Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Certified Cloud Security Professional > Domain 4 - Cloud Application Security > Flashcards

Domain 4 - Cloud Application Security Flashcards

1
Q

What are the essential components of a security culture per SAFECode?

A
  1. Executive support and engagement
  2. Program design and implementation
  3. Program sustainment and measurement.
  4. Training and awareness are important steps in developing a security culture.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How does an organization build a security conscious culture?

A
  1. Secure by design - security is part of every step; not a bolt-on
  2. Shared security responsibility - security is everyone’s job from most junior to senior management
  3. Security as a business objective - security is not something in addition to what we do; secure computing is what we do!
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are pitfalls associated with developing a security conscious culture?

A
  • Lack of exec support (no budgets for security staffing/programs)
  • Failing to understand organizational culture - security program must be tailored to the org’s unique culture
  • Staffing - insufficient security staff who are spread across multiple projects
  • Framework for SDLC - lack of a well defined process
  • Budget constraints leading to training cuts.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the top 11 threats to cloud computing according to the CSA?

A
  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient id, credential, access and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak Control Plane
  9. Metastructure and Applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and Nefarious use of cloud services.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the top 10 OWASP identified threats in web application security?

A
  1. Injection flaws (SQL, NoSQL, OS, and LDAP) - allows attacker to run malicious commands and access data
  2. Broken authentication- leads to compromise of passwords, keys and tokens
  3. Sensitive data exposure - due to insecure protocols and lack of encryption
  4. XML external entities - remote code execution?
  5. Broken access controls - poor practices allow authN users to view unauthorized sensitive data.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the steps in a SW Development Life Cycle?

A
  1. Requirements
  2. Design
  3. Development
  4. Testing
  5. Deployment - includes specifying standard configs.
  6. Operations & Maintenance
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Per NIST Secure SW Development Framework, what the components of a SSDLC?

A
  1. Prepare the organization - people, processes and technologies
  2. Protect the SW - protection from tampering and unauthorized access
  3. Produce well-secure SW - minimum vulnerabilities
  4. Respond to vulnerabilities - including preventing them in future releases.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What does the OWASP say about Software Assurance Maturity Model (SAMM)?

A
  1. Assess current security posture
  2. Define a strategy (security target)
  3. Implement a roadmap
  4. Offer prescriptive advice on activity implementation.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

CSA Security Issue: Data Breach- How can this be mitigated using SSDLC?

A
  • Requirements: identify data to be protected and users that need access; involve a security architect
  • Design & Development: use of encryption; AuthZ/N
  • Testing: traditional test, pen tests and vulnerability scans
  • Deployment: secure by default; monitor and alert changes in config; monitor for new risks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

CSA Security Issue: Misconfig/Change Control- How can this be mitigated using SSDLC?

A
  • Default deployment configuration must be secure
  • Monitor changes and alert
  • Continuous monitoring (e.g. via AWS Config)
  • Effective Change Control involving security experts on the CC committee.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What security vulnerabilities arise during deployment phase of services?

A
  • Data storage and transmission (unencrypted)
  • Excessive permissions
  • Default credentials and settings
  • Standard security controls being disabled.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

CSA Security Issue: Lack of cloud security architecture/strategy - How can this be mitigated using SSDLC?

A
  • Cloud Adoption framework
  • Security focused architecture

These controls precede SSDLC - having this in place first enables SSDLC to deliver to those requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

CSA Security Issue: Insufficient ID, Credentials, Access and Key Management - How can this be mitigated using SSDLC?

A
  • Concerns: Scalable IAM, use of MFA, protection/rotation of crypto keys, password policy enforcement, credential protection etc.
  • Requirements phase: MFA, strong passwd, etc. should be part of the requirements
  • Design/Dev/Test - implementation and testing of these safeguards
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How does the role of QA change in the cloud?

A

Traditional QA was the testing phase separate from development.

Modern QA is embedded in the DevSecOps team. QA occurs at each phase of the SSDLC.

Testing involves both functional and security testing; load test, performance test, stress test, and vuln. mgmt.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is STRIDE?

A

STRIDE is a model for identifying computer security threats. The six threat categories are:

  1. Spoofing (Authenticity)
  2. Tampering (Integrity)
  3. Repudiation (Non-repudiability)
  4. Information disclosure (Confidentiality)
  5. Denial of Service (Availability)
  6. Elevation of privilege (Authorization)

The STRIDE model can be used to define security requirements as SSDLC progresses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the phases in threat modeling?

A

These steps are refined through each of the 5 phases of the SSDLC:

  1. Define security requirements - precise definitions helps
  2. Create application overview - review application architecture, characteristics and users to identify relevant threats
  3. Identify threats
  4. Mitigate threats - identify controls that mitigate threats
  5. Validate threat mitigation - monitor and review controls to ensure they lower risk below acceptable threshold.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is Software Configuration Management and why is it important?

