations develop and maintain secure applications - to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.

What level of ASVS requires the application to adequately defend against application security vulnerabilities that are easy to discover and included in the OWASP Top 10 and other similar checklists”.

Level 1

What level of ASVS requires apps to adequately defend against most of the risks associated with software today” by having security controls in place, effective and used within the application.

Level 2

What level of ASVS requires application to adequately defend against advanced application of security vulnerabilities and also demonstrate principles of good security design, as well as be meaningfully modularized with multiple layers of security and controls to ensure confidentiality, integrity, availability, authentication, authorization, non-repudiation and auditing.

Level 3

Supplies user IDs, authenticates them, and then provides a token or validation to confirm the user's identity.

3rd party identity provider

T/F: You don't gather user requirements or feedback from documentation.

True

When should regulatory requirements be introduced in the SDLC?

Requirements gathering

What kind of testing provides full access to the system?

White box

What do API gateways do?

1. Aggregate API access 2. Authenticate API use 3. Rate limit 4. Provide stats and data on usage

What refers to the number of API calls the client (API consumer) is able to make in a second?

Rate limiting

What decouples software components?

API proxies

What checks code for many kinds of vulnerabilities and compliance with the organization’s coding standards?

Static analysis

What tests can addres: -functional specifications/requirements -negative tests (testing what software should not do) -denial of service -overload attempts -input boundary analysis -input combinations

Black box

What's used as a metric to assess the degree of trust you should put in a web app?

ASVS

What's used as guidance to help developers build in security controls and during procurement to specify app security requirements?

ASVS

OWASP Top 10 is ________ and SANS Top 25 is __________.

Cloud specific / General software errors

What's used to ensure only authorized users access APIs?

API keys

Cloud software development often relies on loosely coupled services. Makes designing for and meeting performance goals more complex, as multiple components may interact in unexpected ways. Verify through end to end load and stress testing

performance pitfall of app security

One of the key features of the cloud is the ability to scale allowing applications and services to grow and shrink as demand fluctuates. This requires developers to think about how to retain state across instances and handle faults with individual servers. Also, scale out is better than scale up in the cloud.

scalability pitfall of app security

Is the ability to work across platforms, services, or systems and can be very important, especially multi vendor and multi cloud scenarios. Interoperability across platforms increases service provider choice and can reduce costs

interoperability pitfall of app security

Designing software that can move between on premises and cloud environments or between cloud providers makes it portable. Portability in a hybrid scenario requires avoiding use of certain environment and provider specific APIs and tools. The additional effort can make it harder to leverage some cloud advantages, and may require compromises

portability pitfall of app security

Application programming interfaces (APIs), are relied on throughout cloud application design, development, and operation. Designing APIs to work well with cloud architectures while remaining secure are both common challenges for developers and architects.

api security pitfall of app security

Access control Data encryption Throttling Rate limiting Are all _____ security considerations.

API

Data breaches Data integrity Insecure application programming interfaces (APIs) Denial of Service

common cloud vulnerabilities

_____ capture what the organization needs its information systems to do.

Business requirements

_____ detail what the solution must do, such as supporting up as max concurrent user requirements.

Functional requirements

Pretty cute, mmmm. SDLC

Planning, requirements, **design, coding, testing, maintenance**

Considers potential development work, focusing on determining need, feasibility, and cost.

Planning

Once an effort has been deemed feasible, user and business functionality requirements are captured. Involves user, customer and stakeholder input to determine desired functionality, current system or app functionality, and desired improvements.

Requirements definition

Functionality, architecture, integration points and techniques, data flows, and business processes.

Design

Ongoing maintenance updates, patching, and checks to ensure software remains functional and secure

Maintain

Places an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.

agile

Describes a sequential development process that results in the development of a finished product.

waterfall

Individuals and interactions over ____ Working software over ____ Customer collaboration over ____ Responding to change over ____

processes and tools comprehensive documentation contract negotiation following a plan

Allows security practitioners to identify potential threats and security vulnerabilities. Can be proactive or reactive , but in either case, goal is to eliminate or reduce threats

threat modeling

Focused on Assets - using asset valuation Focused on Attackers Focused on Software

3 approaches to threat modeling

Which threat modeling method focuses on developing countermeasures based on asset value?

PASTA

Stage I: Definition of Objectives Stage II: Definition of Technical Scope Stage III: App Decomposition & Analysis Stage IV: Threat Analysis Stage V:Weakness & Vulnerability Analysis Stage VI: Attack Modeling & Simulation Stage VII: Risk Analysis & Management

PASTA

What "threat model" is actually not a threat model and can be used with other threat models?

ATASM - A series of process steps for performing threat modeling

The practice of designing systems and software to avoid security risks. Essentially a proactive risk mitigation practice Standards and organizations exist that work to mature these practices

secure coding

Base finding, environmental, and attack surface

CWSS scores- thru MITRE

Improper input handling. Used to compromise web front-end and backend databases. Use unexpected input to a web application to gain unauthorized access to an underlying database.

