Domain 4: Cloud Application Security Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 65). Wiley. Flashcards

Question

Ian wants to use a cloud-specific list of application issues. Which of the following options should he choose? A. The OWASP Top 10 B. The NIST Dirty Dozen C. The SANS Top 25 D. The MITRE ATT&CK-RS Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 70). Wiley. Kindle Edition.

Answer 1

A. The OWASP Top 10 Explanation: The OWASP Top 10 is a cloud specific list whereas the SANS top 25 describes software errors in general. The NIST Dirty Dozen and the MITRE ATT&CK RS were made up for this question

Answer 2

D. Major.minor.patch Explanationn: Major.minor.patch is a common format for versioning. While there is no industry standard, having the versioning numbers is an order of scale is a common practice

Answer 3

B. SBOM Explanation: A software bill of materials (SBOM) is a listing of all the components of a software package or program, and it is considered increasingly important as part of a software security program

Answer 4

B. A WAF Explanation: Web application firewalls (WAFs) typically have built in protection against common attacks like SQL injection. Valerie should choose a WAF to protect against both the SQL injection shes aware of and other common attacks against web applications

Answer 5

B. Containers Explanation: Containers allow applications to be moved easily because they contain the dependencies and components the application needs without requiring a complete OS to be packaged with them. Packages are software components, and virtual machines run on hypervisors

Answer 6

B. SSO Explanation: Charles is suing a SSO technology to allow him to log in once and use many systems, SAML and OpenID Connect are used for federation, while OTP is a one time password

Answer 7

A. API keys Explanation: Henrys organization should use API keys to ensure that only authorized users are able to use APIs that they expose for customer use

Answer 8

A. The license term Explanation: Nancy knows that she should keep track of the license term, or how long the license is valid for, so that the software does not disable itself when the license or contract expires. The cost, whether the terms can be disclosed and if there is a third party software involved are less likely to be the cause of service interruptions

Answer 9

B. FIPS 140-2 Explanation: FIPS 140-2, a Federal information Processing Standard, defines the requirements for cryptographic systems and its only the currently valid cryptographic standard listed here.

Answer 10

C. Use dynamic secrets. Explanation: Using dynamic secrets - secrets that are generated and used as they are needed -- allows for granular auditing of uses because each secret is created as needed and thus their specific usage can be reviewed as needed. Shared accounts dont allow auditing because actions cannot be provably linked to individual users

Answer 11

D. Security Explanation: Testing the performance and security of software and security of software is expected in the testing phase of the SDLC. The version complexity and size of the code are not commonly tested elements

Answer 12

A. KMS Explanation: Chris should look for a key management service (KMS). KMSs allow creation, storage, management and auditing of keys. A PKI is a public key infrastructure, a CA is a certification of authority

Answer 13

C. A containerization platform Explanation: Docker is a containerization tool

Answer 14

D. The vendor is responsible for the environment. Explanation: Yasmine knows that in a SaaS environment the vendor is responsible for the applications, data storage, runtime and middleware, OS and servers, storage and networking Yasmines company will be responsible for how they operate the software, who they provide access to and what rights they provide to their users, as well as ensuring that her data is safe and secure

Answer 15

B. A username, password, and app-generated code on a phone Explanation: MFA relies on using two different types of factors: something you know, like a password or a PIN; something you have like a hardware token or application generated PIN; or something you are, such as a biometric identifier. Jason knows that a password and an app generated PIN counts as using multiple factors

Answer 16

C. Git Explanation: Git provides version management as part of its capabilities. Jenkins is a CI/CD tool used for continuous integration. Puppet and Chef are both infrastructure automation tools

Answer 17

A. Federated identity Explanation: Ramons organizations is using Azures federation capability to leverage their existing on site credentials in the cloud. Structured, shared and constrained identity were made up

Answer 18

D. Software inventory Explanation: Having a complete software inventory allows organization like Gretchens to ensure that they are aware of their software license compliances, terms and conditions as well as their license expiration dates. While only using open source software might seem like an easy solution, there are multiple open source software licenses that have different requirements, making a software inventory necessary. Using only commercial software doesnt simplify the requirement and software versioning is important but would be part of a complete inventory

