Cloud Application Security Domain A

Which stage of the BCDR process takes into account the RPO and RTO requirements set forth by management and stakeholders? A. Gathering requirements B. Define scope C. Analyze D. Implement

Gathering requirements When you are gathering initial requirements for a business continuity and disaster recovery (BCDR) process, the recovery point objective (RPO) and recovery time objective (RTO) will be the two primary factors that drive all your decisions and planning. There are many ways to accomplish continuity and disaster recovery, but the requirements for the point and time are the ultimate drivers that determine which solutions will meet management objectives.

It was discovered that an attacker was able to send properly formatted SQL code through your web application in order to obtain the entire schema of the underlying database. What type of attack does this best represent? A. Injection B. Sensitive data exposure C. Security misconfiguration D. Insecure direct object references

Injection Explanation: An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized, or it can potentially allow an attacker to gain insight into configurations or security controls.

You have been tasked by management to run security tests against an application using the same toolsets and methodologies that a legitimate attacker would use, including actually attempting to leverage successful exploits. Which type of testing would this entail? A. Dynamic application security testing B. Penetration testing C. Simulation testing D. Static application security testing

Penetration testing Penetration (or pen) testing is done as a "black-box" test but using the same tools and methodologies an attacker would use in order to evaluate the security of the application. It is designed to test vulnerabilities with various types of real-world scenarios and to actually execute exploits.

Which of the following represents the R component of the DREAD threat risk modeling system? A. Reproducibility B. Repudiation C. Redundancy D. Reversibility

Reproducibility Explanation: Reproducibility is the measure of how easy it is to reproduce an exploit. On the low end, a value of 0 signifies a near impossibility of exploit, even with administrative access. This would likely occur where other defensive measures prevent access or exploit. On the high end, a value of 10 signifies an easy exploit, such as simply accessing the application with a client, without needing authentication or other methods. Any value in the middle will be subjective and determined based on the particulars of the application, as well as any other mitigating factors from other defensive mechanisms.

At which phase of the SDLC process should security begin participating? A. Requirements gathering B. Requirements analysis C. Design D. Testing

Requirements gathering Explanation: Because the requirements-gathering phase is the earliest phase, when the crucial decisions will be made that will drive and dictate every phase thereafter, it is vital to include security from this earliest point. By including security from the beginning, an organization can ensure that proper security controls and designs are being implemented, thus lessening the change of having to redo parts of the project later or incurring significant loss of time or money addressing security concerns.

Which concept is often used to isolate and separate information or processes within an environment for either security concerns or regulatory requirements? A. Virtualization B. Segregation C. Sandboxing D. Honeypots

Sandboxing Explanation: Sandboxing involves the segregation and isolation of information or processes from others within the same system or application, typically for security concerns. Sandboxing typically is used for data isolation, such as keeping different communities and populations of users with similar data isolated from each other. The need for sandboxing can be due to internal reasons, such as policies, or it can come from external sources, such as regulatory or legal requirements.

Which type of testing tends to produce the best and most comprehensive results for discovering system vulnerabilities? A. Static B. Dynamic C. Pen D. Vulnerability

Static Explanation: Static application security testing (SAST) tests both the source code and components of an application. It is done as a "white-box" test, as those running the tests have full access to the actual source code and configuration documentation of the application. Also, tests are done against an offline system. SAST is considered the most comprehensive type of testing due to the knowledge of the systems and access to source code by the testers.

You have a new application that is about to be put into production and used by customers. Management would like to undertake an exhaustive test of the system by assessing the known controls and configurations as well as reviewing the source code and components. Which type of testing would this represent? A. SAST B. DAST C. Pen D. RASP

SAST Static application security testing (SAST) assesses both the source code and components of an application. It is done as a "white-box" test, as those performing the tests have full access to the actual source code and configuration documentation of the application. Tests are done against an offline syst

Many organizations will have different environments for development versus production, even using different cloud providers or different systems between the two. Which of the following would be the BEST reason to have both production systems and development systems hosted within the same cloud environment? A. Operating systems B. VPN access C. Storage systems D. APIs

APIs Explanation: Cloud providers have their own suite of APIs that are offered and maintained within their environments and are available to customers. Having both production and development systems hosted within the same cloud provider will ensure that the same APIs are available and used throughout the system, thus lessening the possibility of problems originating when code is moved into a new environment for production release.

Where would be the most appropriate location for an XML firewall within a system architecture? A. Between the presentation and application layers B. Between the application and data layers C. Between the firewalls and application servers D. Before the firewalls

Between the firewalls and application servers An XML firewall validates XML data before it reaches an application server. The appliance can perform validation as well as control what users or services are allowed to access specific XML functions of an application. Positioning the XML firewall between the firewalls and applications allows for initial network filtering based on origination and destination of packets before the content analysis of the appliance is performed and before the traffic is allowed to reach the application servers.

Which of the following types of threats is focused on compromising the client rather than the server or application itself? A. Cross-site scripting B. Insecure direct object references C. Injection D. Cross-site request forgery

Cross-site scripting Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without it going through any validation or sanitization processes, or perhaps the code is not properly escaped from processing by the browser. The code is then executed on the user's browser with their own access and permissions, thus allowing an attacker to redirect the user's web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access

Which type of testing involves externally attacking the security of a system but without actually attempting to alter systems or fully execute malicious actions? A. DAST B. SAST C. Pen D. RASP

DAST Dynamic application security testing (DAST) is run as a "black-box" test where those running the test have no internal or particular knowledge of the system and must discover everything they know about it through the use of utilities. DAST does not attempt to fully execute malicious actions in the same manner as pen testing does

Which of the following choices represents the D component of the STRIDE threat model from OWASP? A. Data loss B. Data breach C. Denial of service D. Disclosure

Denial of service

It is vital during the initial requirements gathering for a new project or application to include all the pertinent stakeholders who will both drive the requirements and determine whether the critical success factors have been achieved. Which of the following would NOT be a key stakeholder to include during these initial stages? A. Developers B. Management C. Security D. Users

Developers Explanation: During the requirements-gathering stage, developers are not typically included. Before a project reaches the developers, a detailed plan must be developed to define the project, what constitutes success, and what the specific requirements are before developers are consulted. In many instances, the specific requirements of the project may even define who the developers will be based on skillsets, expertise, and chosen technologies and budgets.

What is the primary security mechanism used to protect SOAP and REST APIs? A. Firewalls B. XML firewalls C. Encryption D. WAFs

Encryption Explanation: The SOAP and REST APIs do not have built-in security mechanisms and must rely on external mechanisms. The primary means to protect both APIs is through the use of encryption, typically through the use of TLS to secure the transmission of data across the networks between the clients and services.

Which of the following types of organizations is most likely to make use of open source software technologies? A. Government agencies B. Corporations C. Universities D. Military

Explanation: Universities make extensive use of open source technologies, especially compared to other types of organizations. There are multiple reasons why this is the case. One reason is that the open and research-oriented nature of universities makes them more accepting of open source technologies. Another reason is the more stringent budgetary realities that many universities face.

What type of identity system allows trust and verifications between the authentication systems of multiple organizations? A. Federated B. Collaborative C. Integrated D. Bidirectional

Federated Explanation: Federated identity systems work by allowing an identity provider at a user's organization to be trusted by relying parties connected to applications and services for authentication and then providing appropriate authorization based on attributes released from the identity provider.

A federated identity system is composed of two main components. Which of the following pairs represents the correct two components? A. Identity provider and relying party B. Authentication provider and service provider C. Identity provider and relying provider D. Single sign-on and application

Identity provider and relying party Explanation: The two components that comprise a federated identity system are the identity provider, which handles the authentication and release of attributes about a user, and the relying party, which accepts the authentication and consumes the attributes about the user, typically then mak

During an incident investigation from a suspected breach, it was discovered that some application code contained the names of underlying databases and systems that were able to be read by the attacker. What type of vulnerability does this best represent? A. Injection B. Sensitive data exposure C. Security misconfigurations D. Insecure direct object references

Insecure direct object references Insecure direct object references occur when a developer has in their code a reference to something on the application side such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network.

When you are changing to a different data center for a disaster recovery scenario, which of the following could pose a challenge to the authentication systems over a geographic distance? A. Regulations B. Latency C. Redundancy D. Interoperability

Latency Authentication systems, as a security check, enforce limited time requirements for authentication tokens and any checks to be performed and validated. If it takes longer than the allowed time, the request will be considered stale and invalid, and it will likely loop back to try the process again. If a large geographic distance exists and network latency occurs, it is possible on some systems, if they have short validity periods, for authentications to fail and for system access to be denied.

Which of the following threats from the OWASP Top Ten is the most difficult for an organization to protect against? A. Advanced persistent threats B. Account hijacking C. Malicious insiders D. Denial of service

Malicious insiders Malicious insiders are individuals with trusted and valid access to a system or application who then misuse that access for malicious ends. This can include stealing data, using it for their own purposes, selling it, or granting others unauthorized access to it.

An employee of your company submitted a security ticket claiming that he was able to access areas of an application by going through certain functions that he should not be able to. What type of security vulnerability does this best illustrate? A. Missing function-level access control B. Security misconfiguration C. Sensitive data exposure D. Unvalidated redirects and forwards

Missing function-level access control Many applications will do authorization checks and assign access rights when a user first accesses the application. As the user traverses the application and accesses different functions, if the application does not verify authorization for each function, it is possible for the user to be able to elevate access, either intentionally or accidentally. The application should verify authorization as a user accesses each new function or piece of data.

Which of the following options would be possible, in conjunction with a USB drive, to fulfill an application's multifactor authentication requirements? A. RFID chip card B. Password C. RSA token D. Access card

Password Explanation: A USB thumb drive represents something that a user possesses. Because a password is something that a user knows, it would be an appropriate factor to use with a USB drive for multifactor authentication.

Which concept involves the ability for a system to respond to attack methods being used against it and automatically alter security configurations and countermeasures to compensate for them? A. DAST B. Pen C. RASP D. SAST

RASP Explanation: Runtime application self-protection (RASP) involves testing against systems that have the capability to detect attacks and threats and to automatically adjust their security settings or other configurations to compensate for and mitigate these attacks and threats. RASP is designed to be done in real time on live systems.

During a periodic or specific testing of a BCDR plan, which of the following pairs of objectives is the main metric used for the overall evaluation of the plan? A. RPO and SRE B. RSL and RTO C. RTO and RPO D. ARO and RSL

RTO and RPO Explanation: During a BCDR test, the recovery time objective (RTO) and the recovery point objective (RPO) are the two main objectives that are tested and evaluated. The RPO is defined by management as the point where a successful restore of an environment will have occurred, and the RTO represents the acceptable amount of time required to do so.

Which component consumes assertions from identity providers and makes a determination as to whether to grant access, and at what level, if applicable to a user? A. Service party B. Application provider C. Service broker D. Relying party

Relying party Explanation: A relying party consumes security assertions from identity providers and then makes decisions as to whether to grant access and at what level. The decisions can be based on anything about the user that is presented in the attributes from the identity provider, such as status, organization, and location.

Which concept refers to the ability to validate and prove that a specific entity did not perform operations on a system? A. Repudiation B. Validation C. Integrity D. Authentication

Repudiation Repudiation relates to the ability to prove that a specific user or entity did not perform specific functions or access specific data within a system or application. With comprehensive logging, any transaction on a system is open to dispute or challenge by a user, who can claim they never performed the type of transaction the system says they did or challenge the data contained on the system

A common strategy to mitigate costs when using a cloud solution for disaster recovery is to leave images offline at the DR provider and only turn them on when needed. Which of the following would be the least significant concern with this approach? A. Integrity B. Patching C. Confidentiality D. Reversibility

Reversibility With images at a disaster recovery (DR) site, reversibility is still a concern, but in almost all cases it should be trivial to quickly delete them and remove them from the system, if needed. Although still a concern in any cloud deployment, of the possible choices, reversibility would be the least concern for a DR focus.

What standard is used between different entities within a federated system to exchange information about authentication and user attributes? A. SAML B. XML C. HTML D. TLS

SAML The Security Assertion Markup Language (SAML) is an open standard for exchanging information for authentication and authorization between an identity provider and a relying party. SAML provides information to ensure that authentication has been completed successfully. It also provides the identification for the identity provider and organization as well as a set of attributes about the user to be given to the relying party.

Which of the following software applications is not a utility for managing code or system configurations? A. Puppet B. Chef C. Shibboleth D. GitHub

Shibboleth Shibboleth is an open source, federated identity system that is widely used by universities, nonprofits, government agencies, and other resource- or technology-related organizations.

Single sign-on systems work by authenticating users from a centralized location or using a centralized method, and then allowing applications that trust the system to grant those users access. What would be passed between the authentication system and the applications to grant a user access? A. Ticket B. Certificate C. Credential D. Token

Token Explanation: Single sign-on systems use tokens to pass authentication information between systems that can be trusted to allow the user access and to confirm their identity.

Which type of threat is often used in conjunction with phishing attempts and is often viewed as greatly increasing the likeliness of success? A. Unvalidated redirects and forwards B. Cross-site request forgery C. Cross-site scripting D. Insecure direct object references

Unvalidated redirects and forwards Explanation: Unvalidated redirects and forwards occur when an application allows external links or redirects but does not properly validate or secure them. This allows an attacker to potentially redirect users through a legitimate and secure application to an external site for phishing attempts or other malware attacks. The site will appear to be safe and legitimate to the user because it originated from within a trusted application.

Which of the following is NOT part of the OWASP Top Ten list of critical web application security risks? A. Injection B. Sensitive data exposure C. Insecure direct object references D. User ID and password authentication schemes

User ID and password authentication schemes Explanation: User ID and password authentication schemes are not a specific component of the OWASP Top Ten list of critical web application security risks. Many other components will incorporate threats to authentication schemes and systems, but the list does not treat them as their own entity.

With cloud systems making exclusive use of broad network access, which technology is commonly used for support personnel to access systems for maintenance and administration? A. IPSec B. TLS C. SSH D. VPN

VPN Explanation: A virtual private network (VPN) is used to create a secure network tunnel from outside of a cloud environment into the internal networks, and in many instances it's used to access trusted zones that are not accessible to the public. VPNs are crucial for systems support personnel and administrators to maintain and configure servers.

What type of testing runs known attacks and signatures against a system to determine a risk rating based upon discovered weaknesses? A. Vulnerability scanning B. Pen testing C. Baseline scanning D. Compliance scanning

Vulnerability scanning Explanation: Vulnerability scanning is done using a predefined set of signatures and parameters to evaluate a system and give a risk rating based on its findings. It does not have extensive knowledge of a system or go beyond the preconfigured tests that it runs for compliance.

Your application has been a continued target for SQL injection attempts. Which of the following technologies would be best used to combat the likeliness of a successful SQL injection exploit from occurring? A. XML accelerator B. WAF C. Sandbox D. Firewall

WAF Explanation: A web application firewall (WAF) is an appliance or plug-in that parses and filters HTTP traffic from a browser or client and applies a set of rules before the traffic is allowed to proceed to the actual application server. The most common uses for a WAF are to find and block SQL injection and cross-site scripting attacks before they reach an application.

The Simple Object Access Protocol (SOAP) allows programs from different environments or platforms to communicate seamlessly with each other over HTTP. If you are using SOAP, which data format are you using for information exchange? A. SAML B. XML C. JSON D. HTML

XML Explanation: The SOAP protocol exclusively uses the Extensible Markup Language (XML) for its data encoding and information exchange.

What type of device is often leveraged to assist legacy applications that may not have the programmatic capability to process assertions from modern web services? A. Web application firewall B. XML accelerator C. Relying party D. XML firewall

XML accelerator Explanation: XML accelerators are appliances designed to offload the processing of XML from the actual applications and systems and instead leverage optimized and dedicated appliances designed just for that purpose. In most instances, especially for a heavily used application, an XML accelerator can drastically improve system performance and provide possible security benefits as well because the XML processing is done on a dedicated resource, away from the actual application. This allows for the parsing and verification of inputs and values before the actual application code is hit, much in the same way as an XML firewall. This is particularly useful in situations where enterprise applications might not be designed or equipped to handle the typical XML assertions and web services traffic that cloud applications often use, and it can provide for integration without the need for complete application changes or coding.