A
  • The role of SCM is to manage SW assets.
  • It makes rolling back changes possible.
  • Versioning can keep track of different releases for different markets.
  • SCM can provide artifacts that prove processes are followed
  • Done via a Config Management Database (CMDB)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is SAST?

A

Static Application Security Testing aka White-box testing.
Reviewing source code for vulnerabilities; static scanning of source code.
Access to source code is needed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is DAST?

A
  • Dynamic Application Security Testing aka Black-box testing.
  • DAST is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
  • No access to source code; hence vulnerabilities are detected via actual attacks.
20
Q

What is IAST?

A 
Interactive Application Security Testing - a combo of white and black box testing.
Used in integration and pen testing. 
Newer and better than SAST and DAST. 
Uses an agent in the application. 
Analyzes code and runtime behavior
21
Q

What is RASP?

A

Runtime Application Self-protection
Security tool that runs on the same server as the application.
Intercepts all requests to/from application and validates them.
Additional layer of security.

22
Q

What is SW Assurance and Validation?

A

SW Assurance defines the level to which SW is free from vulnerabilities. Confidence level in the absence of errors.

  • Done via a) Functional testing and b) Security Testing.
23
Q

In SW Assurance/Validation what is the role of Functional Testing?

A
  • Assures that SW meets functional requirements.
  • Unit test -> Integration test -> Usability Test -> Functional testing.
  • Multiple lanes -e.g. Dev, Test, Stage, Prod
  • Functional testing is done in Testing/Staging envs.
  • Functional Testing must be realistic
  • FT must pass acceptance - i.e. demonstrate that it meets all requirements.
  • FT must be free of (major) bugs.
  • Bugs may be fixed; requires regression testing.
24
Q

In SW Assurance/Validation what is the role of Security Testing?

A
  • Assures that security strategy, architecture and requirements are met.
  • Done via White-box, black-box and grey-box testing.
  • SAST, DAST, and IAST.
  • Use of RASP for additional layer of security.
25
Q

What are the key steps in using verified secure software?

A
  • Approved API: Use only approved API configurations and automate monitoring of those configs. Develop approved configuration and enforce its use via policies.
  • Supply Chain Management - address operational and security requirements in contracts with vendors; secure supply chain management SW in the cloud
  • 3P SW Mgmt: security language in contract; review SOC reports, pen test, vuln scans; assess org’s security maturity; address fourth party risks
  • Validate Open Source SW - use only well known OSS packages; Use SAST/IAST in testing
26
Q

What are the unique characteristics of cloud architectures?

A
  • Microservices, orchestration using K8s
  • API front ends (RESTful, stateless)
  • Lend themselves to DevOps and CI/CD processes
  • Serverless and event-driven architectures
27
Q

What is a WAF?

A

Web Application Firewall

  • Analyzes HTTP GET/POST requests for specific signatures
  • Prevents XSS, SQL injection and other attack
  • Different from an Intrusion Detection System
28
Q

What are DAM tools?

A

Database Activity Monitoring tools

  • DB security technology that monitors and analyzes DB activity; like a firewall specifically for Databases
  • Separate from native DB audit and logging tools.
  • Combines network-based monitor with native DB audit logs
  • Monitors privileged user activity.
  • Assists in compliance (e.g. PCI/DSS, HIPAA, etc.)
  • Detective tools used for incident detection.
29
Q

What is XML?

A

Extensible Markup Language

  • Provides a standard way for applications to exchange data.
  • XML formatted data can be carried in any protocol e.g. HTTP/HTTPS.
30
Q

What is an XML Firewall?

A
  • Firewalls that work at the application layer
  • Protects XML-based APIs and applications by standing in front and inspecting traffic.
  • Can implement complex security rules through XSLT (Extensible Stylesheet Language Transformation).
31
Q

What do API Gateways do?

A
  • API gateways allow traffic to application backend services.
  • Features include rate limiting, access logging, authZ (key validation) and authN
  • Ensures confidentiality of data
32
Q

What are supplementary security components that cloud-based applications can use?

A
  • WAF
  • DAM
  • XML Firewalls
  • API Gateways.
33
Q

What are the important components of cryptography in the cloud?

A
  • Encrypting data at rest
  • Encrypting data in motion (TLS, VPN)
  • Key Management (for sensitive data, may be best to separate managing encrypted data from managing encryption keys - e.g. using a third party).
34
Q

What is a sandbox?

A

An isolated environment to develop and test code safely.
May have Limited functionality/connectivity
Temporary environment

35
Q

How can application virtualization be achieved?

