7. Cloud Application Security (This one was hard) 80%
database activity monitoring (DAM)
Again, as with the web application firewall, the idea is to have a piece of software or a dedicated appliance watching databases for any type of unusual requests or activity and then to be able to send alerts and even take actions to stop malicious activity. These DAMs can be either agent based or network based, meaning an agent resides on the machine or instance of the database or a network agent monitors traffic to and from the database.
Directory service
Allows the administrator to customize user roles, identities, and so on
Which of the following best describes the Organizational Normative Framework (ONF)? A set of application security, and best practices, catalogued and leveraged by the organization A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization A container for components of an application's security, best practices, catalogued and leveraged by the organization A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
B. Option C is incorrect, because it refers to a specific applications security elements, meaning it is about an ANF, not the ONF. A is true, but not as complete as B, making B the better choice. D suggests that the framework contains only "some" of the components, which is why B (which describes "all" components) is better.
The application normative framework is best described as which of the following? A stand-alone framework for storing security practices for the ONF A subset of the ONF A superset of the ONF The complete ONF
B. Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.
SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP? Reliant on XML Extremely fast Works over numerous protocols Standards-based
B. The other answers are true of SOAP.
Which of the following best describes the purpose and scope of ISO/IEC 27034-1? Serves as a newer replacement for NIST 800-53 r4 Provides an overview of network and infrastructure security designed to secure cloud applications Describes international privacy standards for cloud computing Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security
D. Option D is a description of the standard; the others are not.
Identity and access management (IAM) is a security discipline that ensures which of the following? That all users are properly authenticated That unauthorized users will get access to the right resources at the right time for the right reasons That all users are properly authorized That the right individual gets access to the right resources at the right time for the right reasons
D. Options C and A are also correct, but included in D, making D the best choice. B is incorrect, because we don't want unauthorized users gaining access.
Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like: Password cracking Syn floods Ransomware XSS and SQL injection
D. WAFs detect how the application interacts with the environment, so they are optimal for detecting and refuting things like SQL injection and XSS. Password cracking, syn floods, and ransomware usually aren't taking place in the same way as injection and XSS, and they are better addressed with controls at the router and through the use of HIDS, NIDS, and antimalware tools.
Common Cloud Application Deployment Pitfalls
On-Premise Apps Do Not Always Transfer (and Vice Versa) Poor Documentation Not All Apps Are Cloud Ready Tenancy Separation- In the legacy enterprise, where all infrastructure and resources are owned and controlled by the organization, there is no risk of other tenants (including the organization's competitors!) accessing the organization's data through inadvertent "data bleed" between applications, OSs, guest images, and users. The exact opposite is true of the cloud environment: all those possibilities exist, so the risk of each must be addressed by significant use of countermeasures that ensure access control, process isolation, and denial of guest/host escape attempts...and all these countermeasures will be dependent on remote administration (and will most likely require significant negotiation and cooperation with the provider). Use of Secure, Validated APIs- One feature that makes cloud-based operations so desirable is the flexibility to use current datasets in new and novel ways; this capability is offered and enhanced through the deployment of a wide variety of APIs, many of which can be chosen by the cloud customer, and even still more that can be selected by the user (on the user's own platform or device, in a BYOD environment). Although the variety of options is enticing, it brings an attendant risk: the APIs used to provide this capability might be of questionable origin. It behooves the cloud customer to formalize a policy and process for vetting, selecting, and deploying only those APIs that can be validated in some fashion—a method for determining the trustworthiness of the source and the software itself. This process should be included in the organization's acquisition and development program, as well as the change management effort. Poor documentation is a slow, methodical process that does not add to functionality or performance. It allows tenants to access the organization's data through inadvertent data bleeding. Even though some apps will eventually run successfully in the cloud, they may require configuration changes in order to work effectively.
RESTful APIs
REST stands for Representational State Transfer. It is a software architecture designed to scale the abilities of web-based applications. It is based on guidelines and best practices for creating these scalable web applications. These standards, when followed, allow web applications to access other applications, databases, and so on in order to extend their functionality. Other characteristics of the REST model include the following: It's lightweight. It uses simple URLs. It is not reliant on XML. It's scalable. It outputs in many formats (CSV, JSON, and so on). It's efficient, which means it uses smaller messages than XML. Some examples of situations where REST works well are When bandwidth is limited When stateless operations are used When caching is needed
Deployment model
Removes or reduces the authority and execution of security controls in the environment
Spoofing vs Tampering
Spoofing: Performs impersonation on another device on a network to launch attacks Tampering: Performs modification on data output, data input, or data that is stored
Third-Party Admins
These are cloud providers who manage administration of your system and who are not under your control.
secure operations phase
This is after thorough testing has been successfully completed and the application and its environment are deemed secure.
The development phase
is where the code is written. The code takes into account the previously established definition and design parameters. Some testing of code snippets may occur in this phase to determine whether the code is working as designed. However, major testing will occur later in the process.
disposal phase
once the software has completed its job or replaced with a newer version, it must be securely discarded.
definition phase
we are focused on identifying the business needs of the application, such as accounting, database, or customer relationship management. Regardless of the application's purpose, it is vital that the definition phase ferret out all aspects of the business needs in relationship to it. We try to refrain from choosing any specific tools or technologies at this point; the temptation to do so creates a situation where we have a foregone conclusion ("We're going to use Tech X") instead of truly considering all possibilities that might best satisfy the business requirements.
Federated Identity Management
(or "federation," in general) is much the same as normal identity management except it is used to manage identities across disparate organizations. You can think of it as single sign-on (SSO) for multiple organizations.
Cross-Site Request Forgery (CSRF)
A CSRF manipulates a logged-on user's browser to send a forged HTTP request along with cookies and other authentication information in an effort to force the victim's browser to generate a request that a vulnerable application thinks is a legitimate request form the user.
Which of the following best represents the definition of REST? Lightweight and scalable Relies heavily on XML Only supports XML output Built on protocol standards
A. The other answers all list aspects of SOAP.
Database activity monitoring (DAM) can be: Host-based or network-based Server-based or client-based Used in the place of encryption Used in place of data masking
A. We don't use DAM in place of encryption or masking; DAM augments these options without replacing them. We don't usually think of the database interaction as client-server, so A is the best answer.
Access Management (5)
Access management is the part of the process that deals with controlling access to resources once they have been granted. Access management is what tries to identify who a user is and what they are allowed to access each time they attempt to access a resource. This is accomplished through a combination of means: Authentication: Establishes identity by asking who you are and determining whether you are a legitimate user (often by combining the use of an identity assertion and an authentication factor; for example, a user ID and password). Authorization: Evaluates what you have access to after authentication occurs (in many cases, this means comparing the identity assertion against an access control list [ACL]). Policy Management: Serves as the enforcement arm of authentication and authorization and is established based on business needs and senior management decisions. Federation: An association of organizations that facilitate the exchange of information as appropriate about users and access to resources, allowing them to share resources across disparate organizations. Identity Repositories: The directory services for the administration of user accounts and their associated attributes.
Missing Function-Level Access Control
An application should always verify function-level access privileges before granting access of that functionality to the user interface (UI). If this is not implemented properly, malicious users may be able to forge requests that will allow them functionality without authorization.
forklifting
An often-used term for moving an entire application to the cloud without any significant changes This refers to the idea of moving an existing legacy enterprise application to the cloud with little or no code changes. Although many times these are self-contained stand-alone applications that have operated successfully in the enterprise environment, dependency on certain infrastructure aspects of the legacy enterprise that might not be replicated in the cloud, and other issues such as the use of proprietary libraries that the cloud environment does not also have, can crop up and can cause serious problems in transition efforts. Not only are all apps not natively ready for the cloud, many cannot move to the cloud at all without some type of extensive code changes. Lastly, many applications, particularly office applications such as accounting and word processing applications, now have alternative cloud-based versions, minimizing or removing the need to move those applications as they exist in local systems to the cloud.
APIs are defined as which of the following? A set of standards for building software applications to access a web-based software application or tool A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool A set of routines and tools for building software applications to access web-based software applications A set of protocols, and tools for building software applications to access a web-based software application or tool
B All the answers are true, but B is the most complete. WRONG C
Which of the following best describes data masking? Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number. A method used to protect prying eyes from data such as social security numbers and credit card data. A method for creating similar but inauthentic datasets used for software testing and user training. A method where the last few numbers in a dataset are not obscured. These are often used for authentication.
