Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CCSP > Domain 4: Cloud Application Security > Flashcards

Domain 4: Cloud Application Security Flashcards

1
Q

Mikayla wants to validate a component of her software that she has downloaded from GitHub. How can she validate that the underlying software does not have security flaws when it is downloaded and included in her environment as part of her integration process?

A. Validate the checksum of the file.
B. Validate the signature of the file.
C. Validate the hash of the file.
D. Mikayla cannot ensure that there are no security flaws via the options described.

A

Answer: D. Mikayla cannot ensure that there are no security flaws via the options described.

Mikayla can’t validate third-party software’s lack of vulnerabilities or other security issues simply by validating that it is signed, that its hash matches an officially posted hash, or that the checksum matches ensuring the file is intact. She’ll need to test the software herself or identify a third party that she can rely on that does appropriate software testing. Even then, the software could still contain flaws.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Lin wants to allow her users to use existing credentials provided by a third-party identity provider when they access her service. What element will she have to provide from the following list?

A. User IDs
B. Authentication
C. Authorization
D. Identity proofing

A

Answer: C. Authorization

Lin will need to provide authorization to use her organization’s services. The third-party identity provider will supply user IDs and will authenticate them, then provide Lin with a token or validation that the user is who they claim to be. Identity proofing is not necessarily provided by either party in this scenario, which can make accepting third-party credentials challenging if verifying that someone is who they claim to be is important, instead of just allowing access to the service.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Joanna’s software vendor does not provide source code to their clients. In the following list, what is her best option to test the security of the vendor’s software package?

A. Perform static analysis of the software.
B. Implement pair-programming techniques.
C. Review the software for hard-coded secrets.
D. Perform dynamic testing.

A

Answer: D. Perform dynamic testing.

Joanna knows she can’t access the source code, meaning that static analysis isn’t an option, and that identifying secrets may be difficult.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What SDLC model is most frequently associated with cloud development processes?

A. Agile
B. RAD
C. Spiral
D. Waterfall

A

Answer: A. Agile

The Agile development model is most frequently associated with cloud services and development. Rapid application development, spiral, and waterfall methods are more frequently associated with traditional development environments, but can be used for cloud services and systems

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Susan wants to avoid common pitfalls in cloud application development. Which of the following pitfalls is frequently associated with cloud environments?

A. Reliability of applications built in the cloud
B. Scalability of applications built in the cloud
C. Redundancy of applications built in the cloud
D. Security of applications built in the cloud

A

Answer: D. Security of applications built in the cloud

Susan knows that cloud services will allow her to build her applications on a reliable, scalable infrastructure that can leverage redundancy in multiple ways. She also knows that
Securing code remains a concern regardless of the environment in which it is built or run.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Susan wants to avoid issues with data integration. She is aware that the OWASP Cloud Top 10 includes service and data integration security issues, and is deploying a REST-based API for her customers to use when accessing her service. She is using API keys, but she is concerned about third parties intercepting and accessing the data. What should she include in her implementation to address this concern?

A. Data tokenization
B. Ensure encryption at rest
C. Ensure encryption in transit
D. Data masking

A

Answer: C. Ensure encryption in transit

Susan knows that encryption in transit, typically via TLS, is the right solution to prevent third parties from intercepting and accessing data that is sent to her customers via API calls. Tokenization and masking are used to protect data in applications, but they do not meet the need to prevent interception, and the data will be in transit rather than at rest in the scenario described.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Ben wants to gather business requirements for his software development effort and is using an Agile methodology. Which of the following is not a common means of gathering user requirements in an Agile process?

A. Brainstorming
B. Documentation review
C. User observation
D. Surveys

A

Answer: B. Documentation review

Brainstorming, surveys, workshops, user observation, and many other techniques are commonly used to gather business requirements. Documentation, however, doesn’t involve user
requirements or feedback.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Encryption at rest is a protective design element included in SDLCs for cloud environments due to what common cloud design motif?

A. Rapid elasticity
B. Multitenancy
C. Measured services
D. Scalability

A

Answer: B. Multitenancy

Since multiple tenants share the same underlying infrastructure, encryption at rest provides protection against inadvertent data exposure or remnant data on reused infrastructure. Elasticity, measured services, and scalability do not require encryption at rest and may in fact result in slightly higher costs due to encryption overhead.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Nick wants to avoid common pitfalls in his CI/CD pipeline. Which of the following is a common CI/CD pitfall that can harm cloud development efforts?

A. Automation of processes
B. Use of metrics
C. Using multiple deployment paths
D. Reliance on a version control system

A

Answer: C. Using multiple deployment paths

Having multiple deployment paths means that elements or processes in a CI/CD system can be avoided. A single path with an emergency process backing it up helps to avoid this
problem. Automation, use of metrics, and use of version control are all recommended best practices for CI/CD pipelines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Maria wants to integrate her existing identity provider with her cloud provider’s services. What common standard is used for most cloud identity provider integration?

A. IDPL
B. OpenLDAP
C. SAML
D. ConnectID

A

Answer: C. SAML

Maria knows that IdPs typically integrate with either OpenID Connect or SAML. OpenLDAP is an open source implementation of LDAP, but it isn’t used for this type of integration since it is a directory service. ConnectID and IDPL were made up for this question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Jack wants to enable his team to develop cloud-native applications. Which of the following is not a common element in a cloud-native application design?

A. Optimized assembly code
B. Automated release pipelines
C. Containers
D. Microservices

A

Answer: A. Optimized assembly code

Jack knows that languages that best fit cloud applications make the most sense and that assembly language isn’t likely to fit his CI/CD environment. Use of automated release
pipelines, containers, and microservices is a common element in cloud application development and design.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

At which phase of the software development life cycle (SDLC) is user involvement most crucial?

A. Define
B. Design
C. Development
D. Test

A

Answer: A. Define

While some development models allow for user involvement in the entirety of the process, user input is most necessary in the Define phase, where developers can understand
the business/user requirements— what the system/software is actually supposed to produce, in terms of function and performance. Involvement throughout the process is helpful, but without user input in Define, the entire process won’t have the right starting point.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Brian wants to ensure that he takes the OWASP Top 10 Cloud risks into account in his development process. He knows that regulatory compliance is on the list, and he wants to include it in the SDLC. During what phase of the SDLC would it make the most sense to consider regulatory compliance?