A

Normally through containerization.
- Containers can be used to run corporate applications separately from user application in a BYOD model.
Risk: containerization SW (e.g. K8s) must be kept up to date.

36
Q

What are the key ways to develop secure cloud-applications using cloud-specific techniques?

A
  • Use of microservices/API front ends
  • Leveraging supplementary security services (e.g. WAF, DAM, XML FWs and API GWs)
  • Using cryptography
  • Sandboxing (for dev and test)
  • Application virtualization to provide separate/isolated environments for corporate applications
37
Q

What is OAuth2.0?

A

Open Authorization - standard allows web apps to access resources hosted by other web apps on behalf of an user.

  • NOT an authentication protocol.
  • Uses access tokens (normally JWT) instead of user credentials
  • Multiple roles - Resource Owner, Client, Authorization Server, and Resource Server.

If the client requests access to resources controlled by the Owner and hosted by the resource server, instead of using the Owner’s credentials to access protected resources, the client gets an access token.

38
Q

What is SAML?

A

Security Assertion Markup Language (SAML).

  • Allows access to multiple websites using one set of login creds. So, unlike OAuth2 - it is an authN protocol.
  • Authentication information passed between identity provider (Google, FB, Apple) and service provider (web application).
  • Service providers don’t need to store username/pwd info.
  • Users only sign in once.
  • Identity provider and service provider have a trusted relationship.
  • Identity providers have economies of scale to invest in fortifying their servers.
39
Q

What is LDAP?

A

Lightweight Directory Access Protocol
Used to access directories which store user authentication information.
LDAP is a vendor-neutral protocol - can be used with multiple directories. Most common is MSFT’s Active Directory.
LDAP and AD are NOT the same thing.

40
Q

What is Kerberos?

A

Network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users’ identities

  • Three roles: Server, Client and Key Distribution Center
  • KDC is the trusted 3rd party.
41
Q

What is identity federation?

What are risks associated with identity federation?

A

ID federation is where a single digital identity is used to access multiple system. The systems can be across organizations.

Federation extends SSO across multiple IAM systems.

Main risk:

  • if the identity is compromised, all federated systems are compromised.
  • Trust level may not be the same across all systems/organizations.
42
Q

What is a CASB?

A

Cloud Access Security Broker

  • SW (on -prem or cloud-based) between cloud users and cloud services/applications and monitors all activity and enforces security policies.
  • Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on
  • CASBs that deliver security must be in the path of data access, between the user and the cloud provider. Architecturally, this might be achieved with proxy agents on each end-point device
  • Agentless CASBs are also available. Better for BYOD use cases.
  • Not meant to replace firewalls, IDS/IPS.
43
Q

What are the pros and cons of single sign on?

A
  • Only one set of credentials to monitor and safeguard.
  • If compromised, can be changed easily
  • Multiple credentials - risk is that users reuse passwords.
  • However, if compromised, all systems using it are affected.
44
Q

What are the key elements of designing an appropriate IAM solution?

A
  • Using federated identity
  • Use Identity providers for multi-cloud
  • Using SSO
  • Using MFA
  • Using CASB
45
Q

Overall summary: Cloud Application Security

A
  1. Training and Awareness for Application Security
    • Basic, common pitfalls, vulnerabilities (CSA and OWASP)
  2. Secure SDLC
    * NIST 4 Step proces
  3. Secure SDLC
    * Avoid common vuln
    * Be aware of Cloud specific risks (CSA Egg-11, OWASP 10)
    * Quality Assurance
    * Threat Modeling
    * SW Config Mgmt and Versioning
  4. Cloud Software Assurance
    * Functional testing
    * Security testing methodology (SAST/DAST/IAST)
  5. Use verified secure SW
    * Approved APIs
    * Supply chain mgmt
    * 3P SW Mgmt
    * Validate OSS
  6. Comprehend specifics of cloud architecture
    * Microservices/containers
    * Supplementary Security (WAF, DAM, XMLFW, API GW)
    * Cryptography
    * Sandboxing
    * Application virtualization and Orchestration
  7. Design appropriate IAM
    * Federation, IdProviders, SSO, MFA, CASB
46
Q

What is OIDC?

A

OIDC = Open ID Connect

OpenID is a an authN protocol that extends OAuth.
OID & SAML are both AuthN protocols.
SAML uses XML.
OID is based on REST/JSON.

47
Q

What are the various components of the web application testing that OWASP recommends?

A
  1. Information Gathering
  2. Config and Deployment Management testing
  3. Identity Management Testing
  4. Authentication Testing
  5. Authorization Testing
  6. Session Management Testing
  7. Input Validation Testing
  8. Error Handling
  9. Weak Cryptography
  10. Business Logic Testing
  11. Client Side Testing
  12. API Testing

Certified Cloud Security Professional (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions