Domain 10 - Application Security Flashcards

Question 1

Q

What opportunities does cloud present for application security?

Answer

A

Higher baseline security - CSPs have economic incentives to maintain high security levels; as trust is core to their business model. Multiple security standards and baselines from different verticals enhances overall security
Responsiveness - API based enables responsive security program -e.g. change firewall rules, or update servers
Isolation - each cloud application can be deployed in its own virtual network (VPC) limiting attack surface, and enabling granular security controls
Independent VMs - use of microservice on smaller VMs - smaller attack surface; granular security controls
Elasticity - auto scaling means manual processes won’t work; encourages use of immutable servers; increased operational security; remote admin can be disabled
DevOps - automation of application dev & deployment (e.g. CI/CD pipelines, IaC)
Unified Interface - for infra and application services; not managed by different teams reducing failures.

Question 2

Q

What are the challenges that Cloud presents to application security?

Answer

A

Limited detailed visibility
Increased application scope as dev and ops are integrated; both may need access to the management plane - e.g. Applications may need access to the management API such as creating or deleting an S3 bucket.
Changing threat model - needs to factor in cloud provider responsibilities
Reduced transparency (especially in PaaS where some services are provided by CSP - e.g. Message Queues)

Question 3

Q

What are the key phases of any SSDLC?

Answer

A

There are may SSDLC models (MSFT, NIST, ISO), but nearly all of them can be grouped as below:

Secure design and development - includes training, requirements, design, implementation, testing
Secure deployment - moving from dev to test to stage to production
Secure operations - continue operating securely - WAFs, Vulnerability assessment, change management, config management etc.

Question 4

Q

In SSDLC, what are the stages in secure design and development phase?

Answer

A

Training - secure coding practices, security tests, technical training (general and CSP specific). Dev, Sec and Ops team have to be trained
Define: Security functional requirements; regulations and policy driven requirements
Design - threat modeling, build in controls, leverage cloud capabilities (e.g. serverless).
Develop - CI/CD, code review, SAST/DAST
Test: SAST/DAST/IAST, Unit, Functional, Regression testing, staging; integration of testing into the CI/CD pipeline.

Question 5

Q

In SSDLC, what are the stages in secure deployment phase?

Answer

A

Automated security testing integrated into the CI/CD pipeline.
Code review: often manual; integrated via Approval Gates in the CI/CD stage
Testing: Unit, regression and functional tests
-SAST - examine APIs to see if there are embedded credentials
DAST - fuzzing, web vulnerabilities
IaC makes immutable architectures possible
IaC enhances security - operational environment can be more tightly locked down
Security testing can be integrated into the CI/CD pipeline.
Protecting the pipeline itself becomes important.

Question 6

Q

How does cloud impact application design and architectures?

Answer

A

Question 7

Q

What is DevOps?

Answer

A

Question 8

Q

What are the benefits of DevOps?

Answer

A

Standardization - CI/CD pipelines produce artifacts uniformly for Dev/Test/Prod
Automated testing - integration of testing with CI/CD pipelines
Immutable: pipelines produce master images for VMs, Containers, and Infra quickly for automated deployments
Improved auditing and change management - who did what, when? Gates for change approval
DevSecOps - integration of security within the Dev and Deployment process.

(8 cards)