Cloud Applications Flashcards
Qualitative risk analysis
is the process of rating or scoring risk based on a person’s perception of the severity and likelihood of its consequences.
Quantitative risk analysis
is the process of calculating risk based on data gathered.
What is the S.T.R.I.D.E threat model?
Spoofing Identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service, Elevation of privileges.
Spoofing Identity
illegally accessing and then using another user’s authentication information, such as username and password.
Tampering with data
involves the malicious modification of data.
Repudiation
users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations.
Information disclosure
the exposure of information to individuals who are not supposed to have access to it
Elevation of privilege
an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system
D.R.E.A.D (Risk Assessment Model)
Damage, Reproducibility, Exploitability, Affected users, Discoverability
What is D.R.E.A.D?
is part of a system for risk-assessing computer security threats previously used at Microsoft and although currently used by OpenStack and other corporations
What is PTA?
PTA (Practical Threat Analysis) is a risk assessment methodology and a suite of software tools that enable users to find the most beneficial and cost-effective way to secure systems and applications according to their specific functionality and environment.
Rapid Application Development
is a form of agile softwaredevelopmentmethodology that prioritizesrapidprototype releases and iterations
Security Systems Development Life Cycle (SecSDLC)
a methodology for the design and implementation of an information system in an organization.
OpenID
it allows users to be authenticated by co-operating sites using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each
OAuth
is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords
WS-Federation (Web Services Federation)
is an Identity Federation specification, developed by a group of companies: BEA Systems, BMC Software, CA Inc. (along with Layer 7 Technologies now a part of CA Inc.), IBM, Microsoft, Novell, HP Enterprise, and VeriSign.
web application firewall (WAF)
is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation.
XML appliance
is a special-purpose network device used to secure, manage and mediate XML traffic
Tokenization
is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
Data masking
is the process of hiding original data with modified content (characters or other data.)
SQL injection
is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Weak Authentication
Weak authentication has many facets, ranging from brute forcing of the user interface to insecure storage of the database credentials used by an application.
Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes
Excessive privileges
If users hold privileges that exceed the requirements of their job function, these privileges may be abused by the individual or an attacker who compromises their account.