A. Analysis and requirements definition
B. Design
C. Implementation
D. Testing

A

Answer: A. Analysis and requirements definition

Brian needs to bring up regulatory compliance during the Requirements Gathering phase of the SDLC. If it isn’t a requirement, it won’t make it into the design and implementation.

Testing for regulatory compliance can be challenging as not all compliance can be tested for by technical means.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The testing process that Angie is using for her organization includes access to the design specifications, source code, and running applications. What type of security testing methodology is she using?

A. White box
B. Gray box
C. Red box
D. Black box

A

Answer: A. White box

Angie is using a white box, or full knowledge, testing methodology. Gray box, or partial knowledge, testing provides some but not all access to an environment or system. Black box, or zero knowledge, testing requires testers to act like attackers without insider knowledge of the systems. Red-box was made up for this question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

The CWE/SANS Top 25 most dangerous software errors includes the use of hard-coded credentials. What common cloud service component can be used to avoid this problem for cloud-hosted software and applications?

A. An MFA token
B. A TPM
C. A KMS
D. An API key

A

Answer: A. KMS

KMSs, or key management services, are used to securely store and access secrets, allowing them to be used when needed without hard-coding them. TPMs are used to store secrets for hardware devices, MFA tokens are used for multifactor authentication, and API keys are used to securely authenticate to and access APIs, but none of them provides the functionality needed to avoid hard-coded credentials in cloud applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Dana’s organization requires an SBOM for each application it deploys. What OWASP Top 10 item does an SBOM help to avoid?

A. Vulnerable and outdated components
B. Broken access control
C. Injection
D. Security misconfiguration

A

Answer: A. Vulnerable and outdated components

A software bill of materials (SBOM) is used to identify each component in a software package. Dana knows that having a SBOM will help her to track the versions and updates available for each component of her software stack.

A Software Bill of Materials (SBOM) is a detailed inventory of all the components, libraries, and dependencies that make up a software product. It’s like a list of ingredients for a software application, including details like component names, versions, licenses, and dependencies. SBOMs are crucial for understanding software composition, managing dependencies, mitigating security risks, and ensuring compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The company that Yun works for provides API access to customers. Yun wants to rate-limit API access and gather billing information while using a central authorization and access management system. What type of tool should Yun put in place to meet these requirements?

A. An API gateway
B. An API proxy
C. An API firewall
D. A next-generation API manager

A

Answer: A. An API gateway

API gateways are designed to aggregate API access, provide authentication for API use, rate-limit, and gather statistics and data about API usage. API proxies are used to decouple software components, API firewalls are purpose-built firewalls for APIs that protect specific APIs, and next-generation API managers were made up for this question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What phase of the SDLC is IAST typically associated with?

A. Design
B. Testing
C. Implementation
D. Deployment

A

Answer: B. Testing

Interactive application security testing (IAST) uses software instrumentation to monitor applications as they run and to gather information about what occurs and how the software performs. It is normally implemented during the QA or Testing phase of the SDLC.

IAST is a crucial application security testing method for identifying vulnerabilities in web applications, particularly in cloud environments. For CCSP professionals, understanding IAST is vital for developing a strong cloud security strategy. It enables faster vulnerability remediation, improved DevSecOps practices, and enhanced security for cloud applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Gary’s cloud service provides customers with access to APIs. Which of the following is a common security flaw in APIs?

A. Use of unstructured data
B. Lack of authentication
C. Use of semi-structured data
D. Lack of encryption

A

Answer: B. Lack of authentication

Unsecured APIs are a common issue, and lack of authentication is a major problem.
How data is provided— structured, unstructured, or semi-structured— is not a security issue.
Encryption is typically not provided by the API and is instead provided by the web server or underlying service.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Dan wants to encrypt data at rest in his cloud environment. What encryption standard should he look for when encrypting data at rest?

A. TLS
B. AES- 256
C. SSL
D. Blowfish

A

Answer: B. AES- 256

AES-256 is a commonly accepted and used standard for encrypting data at rest. TLS is used for encrypting data in transit. SSL is outmoded, and Blowfish has known vulnerabilities, including birthday attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Mark wants to ensure that his software vendor is using industry best practices as part of their software validation process. He knows that NIST defines a number of recommended minimums for verification of code by developers. Which of the following is not a NIST recommended minimum standard for vendor or developer verification of code?

A. Use automated testing.
B. Perform code-based (static) analysis.
C. Only check internally developed software.
D. Conduct threat modeling.

A

Answer: C. Only check internally developed software.

Checking whether the included software is internally or externally developed is a
best practice, and only checking your own components will often leave a lot
of unchecked software in a package. You can find the full list at www.nist
.gov/itl/executive-order-improving-nations-cybersecurity/
recommended-minimum-standard-vendor-or-developer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Lori wants to ensure that the included software components provided by her vendor are secure. What type of process should she use to conduct an assessment of those packages?

A. A web application vulnerability scan
B. A software composition analysis
C. A vulnerability scan
D. A version number validation process

A

Answer: B. A software composition analysis

Lori’s best option is to conduct a software composition analysis (SCA) process using an SCA tool that can identify open source libraries and other components. Vulnerability scans won’t identify all of the components associated with software, and a version number validation process was made up for this question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Christine has documented a software testing user story that states: “As an attacker, I will upload malicious software as part of my form submission, which will exploit the parsing software that reads user submissions.” What type of testing is Christine preparing for?

A. Abuse case testing
B. Static testing
C. QA testing
D. SCA testing

A

Answer: A. Abuse case testing

Christine is preparing for abuse case testing, which documents abuse of software functionality. Static testing reviews source code, QA testing validates the quality of software, and SCA is software composition analysis, which looks at the underlying components of software.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

OWASP’S Application Security Verification Standard (ASVS) has three primary usage models. Which of the following is not an intended usage model based on its design objectives?

A. To be used as a metric
B. To be used for auditing
C. To be used as guidance
D. To be used during procurement

A

Answer: B. To be used for auditing

ASVS is intended to be used as a metric to assess the degree of trust that can be placed in web applications, to provide guidance to developers on how to build in security controls, and as part of procurement processes to specify application security validation requirements in contracts. It isn’t designed as an audit standard.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Ian wants to use a cloud-specific list of application issues. Which of the following options should he choose? A. The OWASP Top 10 B. The NIST Dirty Dozen C. The SANS Top 25 D. The MITRE ATT&CK-RS
**Answer: A. The OWASP Top 10** **The OWASP Top 10 is a cloud-specific list, whereas the SANS Top 25 describes the software errors in general.** The NIST Dirty Dozen and the MITRE ATT&CK- RS were made up for this question.
26
Nick wants to use a common format for his team’s software versioning. What versioning format should he use if he wants to use a common industry practice? A. Codename.version B. Major.build.minor.patch C. RFC number.version.patch D. Major.minor.patch
**Answer: D. Major.minor.patch** Major.minor.patch is a common format for versioning. While there’s no industry standard, having the versioning numbers in an order of scale is a common practice.
27
What term is used to describe the list of all of the software components of a product? A. Component index B. SBOM C. Version catalog D. SCCM
**Answer: B. SBOM** A software bill of materials (SBOM) is a listing of all of the components of a software package or program, and it is considered increasingly important as part of a software security program.
28
Valerie’s company has recently experienced successful SQL injection attacks against a third-party application they use. The vendor has not yet provided a patch for the SQL injection flaw, but Valerie needs to keep the application in production due to business requirements. What type of tool could Valerie put in place to protect against the SQL injection attacks on her web application? A. A DAM B. A WAF C. An XML firewall D. An API gateway
**Answer: B. A WAF** Web application firewalls (WAFs) typically have built-in protection against common attacks like SQL injection. Valerie should choose a WAF to protect against both the SQL injection she’s aware of and other common attacks against web applications.
29
Jackie wants to allow applications to run using the libraries and other dependencies they need without having to have an independent operating system for each application. What technology should she use to allow her to easily move application packages between different operating systems? A. Packages B. Containers C. Virtual machines D. Hypervisors
**Answer: B. Containers** Containers allow applications to be moved easily because they contain the dependencies and components the application needs without requiring a complete operating system to be packaged with them. Packages are software components, and virtual machines run on hypervisors.
30
Charles logs in using his organization’s credentials and is able to use that login throughout a variety of systems and applications. What technology is Charles using? A. SAML B. SSO C. OpenID Connect D. OTP
**Answer: B. SSO** **Charles is using a single-sign-on (SSO) technology to allow him to log in once and use many services and systems.** SAML and OpenID Connect are used for federation, while OTP is a one-time password.
30
Henry wants to ensure that only authorized customers are able to use his organization’s public-facing APIs. What common security technique is for this purpose? A. API keys B. Single sign-on C. API federation D. Complex API passwords
**Answer: A. API keys** **Henry’s organization should use API keys to ensure that only authorized users are able to use the APIs that they expose for customer use.**
31
Nancy wants to ensure that her organization does not have an issue with licensing for her software, and she knows that the vendor controls access using a licensing server that each installation checks in with. Which of the following should she pay particular attention to in order to ensure that she does not have a service interruption at some point in the future? A. The license term B. Whether the terms of the license can be disclosed C. The license cost D. Third-party sub-licenses included in the contract
**Answer: A. The license term** **Nancy knows that she should keep track of the license term, or how long the license is valid for, so that the software does not disable itself when the license or contract expires.** The cost, whether the terms can be disclosed, and if there is third-party software involved, are less likely to be the cause of service interruptions.
32
Isaac wants to ensure that his cloud service provider is using cryptographic systems that meet widely accepted standards. What U.S. government standard should he expect his provider to comply with their cryptographic systems? A. GDPR B. FIPS 140-2 C. SSL D. SHA- 2
**Answer: B. FIPS 140-2** **FIPS 140- 2, a Federal Information Processing Standard, defines the requirements for cryptographic modules and is a commonly used standard to assess cryptographic systems, and it’s the only currently valid cryptographic standard listed here.** SSL is outdated and has been replaced by TLS, SHA-2 is a hashing algorithm, and GDPR is a European Union data protection regulation.
33
Megan wants to increase the auditability of the use of privileges in her infrastructure. Which of the following solutions will have the biggest positive impact on auditability? A. Use shared service accounts. B. Use multifactor authentication. C. Use dynamic secrets. D. Use API keys.
**Answer: C. Use dynamic secrets.** **Using dynamic secrets— secrets that are generated and used as they are needed— allows for granular auditing of uses because each secret is created as needed and thus their specific usage can be reviewed as needed.** Shared accounts don’t allow auditing because actions cannot be provably linked to individual users. Multifactor authentication helps prevent stolen credentials and brute-force attacks, but won’t increase the auditability of usage, and API keys allow API authentication, but like multifactor authentication, don’t increase the individual auditability of usage as much as dynamic secrets do.
34
In the testing phase of the software development life cycle (SDLC), software performance and ___________________ should both be reviewed. A. Version B. Complexity C. Size D. Security
**Answer: D. Security** Testing the performance and security of software is expected in the Testing phase of the SDLC. **The version, complexity, and size of the code are not commonly tested elements.**
35
Chris wants to use a cloud provider–hosted mechanism to store and manage his organization’s secrets. What type of solution should he look for? A. KMS B. PKI C. CA D. KCS
**Answer: A. KMS** Chris should look for a key management service (KMS). KMSs allow creation, storage, management, and auditing of keys. A PKI is a public key infrastructure, a CA is a certificate authority, and a KCS was made up for this question— none of them will provide the services that Chris is looking for.
36
What entity provides authentication services in a federation? A. IdP B. RP C. SP D. SSO
**Answer: A. IdP** **Identity providers (IdPs) provide authentication as well as create, manage, and maintain identities and identity information.** Relying parties and service providers both trust IdPs to handle authentication, and SSO is Single-Sign-On.
37
Docker is an example of what sort of tool? A. Microservices launcher B. Cloud application security broker C. A containerization platform D. A web application firewall
