Domain 4 - Cloud Application Security

Question 1

What are the essential components of a security culture per SAFECode?

Answer 1

1. Executive support and engagement
2. Program design and implementation
3. Program sustainment and measurement.
4. Training and awareness are important steps in developing a security culture.

Question 2

How does an organization build a security conscious culture?

Answer 2

1. Secure by design - security is part of every step; not a bolt-on
2. Shared security responsibility - security is everyone’s job from most junior to senior management
3. Security as a business objective - security is not something in addition to what we do; secure computing is what we do!

Question 3

What are pitfalls associated with developing a security conscious culture?

Answer 3

• Lack of exec support (no budgets for security staffing/programs)
• Failing to understand organizational culture - security program must be tailored to the org’s unique culture
• Staffing - insufficient security staff who are spread across multiple projects
• Framework for SDLC - lack of a well defined process
• Budget constraints leading to training cuts.

Question 4

What are the top 11 threats to cloud computing according to the CSA?

Answer 4

1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient id, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak Control Plane
9. Metastructure and Applistructure failures
10. Limited cloud usage visibility
11. Abuse and Nefarious use of cloud services.

Question 5

What are the top 10 OWASP identified threats in web application security?

Answer 5

1. Injection flaws (SQL, NoSQL, OS, and LDAP) - allows attacker to run malicious commands and access data
2. Broken authentication- leads to compromise of passwords, keys and tokens
3. Sensitive data exposure - due to insecure protocols and lack of encryption
4. XML external entities - remote code execution?
5. Broken access controls - poor practices allow authN users to view unauthorized sensitive data.

Question 6

What are the steps in a SW Development Life Cycle?

Answer 6

1. Requirements
2. Design
3. Development
4. Testing
5. Deployment - includes specifying standard configs.
6. Operations & Maintenance

Question 7

Per NIST Secure SW Development Framework, what the components of a SSDLC?

Answer 7

1. Prepare the organization - people, processes and technologies
2. Protect the SW - protection from tampering and unauthorized access
3. Produce well-secure SW - minimum vulnerabilities
4. Respond to vulnerabilities - including preventing them in future releases.

Question 8

What does the OWASP say about Software Assurance Maturity Model (SAMM)?

Answer 8

1. Assess current security posture
2. Define a strategy (security target)
3. Implement a roadmap
4. Offer prescriptive advice on activity implementation.

Question 9

CSA Security Issue: Data Breach- How can this be mitigated using SSDLC?

Answer 9

• Requirements: identify data to be protected and users that need access; involve a security architect
• Design & Development: use of encryption; AuthZ/N
• Testing: traditional test, pen tests and vulnerability scans
• Deployment: secure by default; monitor and alert changes in config; monitor for new risks

Question 10

CSA Security Issue: Misconfig/Change Control- How can this be mitigated using SSDLC?

Answer 10

• Default deployment configuration must be secure
• Monitor changes and alert
• Continuous monitoring (e.g. via AWS Config)
• Effective Change Control involving security experts on the CC committee.

Question 11

What security vulnerabilities arise during deployment phase of services?

Answer 11

• Data storage and transmission (unencrypted)
• Excessive permissions
• Default credentials and settings
• Standard security controls being disabled.

Question 12

CSA Security Issue: Lack of cloud security architecture/strategy - How can this be mitigated using SSDLC?

Answer 12

• Cloud Adoption framework
• Security focused architecture

These controls precede SSDLC - having this in place first enables SSDLC to deliver to those requirements.

Question 13

CSA Security Issue: Insufficient ID, Credentials, Access and Key Management - How can this be mitigated using SSDLC?

Answer 13

• Concerns: Scalable IAM, use of MFA, protection/rotation of crypto keys, password policy enforcement, credential protection etc.
• Requirements phase: MFA, strong passwd, etc. should be part of the requirements
• Design/Dev/Test - implementation and testing of these safeguards

Question 14

How does the role of QA change in the cloud?

Answer 14

Traditional QA was the testing phase separate from development.

Modern QA is embedded in the DevSecOps team. QA occurs at each phase of the SSDLC.

Testing involves both functional and security testing; load test, performance test, stress test, and vuln. mgmt.

Question 15

What is STRIDE?

Answer 15

STRIDE is a model for identifying computer security threats. The six threat categories are:

1. Spoofing (Authenticity)
2. Tampering (Integrity)
3. Repudiation (Non-repudiability)
4. Information disclosure (Confidentiality)
5. Denial of Service (Availability)
6. Elevation of privilege (Authorization)

The STRIDE model can be used to define security requirements as SSDLC progresses.

Question 16

What are the phases in threat modeling?

Answer 16

These steps are refined through each of the 5 phases of the SSDLC:

1. Define security requirements - precise definitions helps
2. Create application overview - review application architecture, characteristics and users to identify relevant threats
3. Identify threats
4. Mitigate threats - identify controls that mitigate threats
5. Validate threat mitigation - monitor and review controls to ensure they lower risk below acceptable threshold.

Question 17

What is Software Configuration Management and why is it important?

Answer 17

• The role of SCM is to manage SW assets.
• It makes rolling back changes possible.
• Versioning can keep track of different releases for different markets.
• SCM can provide artifacts that prove processes are followed
• Done via a Config Management Database (CMDB)

Question 18

What is SAST?

Answer 18

Static Application Security Testing aka White-box testing.
Reviewing source code for vulnerabilities; static scanning of source code.
Access to source code is needed.

Question 19

What is DAST?

Answer 19

• Dynamic Application Security Testing aka Black-box testing.
• DAST is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
• No access to source code; hence vulnerabilities are detected via actual attacks.

Question 20

What is IAST?

Answer 20

Interactive Application Security Testing - a combo of white and black box testing.
Used in integration and pen testing. 
Newer and better than SAST and DAST. 
Uses an agent in the application. 
Analyzes code and runtime behavior

Question 21

What is RASP?

Answer 21

Runtime Application Self-protection
Security tool that runs on the same server as the application.
Intercepts all requests to/from application and validates them.
Additional layer of security.

Question 22

What is SW Assurance and Validation?

Answer 22

SW Assurance defines the level to which SW is free from vulnerabilities. Confidence level in the absence of errors.

• Done via a) Functional testing and b) Security Testing.

Question 23

In SW Assurance/Validation what is the role of Functional Testing?

Answer 23

• Assures that SW meets functional requirements.
• Unit test -> Integration test -> Usability Test -> Functional testing.
• Multiple lanes -e.g. Dev, Test, Stage, Prod
• Functional testing is done in Testing/Staging envs.
• Functional Testing must be realistic
• FT must pass acceptance - i.e. demonstrate that it meets all requirements.
• FT must be free of (major) bugs.
• Bugs may be fixed; requires regression testing.

Question 24

In SW Assurance/Validation what is the role of Security Testing?

Answer 24

• Assures that security strategy, architecture and requirements are met.
• Done via White-box, black-box and grey-box testing.
• SAST, DAST, and IAST.
• Use of RASP for additional layer of security.

Question 25

What are the key steps in using verified secure software?

Answer 25

- Approved API: Use only approved API configurations and automate monitoring of those configs. Develop approved configuration and enforce its use via policies. - Supply Chain Management - address operational and security requirements in contracts with vendors; secure supply chain management SW in the cloud - 3P SW Mgmt: security language in contract; review SOC reports, pen test, vuln scans; assess org's security maturity; address fourth party risks - Validate Open Source SW - use only well known OSS packages; Use SAST/IAST in testing

Question 26

What are the unique characteristics of cloud architectures?

Answer 26

- Microservices, orchestration using K8s - API front ends (RESTful, stateless) - Lend themselves to DevOps and CI/CD processes - Serverless and event-driven architectures

Question 27

What is a WAF?

Answer 27

Web Application Firewall - Analyzes HTTP GET/POST requests for specific signatures - Prevents XSS, SQL injection and other attack - Different from an Intrusion Detection System

Question 28

What are DAM tools?

Answer 28

Database Activity Monitoring tools - DB security technology that monitors and analyzes DB activity; like a firewall specifically for Databases - Separate from native DB audit and logging tools. - Combines network-based monitor with native DB audit logs - Monitors privileged user activity. - Assists in compliance (e.g. PCI/DSS, HIPAA, etc.) - Detective tools used for incident detection.

Question 29

What is XML?

Answer 29

Extensible Markup Language - Provides a standard way for applications to exchange data. - XML formatted data can be carried in any protocol e.g. HTTP/HTTPS.

Question 30

What is an XML Firewall?

Answer 30

- Firewalls that work at the application layer - Protects XML-based APIs and applications by standing in front and inspecting traffic. - Can implement complex security rules through XSLT (Extensible Stylesheet Language Transformation).

Question 31

What do API Gateways do?

Answer 31

- API gateways allow traffic to application backend services. - Features include rate limiting, access logging, authZ (key validation) and authN - Ensures confidentiality of data

Question 32

What are supplementary security components that cloud-based applications can use?

Answer 32

- WAF - DAM - XML Firewalls - API Gateways.

Question 33

What are the important components of cryptography in the cloud?

Answer 33

- Encrypting data at rest - Encrypting data in motion (TLS, VPN) - Key Management (for sensitive data, may be best to separate managing encrypted data from managing encryption keys - e.g. using a third party).

Question 34

What is a sandbox?

Answer 34

An isolated environment to develop and test code safely. May have Limited functionality/connectivity Temporary environment

Question 35

How can application virtualization be achieved?

Answer 35

Normally through containerization. - Containers can be used to run corporate applications separately from user application in a BYOD model. Risk: containerization SW (e.g. K8s) must be kept up to date.

Question 36

What are the key ways to develop secure cloud-applications using cloud-specific techniques?

Answer 36

- Use of microservices/API front ends - Leveraging supplementary security services (e.g. WAF, DAM, XML FWs and API GWs) - Using cryptography - Sandboxing (for dev and test) - Application virtualization to provide separate/isolated environments for corporate applications

Question 37

What is OAuth2.0?

Answer 37

Open Authorization - standard allows web apps to access resources hosted by other web apps on behalf of an user. - NOT an authentication protocol. - Uses access tokens (normally JWT) instead of user credentials - Multiple roles - Resource Owner, Client, Authorization Server, and Resource Server. If the client requests access to resources controlled by the Owner and hosted by the resource server, instead of using the Owner's credentials to access protected resources, the client gets an access token.

Question 38

What is SAML?

Answer 38

Security Assertion Markup Language (SAML). - Allows access to multiple websites using one set of login creds. So, unlike OAuth2 - it is an authN protocol. - Authentication information passed between identity provider (Google, FB, Apple) and service provider (web application). - Service providers don't need to store username/pwd info. - Users only sign in once. - Identity provider and service provider have a trusted relationship. - Identity providers have economies of scale to invest in fortifying their servers.

Question 39

What is LDAP?

Answer 39

Lightweight Directory Access Protocol Used to access directories which store user authentication information. LDAP is a vendor-neutral protocol - can be used with multiple directories. Most common is MSFT's Active Directory. LDAP and AD are NOT the same thing.

Question 40

What is Kerberos?

Answer 40

Network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities - Three roles: Server, Client and Key Distribution Center - KDC is the trusted 3rd party.

Question 41

What is identity federation? | What are risks associated with identity federation?

Answer 41

ID federation is where a single digital identity is used to access multiple system. The systems can be across organizations. Federation extends SSO across multiple IAM systems. Main risk: - if the identity is compromised, all federated systems are compromised. - Trust level may not be the same across all systems/organizations.

Question 42

What is a CASB?

Answer 42

Cloud Access Security Broker - SW (on -prem or cloud-based) between cloud users and cloud services/applications and monitors all activity and enforces security policies. - Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on - CASBs that deliver security must be in the path of data access, between the user and the cloud provider. Architecturally, this might be achieved with proxy agents on each end-point device - Agentless CASBs are also available. Better for BYOD use cases. - Not meant to replace firewalls, IDS/IPS.

Question 43

What are the pros and cons of single sign on?

Answer 43

- Only one set of credentials to monitor and safeguard. - If compromised, can be changed easily - Multiple credentials - risk is that users reuse passwords. - However, if compromised, all systems using it are affected.

Question 44

What are the key elements of designing an appropriate IAM solution?

Answer 44

- Using federated identity - Use Identity providers for multi-cloud - Using SSO - Using MFA - Using CASB

Question 45

Overall summary: Cloud Application Security

Answer 45

1. Training and Awareness for Application Security - Basic, common pitfalls, vulnerabilities (CSA and OWASP) 2. Secure SDLC * NIST 4 Step proces 3. Secure SDLC * Avoid common vuln * Be aware of Cloud specific risks (CSA Egg-11, OWASP 10) * Quality Assurance * Threat Modeling * SW Config Mgmt and Versioning 4. Cloud Software Assurance * Functional testing * Security testing methodology (SAST/DAST/IAST) 5. Use verified secure SW * Approved APIs * Supply chain mgmt * 3P SW Mgmt * Validate OSS 6. Comprehend specifics of cloud architecture * Microservices/containers * Supplementary Security (WAF, DAM, XMLFW, API GW) * Cryptography * Sandboxing * Application virtualization and Orchestration 7. Design appropriate IAM * Federation, IdProviders, SSO, MFA, CASB

Question 46

What is OIDC?

Answer 46

OIDC = Open ID Connect OpenID is a an authN protocol that extends OAuth. OID & SAML are both AuthN protocols. SAML uses XML. OID is based on REST/JSON.

Question 47

What are the various components of the web application testing that OWASP recommends?

Answer 47

1. Information Gathering 2. Config and Deployment Management testing 3. Identity Management Testing 4. Authentication Testing 5. Authorization Testing 6. Session Management Testing 7. Input Validation Testing 8. Error Handling 9. Weak Cryptography 10. Business Logic Testing 11. Client Side Testing 12. API Testing