Unit 4:Understand Cloud Software Assurance and Validation

Question 1

What is ISO/IEC 27034-1?

Answer 1

This standard defines concepts, frameworks, and processes to help organizations integrate security within their Software Development Life Cycle.

Question 2

What is the ONF?

Answer 2

This is the Organizational Normative Framework. It consists of the following:
Business Context
Regulatory Context ( if the industry is regulated)
Technical Context
Specifications
Roles
Processes
Application Security Control. (ASC) library

Question 3

What is the ANF?

Answer 3

The ANF is the Application Normative Framework. This maintains the applicable portions of the ONF that are needed to enable a specific application to achieve a required level of security or the targeted level of trust.

Question 4

What is ASMP?

Answer 4

This is the Application Security Management Process (ASMP) which results from both the ONF and ANF.

Question 5

What is involved in Application Security Testing?

Answer 5

1. Static Application Security Testing (SAST)
2. Dynamic Application Security Testing (DAST)
3. Vulnerability assessments and Penetration Testing
4. OWASP Recommendations

Question 6

What is are the differences between DAST vs SAST?

Answer 6

DAST is used for black-box testing. It is used when the applications are running.

SAST, is used for white box testing. This is used when the application is not running.

Question 7

What does OWASP recommend for Active Security Testing?

Answer 7

1. Configuration Management Testing
2. Business Logic Testing
3. Authentication Testing
4. Authorization Testing
5. Session management Testing
6. Data Validation Testing
7. Denial of Service Testing
8. Web Services Testing
9. Ajax Testing