**Answer: C. A containerization platform** Docker is a containerization tool.
38
Yasmine is working with a software-as-a-service (SaaS) vendor. What part of the environment does Yasmine’s company have responsibility for? A. Applications and data storage. B. The OS, middleware, and runtime. C. Storage and networking. D. The vendor is responsible for the environment.
**Answer: D. The vendor is responsible for the environment.** **Yasmine knows that in an SaaS environment, the vendor is responsible for the applications, data storage, runtime and middleware, operating systems and servers, storage, and networking.** Yasmine’s company will be responsible for how they operate the software, who they provide access to, and what rights they provide to their users, as well as ensuring that her data is safe and secure.
39
Jason wants to use multifactor authentication. Which of the following lists a valid multi-factor set? A. A username, password, and PIN B. A username, password, and app-generated code on a phone C. A username, voiceprint, and fingerprint D. A username, app-generated code, and token-generated code
**Answer: B. A username, password, and app-generated code on a phone** Multifactor authentication relies on using two different types of factors: something you know, like a password or PIN; something you have, like a hardware token or application-generated PIN; or something you are, such as a biometric identifier. Jason knows that a password and an app-generated PIN count as using multiple factors.
40
Kim wants to use version control for her software. What common tool could her organization use to perform this function? A. Jenkins B. Chef C. Git D. Puppet
**Answer: C. Git** Git provides version management as part of its capabilities. Jenkins is a CI/CD tool used for continuous integration tooling. Puppet and Chef are both infrastructure automation tools.
41
Ramon’s organization uses Office 365 but relies on their own Active Directory credentials to log into O365. What is this type of configuration called? A. Federated identity B. Structured identity C. Shared identity D. Constrained identity
**Answer: A. Federated identity** **Ramon’s organization is using Azure’s federation capability to leverage its existing on-site credentials in the cloud.** Structured, shared, and constrained identity was made up for this question.
42
Gretchen wants to ensure that her organization is in compliance with their software licenses. Which of the following is the most important step for most organizations in ensuring license compliance? A. Using only open-source software B. Tracking all software versions C. Using only commercial software D. Software inventory
**Answer: D. Software inventory** **Having a complete software inventory allows organizations like Gretchen’s to ensure that they are aware of their software license compliances, terms, and conditions as well as their license expiration dates.** While only using open-source software might seem like an easy solution, there are multiple open-source software licenses that have different requirements, making a software inventory necessary. Using only commercial software doesn’t simplify the requirement, and software versioning is important but would be part of a complete inventory.
43
Laura wants to use a threat modeling tool to assess threats in her environment. Which of the following models has been abandoned by Microsoft and replaced with a new model? A. DREAD B. PASTA C. STRIDE D. ATASM
**Answer: A. DREAD** DREAD has been replaced with STRIDE by Microsoft. PASTA and ATASM are in active use. DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is the risk assessment model.
44
Aisha’s organization has deployed a cloud application security broker. Which of the following is not a typical purpose for a CASB to be deployed? A. To control usage-based costs B. To limit access based on service categories C. To help limit the potential for sensitive data loss D. To detect anomalous usage patterns
**Answer: A. To control usage-based costs** **CASBs are often used to control usage based on roles and rights, but they aren’t used to monitor based on costs in the cloud service itself— instead, cost limiting rules are often used in the cloud services themselves.** They are also used to limit the potential for sensitive data loss and to detect anomalous usage patterns.
45
Kathleen wants to test potentially malicious software in a secure way. What cloud application architecture concept can she apply to help her do so? A. An IPS B. A SIEM C. Sandboxing D. Antivirus
**Answer: C. Sandboxing** **Kathleen knows that sandboxing, or creating a secure and isolated environment, is commonly used for malicious software testing.** An IPS or antivirus can be used to detect malicious activities and might be deployed in the sandbox as part of the instrumentation. A SIEM solution is used to centralize and correlate security events and information.
46
Kieran’s team has deployed a CASB and wants to focus on data protection. Which of the following capabilities will most effectively help protect against third parties accessing data while it travels between Kieran’s on-premises location and their cloud vendors? A. Encryption B. Tokenization C. Masking D. Upload prevention
**Answer: A. Encryption** **Using the CASB to enforce encryption between an on-premises location and cloud providers will provide the most effective protection against third parties seeing the data in transit.** Tokenization and masking help protect data while it is being accessed, but don’t prevent it from being exposed in transit. Upload prevention doesn’t prevent downloads from being accessed.
47
Selah is preparing a container to deploy her application to a cloud service provider’s containerization service. Which of the following components will not be included in the container? A. The host kernel for the operating system B. The libraries needed by the application C. The configuration files for the application D. The binaries belonging to the application
**Answer: A. The host kernel for the operating system** Containers contain elements of the operating system but share the host’s kernel. They also contain libraries, configuration files, and the application files or binaries themselves.
48
Olivia is preparing to generate API keys and knows that they need to have certain characteristics to be secure. Which of the following best describes an API key that will be considered secure? A. Unique, random, and non-guessable B. Unique, sequential, and traceable C. Repeatable, sequential, and traceable D. Repeatable, logged, and traceable
**Answer: A. Unique, random, and non-guessable** API keys should be unique, random, and non-guessable to ensure that attackers cannot guess or otherwise identify them.
49
Ian is using a CASB to control usage of cloud services. He wants to ensure that users in his organization only use cloud services that are approved for their role. What two elements should he define in his rules to most effectively accomplish this? A. Identity and activity B. Activity and data C. Identity and service D. Service and data
**Answer: C. Identity and service** Ian can filter based on user identity and the service the users are attempting to use to most effectively filter service usage by role. Activity and data don’t identify the user, and activities don’t necessarily uniquely identify a service.
50
Jack wants to use the ATASM model. Which of the following is not one of the key elements of an ATASM assessment? A. Attacks B. Threats C. Architecture D. Mitigations
**Answer: A. Attacks** ATASM considers architecture, threats, attack surfaces (not attacks) and mitigations. ATASM (Architecture, Threats, Attack Surfaces, and Mitigations).
51