C. Again, all of these answers are actually correct, but C is the best answer, because it is the most general, includes the others, and is therefore the optimum choice. This is a good example of the type of question that can appear on the actual exam. WRONG D
Which of the following best describes SAST? A set of technologies that analyze application source code, and bit code for coding and design problems that would indicate a security problem or vulnerability A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability A set of technologies that analyze application bit code, and binaries for coding and design problems that would indicate a security problem or vulnerability
C. All the possible answers are good, and are, in fact, correct. C, however, is the most complete and therefore the best answer.
In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? Each member organization/a trusted third party Each member organization/each member organization A contracted third party/the various member organizations of the federation The users of the various organizations within the federation/a CASB
C. In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).
Which of the following best describes SAML? A standard used for directory synchronization A standard for exchanging usernames and passwords across devices A standard for exchanging authentication and authorization data between security domains A standard for developing secure application management logistics
C. Option B is also true, but not as comprehensive as C. D and A are simply not true.
Which of the following best describes data masking? Data masking is used in place of encryption for better performance. Data masking is used to hide PII. Data masking is used to create a similar, inauthentic dataset used for training and software testing. Data masking is used in place of production data.
C. Options B and D are also correct, but not as comprehensive as C, making C the best choice. A is not correct; we don't want to encrypt data if we're using the data for testing or display purposes, the common uses of masked data. WRONG B
Dynamic application security testing (DAST) is best described as which of the following? Test performed on an application or software product while being consumed by cloud customers Masking Test performed on an application or software product while it is using real data in production Test performed on an application or software product while it is being executed in memory in an operating system
D. We do the testing prior to deployment, so C and A are incorrect. B is simply a distractor.
CSA came up with in 2013 titled "The Notorious Nine":
Data loss: Data can be lost through poor application or database design, corruption, or hardware failures. Data breaches: Breaches are due usually to poor database security design or configuration whereby data is exposed without proper authorization. Account takeover or hijacking: This happens when attacks are designed to steal or wedge themselves into the middle of a conversation in order to gain control. Insecure APIs: APIs are the connective tissue of cloud-based web applications and if not properly designed and implemented can cause gaping holes in the security fabric. Denial-of-service (DoS): Both denial-of-service and the even more dreaded distributed denial-of-service attacks are designed to make an application or service unavailable so that a service interruption occurs. Insider threats: Disgruntled employees can wreak havoc on a system. Abuse of cloud services: Consumers sometimes misuse their cloud services for illegal or immoral activities. Insufficient due diligence: Cloud consumers can get into big trouble if they do not follow good due diligence practices. Shared technology issues: While the underlying infrastructure items themselves often were never designed for a multitenancy situation, they respond pretty well to modern virtualization software. However, the consumer must always be wary of the dangers presented in the cloud environment when someone makes a configuration error or has a disgruntled employee. These threats can negate even the most sophisticated control mechanisms.
Whole-instance encryption
Encrypts all of the system's data at rest in one instance
Secure sockets layer
Encrypts data transmission between servers
Volume encryption
Encrypts only a part of a hard drive instead of the entire disk
Transport layer security
Ensures privacy when communicating between applications
Secure code reviews
Identifies and mitigates codes in an application that has exposed a potential vulnerability
Quality of Service
In the cloud model, QoS refers to the idea of ensuring that you do not over-control your environment with security measures that degrade your application's performance. IT QoS focuses on measuring security, health, and services.
Application Virtualization
It is a little like sandboxing, but instead of sandboxing a process, application virtualization allows you to run full applications in a protected space. In addition, because you are doing this virtually, you can run applications that would otherwise not run on the host system. The best example of this is the Linux application WINE. WINE is itself an application virtualization platform that then provides a Linux machine with the ability to run Windows-based applications. This also provides for a space where new apps can be tested, for instance with Windows, without allowing the app to touch what would normally be the external Windows machine.
Tenancy Separation
Multitenancy refers to the notion of hosting multiple cloud tenants on a single host while sharing resources. For instance, a typical host machine can support numerous virtual tenants based on the amount of CPU, RAM, and storage it has. These tenants, while running on the same host, are maintained separately in their virtual environments. This is known as tenancy separation. It is vitally important that configurations be made in such a way as to ensure absolute adherence to this principle. If not, such issues as data leakage and corruption could occur.
