Domain 4: Application Security Flashcards
API - 2 types
REST - Representational State Transfer:
Allows caching, for performance and scalability.
HTTP, JSON, XML
SOAP - Simple Object Access Protocol
Structured format. Only XML formatted data, no caching, lower performance, no scalability
HTTP, FTP
Cloud environment challenges
Modern programming languages and development methodologies
OWASP Top 10
A1 - Broken Access Control
A2 - Cryptographic Failure
A3 - Injection
A4 - Insecure Design
A5 - Security Misconfiguration
A6 - Vulnerable and Outdated Components
A7 - Identification and Authentication Failures
A8 - Software and Data Integrity Failures
A9 - Security Logging and Monitoring Failures
A10 - Server Side Request Forgery (SSRF)
Function Testing
Test against a particular function or component of a system or application
Dynamic Application Security Testing (DAST)
- Black box
- Run against live systems
Runtime Application Self-Protection (RASP)
Runs on systems that have the ability to tune and focus their security measures based on actual environment variables and the particular attack methods being used against them.
Static Application Security Testing (SAST)
- White box - access to source code
- Code is tested offline and not against production systems
- Particularly good for catching programming errors and vulnerabilities
Approved APIs
Ensure they undergo evaluation and security testing
Ensure TLS or SSL encryption is used properly and meets guidelines.
Software Development Lifecycle SDLC
- Requirements Gathering and Feasibility
- Requirements Analysis
- Design
- Development and Coding
- Testing
- Maintenance
STRIDE
- Spoofing Identity
- Tampering with Data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privileges
DREAD
- Damage Potential
- Reproducibility
- Exploitability
- Affected Users
- Discoverability
Web Application Firewall
Appliance or plug-in that parses and filters HTTP traffic from a browser or client and applies a set of rules before the traffic is allowed to proceed to the actual application server
XML Appliances
- used to specifically consume, manipulate, accelerate or secure XML transactions and transaction data.
- used to broker communications between cloud services and enterprise applications.
- XML firewall: used to validate XML traffic before it reaches the actual application
- XML accelerator: designed to offload the processing of XML from the actual application and systems
Federated Identity
Each organization maintains its own identity and verification systems, which are unique and separate from those of the other organizations and contain only its own population of users and information.
Two main components
- Identity Provider (IdP): holds authentication mechanism for its users to prove their identity to the system
- Relying Party (RP): takes the assertions provided by the IdP and uses them to determine whether to grant access to a secure application and what type of access is granted.
SAML
- XML based.
- used to exchange information used in the authentication and authorization process between parties.
- used for information exchange between identity providers and service providers; the XML block contains the required information that each system needs or provides