Answer 19

A. DREAD Explanation: DREAD has been replaced with STRIDE by Microsoft

Answer 20

A. To control usage-based costs Explanation: CASBs are often used to control usage based on roles and rights, but they arent used to monitor based on costs in the cloud service itself - instead, cost limiting rules are often used in the cloud services themselves. They are also used to limit the potential for sensitive data loss and to detect anomalous usage patterns

Answer 21

C. Sandboxing Explanation: Kathleen knows that sandboxing, or creating a secure and isolated environment, is commonly used for malicious software testing.

Answer 22

A. Encryption Explanation: Using the CASBs to enforce encryption between an onpremises location and cloud providers will provide the most effective protection against third parties seeing the data in transit. Tokenization and masking help protect data while it is being accessed but do not prevent it from being exposed in transit.

Answer 23

A. The host kernel for the operating system Explanation: Containers contain elements of the OS, but share the hosts kernel. They also contain libraries, configuration files and the application files or binaries themselves.

Answer 24

A. Unique, random, and non-guessable Explanation: API keys should be unique, random and non guessable, to ensure that attackers cannot guess or otherwise identify them

Answer 25

C. Identity and service Explanation: Ian can filter based on user identity and the service the users are attempting to use to most effectively filter service usage by role.

Answer 26

A. Attacks Explanation: ATASM considers architecture, threats, attack surfaces (not attacks) and mitigation

Answer 27

A. Dynamic Explanation: Testing done against running code is called dynamic testing

Answer 28

D. Hypertext Transfer Protocol (HTTP) Explanation: WAFs focus on web traffic and thus typically scan HTTP traffic rather than BGP, ICMP or SMTP traffic

Answer 29

B. Design Explanation: The Design phase allows Henry to include security design elements that will help ensure that his application is secure. The Requirements phase should include the need for security but wont specify how it will be accomplished, and deployment and maintenance are too late as the architecture has already been designed and implemented

Answer 30

C. Running malware for analysis purposes Explanation: A sandbox can be used to run malware for analysis purposes as it won't affect (or infect) the production environment; it's worth nothing, though, that some malware is sandbox aware, so additional antimalware measures are advisable. Optimizing production by moving tasks isn't a typical use for a sandbox, remote secure access systems are called jumpboxes, and subnets are created using network configurations.

Answer 31

B. Use containers configured for the application to host the application. Explanation: Containerization best meets the platform agnostic approach that matches Valeries requirements. While serverless is powerful, moving between native serverless platforms typically requires building to each providers requirements.

Answer 32

D. A DAM Explanation: A Database Activity Monitor (DAM) solution provides database activity monitoring that includes privileged account usage logging and monitoring in addition to other security and monitoring features

Answer 33

D. Require authentication and set throttling limits and quotas Explanation: Requiring authentication and setting throttling limits and quotas help to prevent DoS attacks on APIs.

Answer 34

C. Testing software before putting it into production Explanation: Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment to determine whether there will be any interoperability problems when it is installed into actual production

Answer 35

C. FIPS 140-2 Explanation: GIPS 140-2 is a US government standard that specifies the security requirements for cryptographic modules

Answer 36

B. Rotate secrets Explanation: Rotating secrets limits the blast radius of exposed or compromised secrets. Extending their lifecycle does the opposite.

Answer 37

B. Functional testing Explanation: Olivia is conducting functional testing that seeks to test whether software meets business requirements. This does not specify a load or stress test scenario.

Answer 38

C. SMS factors Explanation: SMS Factors are considered the least secure of these options because of SIM Swapping and VoIP based attacks on SMS messages

Answer 39

C. Use manual security testing of the source code Explanation: Review of the source code is static testing and does not meet Bens needs. The other answers all include dynamic testing options

Answer 40

B. Use a CAPTCHA before allowing user actions Explanation: CAPTCHA based security systems help to reduce the impact of bots by requriing human interaction. While there are ways to work around CAPTCHAs, Yariv knows that they require additional work from attackers and will help reduce the overall load from bots

Answer 41

D. Google is the identity provider Explanation: When Emily logs in using her Google credentials, Google acts as the identity provider and tells the third party service provider that she has logged in using her user ID and passwords successfully.

