Security Terminology Flashcards
(15 cards)
Static Application Security Testing (SAST) looks for vulnerabilities in source code. True or False
True
Dynamic Application Security Testing (DAST) tests a running application (the executable) from the outside, without access to its source code; only the exposed interface (UI or API) is available to the tester. True or False
True
IDOR (Insecure Direct Object Reference)
A vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application’s URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.
https://cheatsheetseries.owasp.org/cheatsheets/insecure_direct_object_reference_prevention_cheat_sheet.html
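Added worked example (not from the flashcards or the OWASP cheat sheet): an IDOR-prone lookup beside the two fixes the cheat sheet recommends, scoping the lookup to the authenticated user and using per-session indirect references. The invoice table, user ids and function names are constructed for the demo.

```python
"""IDOR demo: a vulnerable object lookup and two access-controlled versions.

Everything here (invoices, user ids 7 and 42, function names) is constructed
for illustration; it is not the cheat sheet's or any project's code.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: str


# Constructed stand-in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount="19.99"),
    1002: Invoice(1002, owner_id=42, amount="2500.00"),
}


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours' so valid ids cannot be enumerated."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the id comes straight from the request and ownership is never checked."""
    if invoice_id not in INVOICES:
        raise AccessDenied(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_checked(session_user_id: int, invoice_id: int) -> Invoice:
    """Fix 1: the lookup is scoped to the caller (WHERE id = ? AND owner_id = ? in SQL)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        raise AccessDenied(invoice_id)
    return invoice


def build_reference_map(session_user_id: int) -> dict[str, int]:
    """Fix 2: per-session random references; the real ids never reach the client."""
    return {
        secrets.token_urlsafe(16): inv.invoice_id
        for inv in INVOICES.values()
        if inv.owner_id == session_user_id
    }


def get_invoice_indirect(reference_map: dict[str, int], ref: str) -> Invoice:
    """Only references minted for this session resolve; any other string is rejected."""
    if ref not in reference_map:
        raise AccessDenied(ref)
    return INVOICES[reference_map[ref]]


def attack_succeeds(lookup) -> bool:
    """User 7 tampers the invoice_id parameter to read user 42's invoice 1002."""
    try:
        return lookup(session_user_id=7, invoice_id=1002).owner_id == 42
    except AccessDenied:
        return False


def indirect_attack_succeeds(session_user_id: int = 7, guessed_ref: str = "1002") -> bool:
    """Same attacker against the indirect-reference endpoint: the raw id is meaningless."""
    refs = build_reference_map(session_user_id)
    try:
        return get_invoice_indirect(refs, guessed_ref).owner_id == 42
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("vulnerable lookup leaks:", attack_succeeds(get_invoice_vulnerable))  # True
    print("scoped lookup leaks:    ", attack_succeeds(get_invoice_checked))     # False
    print("indirect lookup leaks:  ", indirect_attack_succeeds())               # False
```

The scoped lookup is the usual fix; the indirect-reference map is useful when ids must not be exposed at all, at the cost of keeping per-session state. Both return the same error for missing and foreign objects so an attacker cannot probe which ids exist.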
What is SECaaS?
Security as a Service
What does AWS CloudWatch monitor?
Resources and Applications
What does AWS CloudTrail track?
User activities and API usage
JSON
JavaScript Object Notation
- Text syntax for storing and exchanging structured data
- Lightweight
- Self-describing (field names travel with the values)
- Language-independent: despite the name it has nothing to do with Java, and most languages ship a JSON parser
In a PaaS environment, who is typically responsible for a security platform configuration such as IDS tuning?
A. The provider
B. The customer
C. The broker
D. The end user
A
What is OpenID Connect (OIDC) used for?
OIDC is an identity layer on top of OAuth 2.0: OAuth handles authorization (access tokens) and OIDC adds authentication (an ID token that asserts who the user is). OIDC is used for SSO, delivering the benefits of using one login for multiple sites.
OIDC / OAuth 2.0 does not itself encrypt access tokens; bearer tokens are readable by whoever holds them and are protected in transit only by TLS.
A. True
B. False
A
What is the difference between SAML vs OAuth vs OpenID Connect
Like OpenID Connect (OIDC), which is built on OAuth 2.0, SAML is designed for both authentication and authorization. OIDC is for authentication and OAuth was built solely for authorization. Understanding the different purposes of each is key to understanding how an access management system works.
SAML and OAuth both grant access by presenting a token (a SAML assertion or an OAuth access token) rather than the user's credentials. However, OAuth does not encrypt its access tokens and grants only authorization. SAML and OIDC (on top of OAuth) provide both authorization and authentication of identity for SSO.
However, SAML is designed to focus on enterprise security, while OAuth, because it lacks encryption and relies on secure sockets layer/transport layer security (SSL/TLS) protocols for security, is generally not a good choice for securing an enterprise of hundreds or thousands of employees.
OAuth may be preferable for identity management (government apps), optimal user experience, mobile/consumer apps, VDI, and temporary access use cases.
What is the difference between OpenID and OpenID Connect?
OpenID Connect (OIDC) is an authentication protocol that verifies a user's identity when the user tries to access a protected Hypertext Transfer Protocol Secure (HTTPS) endpoint. OIDC was developed to work together with OAuth 2.0 by providing an authentication layer on top of the authorization layer OAuth provides. OIDC was developed by the OpenID Foundation, whose members include companies like Microsoft and Google.
OpenID is an easy and safe way for people to reuse an existing account and user profile from an identity provider, for example Apple, Google, or Microsoft, to sign in to any OpenID-enabled application or website without creating a new registration and password. You choose the provider, such as Google, and enter your Gmail address and password to sign in.
What is AWS Control Tower?
It automates multi-account setup, governance, compliance enforcement, drift prevention, and security best practices.