Testing done on running code is known as what type of testing? A. Dynamic B. Automatic C. Structured D. Static
**Answer: A. Dynamic** Testing done against running code is called dynamic testing. Static testing reviews source code. Automatic and structured testing are not commonly used testing terms.
52
A web application firewall (WAF) can understand and act on what type of traffic? A. Border Gateway Protocol (BGP) B. Simple Mail Transfer Protocol (SMTP) C. Internet Control Message Protocol (ICMP) D. Hypertext Transfer Protocol (HTTP)
**Answer: D. Hypertext Transfer Protocol (HTTP)** WAFs focus on web traffic and thus typically scan HTTP traffic rather than BGP, ICMP, or SMTP traffic.
53
Henry wants to design his SDLC to help prevent the most common application security issues. Where in the SDLC should he insert controls to ensure that his application architecture is secure? A. Analysis and requirements definition B. Design C. Deployment D. Operations and maintenance
**Answer: B. Design** **The Design phase allows Henry to include security design elements that will help ensure that his application is secure.** The Requirements phase should include the need for security, but won’t specify how it will be accomplished, and deployment and maintenance are too late as the architecture has already been designed and implemented.
54
Jacinda’s manager has asked her to set up a sandbox environment to help validate third-party software before it is run. What should Jacinda prepare an environment to handle? A. Optimizing the production environment by moving processes that are not frequently used into the sandbox B. Allowing secure remote access for users who need resources in the cloud environment C. Running malware for analysis purposes D. Creating secure subnets of the production environment
**Answer: C. Running malware for analysis purposes** **A sandbox can be used to run malware for analysis purposes as it won’t affect (or infect) the production environment; it’s worth noting, though, that some malware is sandbox-aware, so additional antimalware measures are advisable.** Optimizing production by moving tasks isn’t a typical use for a sandbox, remote secure access systems are called jumpboxes, and subnets are created using network configurations.
55
Valerie wants to decouple her application infrastructure from her underlying operating system platforms to allow her to more easily migrate between cloud service providers. What type of solution will best fit her needs? A. Use custom-configured Linux virtual machines to host the application. B. Use containers configured for the application to host the application. C. Use the cloud provider’s native serverless infrastructures to host the applications. D. Use default Linux systems with default configurations to host the application.
**Answer: B. Use containers configured for the application to host the application. ** **Containerization best meets the platform-agnostic approach that matches Valerie’s requirements.** While serverless is powerful, moving between native serverless platforms typically requires building to each provider’s requirements. Virtual machines have more overhead than Valerie needs, and not configuring them for the application only makes them less suited to the task.
56
Gary wants to monitor privileged credential use in his Microsoft SQL Server environment, which he hosts with an IaaS provider. What type of tool should Gary select to help with this need? A. A WAF B. A database SIEM C. A DB-IPS D. A DAM
**Answer: D. A DAM** **A Database Activity Monitor (DAM) solution provides database activity monitoring that includes privileged account usage logging and monitoring in addition to other security and monitoring features.** A WAF would help with web application security issues but doesn’t meet the need described here. DB- IPS and database SIEMs were made up for this question.
57
Paula wants to avoid Denial-Of-Service (DOS) attacks against her APIs. What controls should she select to most effectively provide this type of security? A. Use an IPS and a scalable architecture. B. Use a scalable architecture and set throttling limits and quotas. C. Require authentication and use an IPS. D. Require authentication and set throttling limits and quotas.
**Answer: D. Require authentication and set throttling limits and quotas.** **Requiring authentication and setting throttling limits and quotas help to prevent Denial-Of-Service (DOS) attacks on APIs.** Scalable architecture can help handle the load, but won’t stop the attacks from occurring, and using an IPS might help stop attacks, but an API gateway would be more likely to understand API traffic.
58
Sandboxing can often be used for ___________________. A. Testing user awareness and training. B. Testing API security. C. Testing software before putting it into production. D. Testing software to validate its compliance with regulatory requirements.
**Answer: C. Testing software before putting it into production.** **Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment that mimics the production environment in order to determine whether there will be any interoperability problems when it is installed into actual production.** It isn’t used for user awareness, regulatory requirement evaluation, or API security testing in most cases.
59
Jen wants to ensure that the encryption modules she is using in her application design are secure. What type of validation or certification should she look for? A. PCI compliant B. AES-cert C. FIPS 140-2 D. GLBA validated
**Answer: C. FIPS 140-2** **FIPS 140- 2 is a U.S. government standard that specifies the security requirements for cryptographic modules.** If the module Jen is using is FIPS 140- 2-certified, she will have met her goal. PCI compliance is used for credit cards, AES is not a certification, and GLBA is a U.S. act that requires financial institutions to secure their customers' private information.
60
Kwame wants to limit the impact of potentially compromised secrets in his environment. What should he do to most effectively limit the issues compromised the secrets can cause? A. Extend the secrets lifecycle. B. Rotate secrets. C. Replace secrets with tokens. D. Implement a secret expiration list.
**Answer: B. Rotate secrets.** Rotating secrets limits the blast radius of exposed or compromised secrets. Extending their lifecycle does the opposite and means they can have a longer lifecycle in the hands of attackers. Replacing secrets with tokens won’t meet the needs of most service environments. While certificate revocation lists (CRLs) exist, secret expiration lists do not.
61
As part of her organization’s SDLC, Olivia is testing whether the business logic in a new application generates correct output. What type of testing is Olivia conducting? A. Stress testing B. Functional testing C. Load testing D. Nonfunctional testing
**Answer: B. Functional testing** **Olivia is conducting functional testing that seeks to test whether the software meets business requirements.** This does not specify a load or stress test scenario.
62
Olivia’s organization wants to adopt multifactor authentication. Which of the following MFA models is considered less secure than the others? A. Hardware tokens B. Mobile applications C. SMS factors D. USB tokens
**Answer: C. SMS factors** **SMS factors are considered the least secure of these options because of SIM swapping and VoIP-based attacks on SMS messages.**
63
Ben wants to validate open-source software packages used in his environment. Which of the following is not a valid dynamic testing option? A. Use manual security testing of the live application. B. Use an application vulnerability scanner. C. Use manual security testing of the source code. D. Conduct unit and integration testing of the application.
**Answer: C. Use manual security testing of the source code.** **Review of the source code is static testing and does not meet Ben’s needs. The other answers all include dynamic testing options.**
64
Yariv’s abuse case testing has identified an issue with their web application that allows bots to conduct automated attacks. What type of protection could he implement to limit the impact of bots performing actions like this? A. Filter known SQL injection attacks from web queries. B. Use a CAPTCHA before allowing user actions. C. Require users to log in before performing actions. D. Prevent XSS by limiting special characters in form submissions.
**Answer: B. Use a CAPTCHA before allowing user actions.** **CAPTCHA-based security systems help to reduce the impact of bots by requiring human interaction.** While there are ways to work around CAPTCHAs, Yariv knows that they require additional work from attackers and will help reduce the overall load from bots. SQL injection and XSS are not mentioned in the question, and requiring logins without additional protections will not help.
65
Emily logs in to a third-party website using her Google credentials. What role is Google playing in the authentication process? A. Google is the service provider. B. Google is the storage provider. C. Google is the authorization provider. D. Google is the identity provider.
**Answer: D. Google is the identity provider.** **When Emily logs in using her Google credentials, Google acts as the identity provider and tells the third-party service provider that she has logged in using her user ID and passwords successfully.** The service provider must then authorize her to use the services. Nothing in the question indicates whether the service provider may be a storage provider.
66
Software developers designing applications that allow access to protected customer information for the cloud should expect to include options to ensure all of the following capabilities except ___________________. A. Encryption of data at rest B. Encryption of data in transit C. Data masking D. Randomizing customer data
**Answer: D. Randomizing customer data** Not all programs (or organizations) will require database access, or even use databases, and hashing is not a common requirement since the data will not be readable. Encryption at rest and in transit, as well as data masking, are all commonly employed to protect sensitive information.
67
Kristen wants to filter her SAML traffic for potential attacks, including rate-limiting requests and validating content. Which of the following solutions is purpose-built for this type of security design? A. A DAM with OpenID support B. A SAML-compliant IDS C. An XML firewall D. A WAF
**Answer: C. An XML firewall** **SAML is an XML-based protocol, and Kristen knows that an XML firewall that is SAML-aware with appropriate rules for identity-based protection would be her best option.** IDS systems cannot rate-limit even if they are SAML-aware. WAFs are designed for web applications rather than specifically for XML and SAML-based filtering, and a DAM is a database- specific tool.
68
Which of the following is not true about single sign-on (SSO)? A. Reduction in password fatigue B. Reduces password reuse C. Prevents the use of multifactor authentication D. Makes end-user credential management easier
**Answer: C. Prevents the use of multifactor authentication** **Using SSO does not prevent the use of multifactor authentication.** In fact, it often makes it easier since organizations can centralize their use of MFA.
69
What does static application security testing (SAST) examine? A. Software outcomes B. User performance C. System durability D. Source code
**Answer: D. Source code** **Static testing reviews source code. Dynamic testing would test outcomes and performance.**
70
Angela wants to deploy multifactor authentication (MFA) for her organization and wants to integrate it with her cloud provider. Which of the following MFA options is least likely to be easily supported by a cloud provider? A. Hardware tokens B. Biometric readers C. Mobile applications D. SMS factors
**Answer: B. Biometric readers** **Biometric readers are the least likely secondary factor to be supported by cloud vendors.** Hardware and software tokens as well as SMS factors are commonly supported by cloud providers.
71
Christina is following a typical SDLC process and has completed the planning phase. What phase typically follows the Planning phase in most SDLCs? A. Design B. Deployment C. Maintenance D. Requirements Gathering
**Answer: D. Requirements Gathering** **Once planning is done, organizations typically move into the Requirements Gathering phase to ensure they know what the software they will build will do.** Design, Build, Test, Deploy, and Maintain are common follow-up phases.
72
Annie’s organization uses a waterfall methodology for its SDLC. What description best fits a waterfall methodology? A. Development efforts can move easily between phases to meet organizational needs. B. The outcome of each phase serves as the input to the next phase. C. Development efforts repeat in cycles until the development is complete. D. The outcome of each phase determines whether the process moves forward or backward in the SDLC process.
**Answer: B. The outcome of each phase serves as the input to the next phase.** Waterfall phases each serve as the input for the next phase and move only in one direction.
73
During what phase of the SDLC are business requirements most likely to be mapped to how the software will be built? A. Requirements Definition B. Design C. Testing D. Secure Operations
**Answer: B. Design** Requirements are typically mapped to the software in the Design phase. Requirements will be created in the Define phase, validated in the Test phase, and, of course, the software will be run in production in the Operations phase.
74
Stress testing is a form of what type of testing? A. Black box B. Functional testing C. White box D. Nonfunctional testing
**Answer: D. Nonfunctional testing** **Nonfunctional testing seeks to test whether it meets customer expectations and performance requirements, including how software behaves under abnormal conditions.** Black box, or zero knowledge, testing attempts to replicate an attacker’s experience; white box, or full knowledge, testing provides complete insight into an environment or tool, including access to source code and documentation, and functional testing is conducted based on business requirements.
75
Gabriel’s organization wants to ensure that their open-source software is properly licensed. What should they were do? A. Contact the authors of each component to request permission to use them. B. Engage a third-party license management vendor to ensure compliance with the licenses. C. Pay appropriate licensing fees to the licensing organization for each software component. D. Review the licenses for each component to ensure they are in compliance.
**Answer: D. Review the licenses for each component to ensure they are in compliance.** **Since there are some different open source licenses, Gabriel’s best bet is to ensure that his organization reviews the licenses that apply to each software package or component they use.** This can be complex and time-consuming, and organizations often limit the licenses they are willing to accept to reduce of this burden.
76
Sofia is preparing a list of the likely attacks against her APIs. Which of the following is not a common attack against APIs? A. Injection B. Malware C. Distributed denial-of-service D. Credential stuffing