Answer 42

D. Randomizing customer data Explanation: Not all programs (or organizations) will require database access, or even use databases. and hashing is not a common requirement since the data will not be readable. Encryption at rest and in transit, as well as data masking, are all commonly employed to protect sensitive

Answer 43

C. An XML firewall Explanation: SAML is an XML based protocol, and Kristen knows that an XML firewall that is SAML aware with appropriate rules for identity based protection would be her best option. IDS systems cannot rate limit even if they are SAML aware. WAFs are designed for web applications rather than specifically for XML and SAML based filtering, and a DAM is a database specific tool

Answer 44

D. Makes end-user credential management easier Explanation: Using SSO does not prevent the use of MFA. In fact, it often makes it easier since organizations can centralize their use of MFA

Answer 45

D. Source code Explanation: Static testing reviews source code. Dynamic testing would test outcomes and performance

Answer 46

B. Biometric readers Explanation: Biometric readers are the least likely secondary factor to be supported by cloud vendors. Hardware and software tokens as well as SMS factors are commonly supported by cloud providers.

Answer 47

D. Requirements Gathering Explanation: Once planning is done, organizations typically move into the Requirements Gathering phase to ensure that they know what the software they will build will do. Design, Build, Test, Deploy and Maintain are common follow up phases.

Answer 48

B. The outcome of each phase serves as the input to the next phase. Explanation: Waterfall phases each serve as the input for the next phase and move only in one direction

Answer 49

B. Design Explanation: Requirements are typically mapped to the software in the Design phase. Requirements will be created in the Define phase, validated in the Test Phase, and of course the software will be run in production in the Operations phase.

Answer 50

D. Nonfunctional testing Explanation: Nonfunctional testing seeks to test to meet customer expectations and performance requirements, including how software behaves under abnormal conditions. Black box, or zero knowledge, testing attempts to replicate an attackers experience; white box, or full knowledge, testing provides complete insight into an environment or tool, including access to source code and documentation, and functional testing is conducted based on business requirements

Answer 51

D. Review the licenses for each component to ensure they are in compliance. Explanation: Since there are a number of different open source licenses, Gabriel's best bet is to ensure that his organization reviews the licenses that apply to each software package or component they use. This can be complex and time consuming, and organizations often limit the licenses they are willing to accept to reduce this burden

Answer 52

B. Malware Explanation: Injection, distributed DoS, cross site scripting, on path and credential stuffing attacks are all commonly aimed at APIs. Malware attacks, however are not a common API threat

Answer 53

B. Handling errors in a secure and graceful way Explanation: The SAFECode fundamental practices note that errors should be handled in a secure and graceful way. It recommends against providing too much information in errors and that unanticipated errors should be flagged to both users and admins but with different levels of information appropriate to each group

Answer 54

C. Jason should use a commercial certificate authority. Explanation: Jason should use a commercial certificate authority for any certificate used in production. This allows users to validate the certificate and the certificate chain to ensure trust

Answer 55

B. The cryptographic signature Explanation: A signature ensures that the file is both the correct file and that it has not been changed, and validates that it was provided by the signer. An SHA2 hash is the second best option, although attackers might modify the hash on the site or modify the file before it is hashed. File size and version number are the least useful options

Answer 56

A. IAST Explanation: Interactive application security testing (IAST) uses software instrumentation to validate performance and function and is typically conducted during the QA/Test phase of the SDLC. SCA or software composition analysis reviews the components that make up an application. Interactive and structured DST were made up for this question

Answer 57

A. Ensuring encryption algorithms cannot be changed easily Explanation: Changing encryption algorithms if a problem is found with one that is currently in use is actually a best practice that SAFECode recommends. They call it crytographic agility and note that you need to be able to transition to new mechanisms, libraries and keys when needed. Defining what to protect, what mechanisms will be used, and how keys and certificates will be managed are all common best practices and are also recommended by SAFECode

Answer 58

A. Cloud customer Explanation: In a PaaS environment, the customer is responsible for the security of applications in the production environment. The service provider will be responsible for the underlying hardware and platform itself

Answer 59

A. Abuse case testing Explanation: Abuse case testing will test how users could abuse the software, including the type of issues James is concerned about.