OWASP 9 secure coding recommendations
OWASP believes that, if application developers avoided these nine simple design flaws, the vast majority of security breaches would not occur. Input validation Source code design Info leakage and improper error handling Direct object reference Resource usage API usage Best practice violations Weak session management Use of HTTP Get query strings
Invalidated Redirects and Forwards
Oftentimes developers will use redirects without validation, which may expose applications to untrusted data or other applications. Without this validation, malicious users can alter the redirects to point the user to malicious sites such as phishing sites.
deception technology
One of the newest forms of security designed to work in conjunction with both WAFs and DAMs. Let's say a DAM has picked up some actor poking around with SQL injection attacks to see if they can find a weakness in the database or if the WAF will stop them. Deception occurs by quietly rerouting what may be attack traffic to another network segment with databases populated with phony data and triggers that can capture the attack. Although this is often referred to as a honeypot, there are now companies that will set up and manage these deceptive networks for you and not only move the attack traffic away from targets but inform law enforcement and even trap the attacker with logs.
SOAP APIs
Simple Object Access Protocol (SOAP) is a protocol specification providing for the exchange of structured information or data in web services. It also works over other protocols such as SMTP, FTP, and HTTP. Some of the characteristics of SOAP include the following: Standards-based Reliant on XML Highly intolerant of errors Slower Built-in error handling Some examples of where SOAP works or fits in better are: Asynchronous processing Format contracts Stateful operations
STRIDE threat model
The model provides a standardized way of describing threats by their attributes. Then by looking at your application and applying these threat types, you can cover almost all categories to see whether your application has a vulnerability and what type it is. The STRIDE acronym stands for the following: Spoofing: Any impersonation such as IP or user spoofing Tampering: With data output, data input, or data that is stored Repudiation: When the inability to deny one's action has been compromised Information Disclosure: Data leakage or an outright breach Denial of Service: Any type of attack that could cause the application to be unavailable, thereby voiding the CIA triangle of security Elevation of Privilege: The ability to elevate a user account privilege above the authorized level
Federation Standards
There are a number of federation standards, but the most widely used one is Security Assertion Markup Language (SAML). The latest version of SAML is SAML 2.0. It is XML based and consists of a framework for communicating authentication, authorization or entitlement information, and attribute information across organizations. Some of the other standards that exist in this area are as follows: WS-Federation: This uses the term realms in explaining its capabilities to allow organizations to trust each other's identity information across organizations. OAuth: Often used in authorization with mobile apps, the OAuth framework provides third-party applications limited access to HTTP services. OpenID Connect: This is an interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords.
web application firewall (WAF)
These firewalls are deployed in addition to any network firewall and are designed to protect specific web-based applications. PCI requires them as a way of protecting credit card data egress from a web application that may be handling online transactions. In addition, WAFs can also provide protection against such network-based attacks as DoS or DDoS attacks. WAFs function at Layer 7 of the OSI model.
API gateways
They can be used to impose such controls on API activity as Acting as an API proxy so as to not directly expose the API Implementing access control to the API Limiting connections so that bandwidth is available for all applications, which can also help in the event of an internal DoS or DDoS attack Allowing for API logging Allowing for metrics to be assembled from API access logs Providing for additional API security filtering XML gateways work in much the same way, except they work around how sensitive data and services are exposed to APIs. They can be either software- or hardware-based and can implement some types of data loss prevention (DLP).
Broken Authentication
This occurs when a malicious user is able to break a session and steal items like tokens, passwords, or keys. This then allows the malicious user to hijack the system.
Insecure Direct Object Access
This refers to an occurrence that involves a reference to an internal object, like a file, without access control checks or other controls in place to ensure attackers cannot manipulate data.
Cross-Site Scripting (XSS)
XSS is one of the most widely seen application flaws, next to injections. XSS occurs when an application allows untrusted data to be sent to a web browser without proper validation or escaping. This then allows the malicious user to execute code or hijack sessions in the user's browser.
Open Web Application Security Project (OWASP)
a collective effort of web developers sharing and analyzing information about web applications and security features and risks. While OWASP offers a variety of resources such as development guides, white papers, and security tools, all at no cost, the organization is best known for publishing the Top 10, a list of web app security risks developed from surveys conducted every three years.
ANF-to-ONF relationship
a one-to-one relationship; every application has an ANF that maps back to the ONF. However, the ONF-to-ANF relationship is one-to-many. The ONF has many ANFs, but the ANF has only one ONF. Make sure you understand this concept.
Static application security testing (SAST)
a useful method of security application testing. Static means that the source code, byte code, and binaries are all tested without executing the application. These sources of code are examined for known security flaws and vulnerabilities to attempt to catch them prior to going into production. This type of testing is often used in the early stages of application development as the full application is not testable in any other way at that time. SAST testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST). Unlike SAST, DAST is considered a black-box test since the code is not revealed and the test must look for problems and vulnerabilities while the application is running. It is most effective when used against standard HTTP and other HTML web application interfaces.
Identity and access management (IAM)
about the people, processes, and procedures used to create, manage, and destroy identities of all kinds. Whether you are dealing with system administrators or plain users of cloud services, the creation and management of identities is key in maintaining secure operations. IAM systems consist of several components, as shown in Figure 7.3. First and foremost is that they are designed to verify or authenticate users to gain access to resources. Once authenticated, the users are then authorized and given subsequent access to resources. The user is generally managed through a central user repository. This is often accomplished with role-based access. This allows for a broader and more consistent set of controls for users. Rather than the administrator having to create, modify, delete, and otherwise manage a user, role-based access allows the administrator to modify the role a user has, thereby impacting the entire group in that role at once.
testing phase
activities such as penetration testing and vulnerability scanning against the application are performed. We will use techniques and tools for both dynamic and static testing or dynamic application security testing (DAST) and static application security testing (SAST). We will go into these testing methods later in the lesson.
Runtime Application Self-Protection (RASP)
assists in the prevention of successful attack by protecting itself through the ability to reconfigure itself without human intervention. This typically occurs in response to certain types of threats or faults. It is called runtime protection because it comes into play by launching itself as the application is executed in memory.
ISO/IEC 27034-1
provides one of the most widely accepted set of standards and guidelines for secure application development. ISO/IEC 27034-1 is a comprehensive set of standards that cover many aspects of application development. A few of the key elements include the organizational normative framework (ONF), the application normative framework (ANF), and the application security management process (APSM). Part of ISO/IEC 27034-1 lays out the ONF for all of the components of best practices with regard to application security. The standard is composed of the following categories: Business Context Regulatory Context Technical Context Specifications Roles, Responsibilities, and Qualifications Processes Application Security Control (ASC) Library
Application programming interfaces (APIs)
the coding components that allow applications to speak to one another, generally through a web interface of some kind. We hope that this occurs in a safe and secure manner. However, that is not always the case, and the cloud security professional should know how to determine risks and threats associated with the use of APIs. regardless of what type of API you use to offer web services, you are granting another application access to the primary application and any data it may have access to. This can present many security challenges for the consumer since they do not have the skillset to be able to evaluate the security of any specific API they might be accessing. In addition, there may be other APIs in play that a user is not aware of but that are used on the same system. This can then lead to data leakage or other problems if the APIs in question have not been sufficiently vetted and validated to ensure they provide adequate security.
Identity Management
the process whereby individuals are given access to system resources by associating user rights with a given identity. Provisioning is the first phase of identity management, where each subject is issued a unique identity assertion (something that serves as an identification, such as a user ID). During this process, the user is usually also issued a password for use in authenticating the identity assertion. The entity issuing the password and identity assertion will retain a record of each for use in recognizing the user later (when the user uses them to log in to resources). The generation, storage, and security controls of these passwords is known as password management. In a self-service identity management configuration (as opposed to a provider-managed configuration), the cloud customer is in charge of provisioning each user's identity/identity assertion.
The application normative framework (ANF)
used together with the ONF in that it is created for a specific application. The ANF shares the applicable parts of the organizational normative framework (ONF) needed to achieve an application's required level of security and the level of trust desired.
design phase
we begin to develop user stories (what the user will want to accomplish and how to go about it), what the interface will look like, and whether it will require the use or development of any APIs. This is also where we would identify what programming language (Python, Visual Basic, and so on) and architecture (REST, SOAP, and so on) we will use.
stateful packet inspection
which allowed firewalls to prevent inbound traffic from entering unless the connection had been initiated from inside the network.