Injection (SQL) attacks - prevented w/ good code practices, input validation, prepared statements, and limiting account privileges

Attackers use to exploit poorly written software. Exists when a developer does not validate user input to ensure that it is of an appropriate size (allows Input that is too large can “overflow” memory buffer).

Buffer overflow - prevent with input validation

If an attacker is able to gain access to restricted directories through HTTP, it is known as a _____. Performed easily by using command injection attack, and could get to root directory.

directory traversal attack - secure by running scanner and keeping web server software patched

Firewalls, routers, intrusion prevention (IDPS), SIEM, disable broadcast packets entering/leaving, disable echo replies, patching are countermeasures for _____.

DoS

A condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events.

Race conditions

A timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Problem occurs when the state of the resource changes between the time of the check and the time it is actually used

Time-of-check-to-time-of-use TICTOU

First published “Fundamental Practices for Secure Software Development ”. Informed by existing models, including OWASP, CVE, CWE and the Microsoft SDL. Designed to help software industry adopt and use these best practices effectively

SAFECode

This is where source code and related artifacts (such as libraries) are stored

code repositories

✓ Do not commit sensitive information ✓ Protect access to ✓ Sign your work ✓ Keep your development tools (IDE) up-to-date

how to handle source code securely

_____ is an important component of configuration management. It is a _____of a system or application at a given point in time and should also create _____ that may be used to help understand system configuration, system and component level versioning.

Baselining snapshot artifacts

An emerging strategy and standard in tracking software versions is _____. It lists all of the components in an application or service, including open source or proprietary code libraries.

software bill of materials (SBOM)

App dev phases. DTSP

Development, testing, staging (QA), production

Determines if software meets functionality requirements defined earlier in the SSDLC. Includes integration, regression, and user acceptance.

Functional testing

Focuses on the quality of the software, looks at software qualities like stability and performance, methods include load, stress, recovery, and volume tests

Non functional testing

Define a system or its component and specifies what it must do. Captured in use cases, defined at a component level. EXAMPLE: application forms must protect against injection attacks.

functional security requirements

Specify the system’s quality, characteristics, or attributes. Apply to the whole system (system level). EXAMPLE: security certifications

non functional security requirements

Analysis of computer software performed without actually executing programs. Tester has access to the underlying framework, design, and implementation.

static application security testing - inside out testing - requires source code

A program which communicates with a web application (executes the application). Tester has no knowledge of the technologies or frameworks that the application is built on. No source code required.

Dynamic app security testing - outside in testing

Analyzes code for vulnerabilities while it's being used. Focuses on real time reporting to optimize testing and analysis process. Analyzes the internal functions of the application while it is running.

IAST - interactive app security testing

Is used to track the components of a software package or application. Is of special concern for apps built with open-source software components. Because open-source components often involve reusable code libraries. These tools identify flaws/vulnerabilities in these included components, ensures latest versions are in use, etc.

Software Composition Analysis

_____ is responsible for ensuring that the code delivered to the customer through the cloud environment is quality code, defect free, and secure.

Should be involved in many testing activities, such as load, performance and stress testing, as well as vulnerability management.

This is a standard communication protocol system that uses XML technologies

SOAP

This is an architectural model that uses HTTPS for web communications to offer API endpoints

REST

On Site Assessment Document Exchange and Review Process/Policy Review Third party Audit .

Supply chain evaluation

– Where in the cloud is the software running? Is this on a well known CSP, or does the provider use their own cloud service? – Is the data encrypted at rest and in transit, and what encryption technology is used? – How is access management handled? – What event logging can you receive? – What auditing options exist?

things a third party software assessment includes

One in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation. There is no vendor support, so you might pay a third party to support in a production environment.

opens source

More expensive but tend to provide more/better protection and more functionality and support (at a cost). Many vendors in this space, including Cisco, Checkpoint, Pal Alto, Barracuda. But “no source code access”

proprietary

- Sandbox testing - Vulnerability scans - Third party verifications

Testing to validate open source software

Protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Often include OWASP core rule sets (CRS).

web app firewall

xml firewall

Combines network data and database audit info in real time to analyze database activity for unwanted, anomalous, or unexpected behavior. Monitors application activity, privileged access, and detects attacks through behavioral analysis.

database activity monitoring (dam)

Monitors traffic to your application services, exposed as API endpoints. Provides authentication and key validation services that control API access.

api gateway

Cost Need for segmentation - filter traffic b/w VNs and the internet Open systems interconnection (osi) layers - network firewall works on layer 3 - stateful packet on 3/4 - waf works on layer 7

firewall considerations

Places the systems or code into an isolated, secured environment where testing can be performed. These architectures often create independent, ephemeral environments for testing. Enables patch and test and ensures a system is secure before putting it into a production environment. Also facilitates investigating dangerous malware and provide an environment for evaluating the security of code without impacting other systems.

sandboxing

A container orchestration platform for scheduling and automating the deployment, management, and scaling of containerized applications.

Kubernetes

Allows the automation of workflows, management of accounts in addition to the deployment of cloud and containerized applications. Implements automation in a way that manages cost and enforces corporate policy in and across clouds.

orchestration

Creates, maintains, and manages identity information while providing authentication services to applications.

identity providers - Azure AD for O365