Answer 60

D. LDAP Explanation: Active Directory, SAML and vendor native SSO options are all commonly supported, but LDAP is not a commonly supported SSO option for most cloud vendors

Answer 61

A. Define Explanation: In the Define phase, organizations work to determine the purpose of the software and what it needs to do to meet the needs of users. Design and Development stages then work to architect and build software that meets those requirements. Detect is not an SDLC phase

Answer 62

C. Set a non privileged user as the process owner Explanation: Setting a nonprivileged user as the process owner will work in many cases. Setting the container owner as nonprivileged user wont stop root from running it in a poor configuration. Limiting root login or requiring MFA wont stop a process as running as root either

Answer 63

A. Static testing Explanation: Jessica should perform static testing to help her organization identify code quality issues by reviewing the source code for the application. Dynamic testing can identify functional issues but may not identify code quality or business logic flows.

Answer 64

B. The ability of internal personnel to trigger business continuity/disaster recovery activities Explanation: The STRIDE threat model does not deal with business continuity and disaster recovery (BC/DR) actions. All the other options are elements of STRIDE: escalation of privilege, repudiation and spoofing

Answer 65

D. API Gateway Explanation: API Gateways are well suited for this type of architecture because they focus on service discovery and API security as well as rate limiting and other security controls like authentication. XML firewalls and cloud application security brokers are both used for other purposes and RPC gateways allow remote procedure calls to other networks and services

Answer 66

A. Define Explanation: The earlier security inputs are included in the project, the more efficient and less costly security controls are overall.

Answer 67

A. Dynamic, nonfunctional testing Explanation: Tahir is conducting a nonfunctional test that checks for behavior under load and since the program is actually running, it is dynamic testing rather than static testing of source code

Answer 68

B. SSO Explanation: Joanna is using a single sign on infrastructure to allow her to sign on in one location and to use those credentials in multiple locations and to use those credentials in multiple locations with various service providers. RDP is used for graphical access to Windows systems, OTP is a one time password and MFA is authentication

Answer 69

A. Integrity Explanation: Tampering impacts the integrity of data by modifying it

Answer 70

C. OWASP Explanation: OWASP, The Open Web Application Security Project, provides both cloud and web application security top 10 lists that are community sourced and which are well suited to awareness training. ASVS sets standards for application validation and security testing. CVE and NIST are not community-based web application security guides

Answer 71

D. Testing Explanation: Interactive application security testing (IAST) would be most likely to occur during the Testing phase of the SDLC

Answer 72

C. Generate passphrases randomly Explanation: Using automated creation tools for passphrases will prevent staff members from reusing passwords or falling into habits that result in easily guessed passphrases and passwords. Using a word list, shared passphrases, or simply adding complexity will not meet Malika's needs

Answer 73

A. SAML Explanation: SAML is commonly used to enable identity federation. FIPS 140-2 is a US government encryption mechanism standard, XML may be needed but is a very broad standard for extensible markup languages, and FIM is federated identity management, a generic term describing the overall concept, not a technology or technological capability

Answer 74

C. Replicate the production environment for QA testing, then promote to production after testing Explanation: Replicating production for QA testing, then promoting from QA to production once testing is complete, is a common design practice in application development environments. Adding software going through QA to production environments or allowing users to use QA systems instead of production can lead to a negative user experience, and creating a QA environment that doesnt match production may invalidate testing

Answer 75

A. ASVS Explanation: ASVS uses a three level code validation assurance level model, with level 3 requiring critical applications to meet in depth validation and testing requirements