**Answer: B. Malware** **Injection, distributed denial-of-service, cross-site scripting, on-path, and credential stuffing attacks are all commonly aimed at APIs. Malware attacks, however, are not a common API threat.**
77
The SAFECode Fundamental Practices for Secure Software Development includes a section on handling errors. What common development best practice does it reference? A. Providing too much information in errors. B. Handling errors in a secure and graceful way. C. Ensuring unanticipated errors are provided only to administrators. D. Ensuring unanticipated errors are provided only to users.
**Answer: B. Handling errors in a secure and graceful way.** **The SAFECode fundamental practices note that errors should be handled in a secure and graceful way.** It recommends against providing too much information in errors and that unanticipated errors should be flagged to both users and administrators, but with different levels of information appropriate to each group.
78
Jason wants to use TLS to protect his organization’s production web traffic. Who should generate the x.509 certificate for his website? A. Jason should generate it on the web servers. B. Jason should use his company’s internal certificate authority. C. Jason should use a commercial certificate authority. D. Jason should generate the certificate on a separate administrative workstation used only for that purpose.
**Answer: C. Jason should use a commercial certificate authority.** **Jason should use a commercial certificate authority for any certificate used in production.** This allows users to validate the certificate and the certificate chain to ensure trust.
79
Lisa wants to ensure that the open-source software package she has downloaded is legitimate. The software download site provides an SHA2 hash, a cryptographic signature, a file size, and a version number. Which of these options provides the greatest level of certainty? A. The SHA2 hash B. The cryptographic signature C. The file size D. The version number
**Answer: B. The cryptographic signature** **A signature ensures that the file is both the correct file and that it has not been changed, and validates that it was provided by the signer.** An SHA2 hash is the second-best option, although attackers might modify the hash on the site or modify the file before it is hashed. File size and version number are the least useful options.
80
James has created monitoring instrumentation for his application and uses the instrumentation to assess performance as well as function during the QA stage of his SDLC. What type of software validation methodology is he using? A. IAST B. Interactive DST C. SCA D. Structured DST
**Answer: A. IAST** **Interactive application security testing (IAST) uses software instrumentation to validate performance and function, and is typically conducted during the QA/Test phase of the SDLC.** SCA, or software composition analysis, reviews the components that make up an application. Interactive and structured DST were made up for this question.
81
Michelle is using the SAFECode Fundamental Practices for Secure Software Development as an underlying foundation for her organization’s development practices. She wants to develop an encryption strategy and knows that SAFECode describes how to do so. Which of the following is not a best practice for developing an encryption strategy for applications according to SAFECode? A. Ensuring encryption algorithms cannot be changed easily. B. Defining what to protect. C. Assessing what encryption mechanisms meet the organization's requirements. D. Deciding on a key management solution.
**Answer: A. Ensuring encryption algorithms cannot be changed easily.** **Changing encryption algorithms if a problem is found with one that is currently in use is, actually, a best practice that SAFECode recommends.** They call it “cryptographic agility”, and note that you need to be able to transition to new mechanisms, libraries, and keys when needed. Defining what to protect, what mechanisms will be used, and how keys and certificates will be managed are all common best practices and are also recommended by SAFECode.
82
In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment? A. Cloud customer B. Cloud provider C. Regulator D. Programmers
**Answer: A. Cloud customer** **In a PaaS environment, the customer is responsible for the security of applications in the production environment.** The service provider will be responsible for the underlying hardware and platform itself.
83
James wants to test his software for business logic issues that knowledgeable users could use to take advantage of his software. What type of testing should he invest in? A. Abuse case testing B. Black box testing C. Use case testing D. White box testing
**Answer: A. Abuse case testing** **Abuse case testing will test how users could abuse the software, including the type of issues James is concerned about.** White box, or full knowledge, testing, and black box, or zero knowledge, testing both describe the amount of information that testers have about the environment, and use case testing validates how software is supposed to be used, not how it could be abused.
84
Frankie wants to implement single-sign-on (SSO) for her organization. Which of the following options is not commonly supported for SSO in cloud environments? A. Cloud provider native SSO B. Active Directory C. SAML D. LDAP
**Answer: D. LDAP** **Active Directory, SAML, and vendor-native SSO options are all commonly supported, but LDAP is not a commonly supported SSO option for most cloud vendors.**
85
Regardless of which model the organization uses for system development, in which phase of the software development life cycle (SDLC) will user input be requested and considered? A. Define B. Design C. Development D. Detect
**Answer: A. Define** **In the Define phase, organizations work to determine the purpose of the software and what it needs to do to meet the needs of users.** Design and Development stages, then work to architect and build software that meets those requirements. Detect is not an SDLC phase.
86
Pete is reviewing his environment based on the OWASP Cloud Native Application Security Top 10. He knows that container configuration is a top concern and has identified that his containers currently run as root. How can he remediate this issue? A. Set the operating system to prevent root logins. B. Set a non-privileged user as the container owner. C. Set a non-privileged user as the process owner. D. Use multifactor authentication for the root user.
**Answer: C. Set a non-privileged user as the process owner.** **Setting a nonprivileged user as the process owner will work in many cases. Setting the container owner as a nonprivileged user won’t stop root from running it in a poor configuration.** Limiting root login or requiring multifactor won’t stop a process from running as root either.
87
Jessica’s quality assurance testing process involves identifying software flaws, including business logic flaws, and other coding mistakes. What type of testing should she perform to most effectively identify underlying code quality issues? A. Static testing B. Black box testing C. Dynamic testing D. Software composition analysis
**Answer: A. Static testing** **Jessica should perform static testing to help her organization identify code quality issues by reviewing the source code for the application.** Dynamic testing can identify functional issues, but may not identify code quality or business logic flaws. Black box testing won’t allow the access to the code she needs, and software composition analysis seeks to understand what components make up an application.
88
Which of the following is not checked when using the STRIDE threat model? A. The ability of users to gain administrative access rights without proper permission. B. The ability of internal personnel to trigger business continuity/disaster recovery activities. C. The ability of a participant in a transaction to refute that they’ve taken part in the transaction. D. The ability of an unauthorized user to pretend to be an authorized user.
**Answer: B. The ability of internal personnel to trigger business continuity/disaster recovery activities. (BC/DR) ** **The STRIDE threat model does not deal with business continuity and disaster recovery (BC/DR) actions. All the other options are elements of STRIDE: escalation of privilege, repudiation, and spoofing.**
89
Kathleen’s organization uses a microservices architecture to deliver its major applications. What type of security tool is best suited to providing security for microservices that rely on APIs and service discovery? A. CASB B. XML firewall C. RPC gateway D. API gateway
**Answer: D. API gateway** **API gateways are well suited to this type of architecture because they focus on service discovery and API security as well as rate-limiting and other security controls like authentication.** XML firewalls and cloud application security brokers (CASBs) are both used for other purposes, and RPC gateways allow remote procedure calls to other networks and services.
90
At which phase of the software development life cycle (SDLC) should security personnel first be involved? A. Define B. Design C. Develop D. Test
**Answer: A. Define** **The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC, and thus is when security staff should be included.**
91
Tahir configures his organization’s QA environment to simulate logins for 25% more users than typically log in at the maximum usage for their major web application. Which term best describes the type of testing Tahir is conducting? A. Dynamic, nonfunctional testing B. Dynamic, functional testing C. Static, functional testing D. Static testing, nonfunctional testing
**Answer: A. Dynamic, nonfunctional testing** **Tahir is conducting a non-functional test that checks for behavior under load, and since the program is actually running, it is dynamic testing rather than static testing of source code.**
92
When Joanna logs into a service provider that her organization works with, the service provider sends a request to her organization’s identity provider to determine if she is already authenticated. If she is, the identity provider sends a token to the service provider confirming that she is authenticated, and her browser will pass a token to the service provider that is validated based on the trust relationship the service provider has with the identity provider. What type of infrastructure is Joanna using? A. RDP B. SSO C. OTP D. MFA
**Answer: B. SSO** **Joanna is using a Single-Sign-On (SSO) infrastructure to allow her to sign on in one location and to use those credentials in multiple locations with various service providers.** RDP (Remote Desktop Protocol) is used for graphical access to Windows systems, OTP is a one-time password, and MFA is multifactor authentication.
93
Ben’s team uses the STRIDE model to identify security threats. What security property does tampering impact in the STRIDE model? A. Integrity B. Confidentiality C. Availability D. Authorization
**Answer: A. Integrity** Tampering impacts the integrity of data by modifying it.
94
Carmen’s organization wants to provide awareness training using a community-based web application security guide. What community standard is best suited to this type of training? A. ASVS B. CVE C. OWASP D. NIST
**Answer: C. OWASP** OWASP, the Open Web Application Security Project, provides both cloud and web application security Top 10 lists that are community-sourced and which are well suited to awareness training. ASVS sets standards for application validation and security testing. CVE and NIST are not community-based web application security guides.
95
Henry uses an IAST process as part of his SLDC. What SDLC phase is IAST most likely to occur in? A. Planning B. Building C. Deployment D. Testing
**Answer: D. Testing** Interactive application security testing (IAST) would be most likely to occur during the Testing phase of the SDLC.
96
Malika wants to ensure that human error doesn’t influence the security of secrets in her organization. Which of the following practices will most effectively prevent human-related issues from influencing her secret security? A. Use a common passphrase word list in an automated CI/CD pipeline. B. Require password complexity. C. Generate passphrases randomly. D. Exclusively use shared passphrases.
**Answer: C. Generate passphrases randomly.** **Using automated creation tools for passphrases will prevent staff members from reusing passwords or falling into habits that result in easily guessed passphrases and passwords.** Using a word list, shared passphrases, or simply adding complexity will not meet Malika’s needs.
97
Frank knows that his organization intends to use federated identities as part of its cloud services environment. What standard should he ensure that his existing on-site identity management system supports to help with this? A. SAML B. FIPS 140- 2 C. XML D. FIM
**Answer: A. SAML** **SAML (Security Assertion Markup Language) is commonly used to enable identity federation.** FIPS 140- 2 is a U.S. government encryption mechanism standard, XML may be needed, but is a very broad standard for extensible markup languages, and FIM is federated identity management, a generic term describing the overall concept, not a technology or technological capability.
98
James uses a CI/CD pipeline at the core of his development process. What design pattern should he use to ensure his QA process doesn’t impact production? A. Add software going through QA to his production environment to allow live testing. B. Create a new environment for QA testing, then promote to production after testing. C. Replicate the production environment for QA testing, then promote to production after testing. D. Add software to the QA environment for testing, then allow production users to access QA with instrumentation in place.
**Answer: C. Replicate the production environment for QA testing, then promote to production after testing.** Replicating production for QA testing, then promoting from QA to production once testing is complete, is a common design practice in application development environments. Adding software going through QA to production environments or allowing users to use QA systems instead of production can lead to a negative user experience, and creating a QA environment that doesn’t match production may invalidate testing.
99
Tara’s organization uses a three-level application security verification standard, and requires that their most secure applications reach level 3 with in-depth validation and testing. What application security standard are they using? A. ASVS B. SAFECode C. OWASP D. SANS/CWE
**Answer: A. ASVS** ASVS uses a three-level code validation assurance level model, with level 3 requiring critical applications to meet in-depth validation and testing requirements. The OWASP Application Security Verification Standard (ASVS) is a security standard that helps organizations develop, maintain, and test secure applications, and it is relevant to the CCSP (Certified Cloud Security Professional) certification. ASVS is particularly useful for understanding and applying cloud application security principles. Level 3. Level 3 of the ASVS is the most rigorous level of security requirements. It includes all the requirements from Levels 1 and 2, adding additional requirements considered best practices for securing web applications.

CCSP (22 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions