The fourth domain of the Certified Cloud Security Professional (CCSP) Exam Outline covers applications in the cloud, from software development to challenges involved in migrating apps from the traditional IT environment. It also addresses software security and performance testing methods as well as proper identity and access management (IAM) principles. Because it is weighted less than the previous domains (according to this table published by (ISC)2, https://cccure.training/m/articles/view/CISSP-domains-weight-percentage-on-the-real-exam), there are considerably fewer questions in this chapter.

ISO 27034 mandates a framework for application security within an organization. According to the standard, each organization should have a(n) _______________, and each application within the organization should have its own _______________.
According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and _______________ Application Normative Framework (ANF[s]) for each application within that organization.
What language is used in the Simple Object Access Protocol (SOAP) application design protocol?
Typically, representational state transfer (REST) interactions do not require _______________.
Representational state transfer (REST) application programming interfaces (APIs) use _______________ protocol verbs.
The architecture of the World Wide Web, as it works today, is _______________.
RESTful responses can come from the server in _______________ or _______________ formats.
Which of the following is an informal industry term for moving applications from a traditional environment into the cloud?
Developers creating software for the cloud environment should bear in mind cloud-specific risks such as _______________ and _______________.
When an organization considers cloud migrations, the organization’s software developers will need to know which _______________ and which _______________ the organization will be using, in order to properly and securely create suitable applications.
Which of the following is perhaps the best method for reducing the risk of a specific application not delivering the proper level of functionality and performance when it is moved from the traditional environment into the cloud?
Software developers designing applications for the cloud should expect to include options to ensure all of the following capabilities except _______________.
In a platform as a service (PaaS) model, who should most likely be responsible for the security of the applications in the production environment?
In the testing phase of the software development lifecycle (SDLC), software performance and _______________ should both be reviewed.
Regardless of which model the organization uses for system development, in which phase of the software development lifecycle (SDLC) will user input be requested and considered?
Which phase of the software development lifecycle (SDLC) is most likely to involve crypto-shredding?
Where are business requirements most likely to be mapped to software construction?
All of the following are usually nonfunctional requirements except _______________.
Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that may not have been as important in the traditional environment?
Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may have to consider incorporating in software for the cloud that might not have been as important in the traditional environment?
Designers making applications for the cloud have to take into consideration risks and operational constraints that did not exist or were not as pronounced in the traditional environment. Which of the following is an element cloud app designers may not be able to use as readily in the cloud environment as it was deployed in the traditional environment?
All of these can affect the quality of service expected from an application except _______________.
The possibility that a user could gain access or control of an application so as to take on administrator or management capabilities is called _______________.
Which of the following is not checked when using the STRIDE threat model?
It is very likely that your organization’s users will use unapproved application programming interfaces (APIs), especially in a bring your own device (BYOD) environment, because _______________.
Some current software developers are not aware of security problems within the programs they’re creating because _______________.
What is the most secure form of code testing and review?
What is the major difference between authentication and authorization?
Access should be based on _______________.
Who should determine which users have access to which specific objects?
All of the following are identity federation standards commonly found in use today except _______________.
Which of the following is a federation standard/protocol that does not rely on Simple Object Access Protocol (SOAP), Security Assertion Markup Language (SAML), or Extensible Markup Language (XML)?
Authentication mechanisms typically include any or all of the following except _______________.
Which of the following constitutes a multifactor authentication process or procedure?
Typically, multifactor authentication should be used _______________.
A web application firewall (WAF) usually operates at Layer _______________ of the Open Systems Interconnection (OSI) model.
A web application firewall (WAF) can understand and act on _______________ traffic.
WAFs can be used to reduce the likelihood that _______________ attacks will be successful.
A database activity monitor (DAM) tool usually operates at Layer _______________ of the Open Systems Interconnection (OSI) model.
Database activity monitors (DAMs) can be used to reduce the potential success of _______________ attacks.
Which security tool can perform content inspection of Secure File Transfer Protocol (SFTP) communications?
To deploy a set of microservices to clients instead of building one monolithic application, it is best to use a(n) _______________ to coordinate client requests.
Firewalls can detect attack traffic by using all these methods except _______________.
Transport Layer Security (TLS) provides _______________ and _______________ for communications.
Transport Layer Security (TLS) uses a new _______________ for each secure connection.
A virtual private network (VPN) is used to protect data in transit by _______________.
The employment of users in dynamic software testing should best be augmented by _______________.
Why do developers have an inherent conflict of interest in testing software they’ve created?
Sandboxing can often be used for _______________.
Sandboxing can often be used for _______________.
Application virtualization can typically be used for _______________.
Application virtualization can typically be used for _______________.
Any organization that complies with ISO 27034 will have a maximum of _______________ Organizational Normative Framework(s) (ONF)(s).
Under ISO 27034, every application within a given organization will have an attendant set of controls assigned to it; the controls for a given application are listed in the _______________.
Static application security testing (SAST) is usually considered a _______________ form of testing.
Static application security testing (SAST) examines _______________.
Dynamic application security testing (DAST) is usually considered a _______________ form of testing.
Dynamic application security testing (DAST) checks software functionality in _______________.
Vulnerability scans are dependent on _______________ in order to function.
Due to their reliance on vulnerability signatures, vulnerability scanners will not detect _______________.
Penetration testing is a(n) _______________ form of security assessment.
Dynamic software security testing should include _______________.
According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.
According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.
According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.
According to Open Web Application Security Project (OWASP) recommendations, active software security testing should include all of the following except _______________.
Static software security testing typically uses _______________ as a measure of how thorough the testing was.
Dynamic software security testing typically uses _______________ as a measure of how thorough the testing was.
Software security testing should involve both known good and known bad data in order to simulate both _______________ and _______________.
Training programs should be tracked and monitored in order to fulfill both _______________ and _______________ requirements. Choose the best response.
Task-centric training is typically for _______________.
Awareness training is typically for _______________.
Why is cloud security training particularly important for software developers?
Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is _______________.
Software developers should receive cloud-specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these challenges is _______________.
Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?
At which phase of the software development lifecycle (SDLC) is user involvement most crucial?
At which phase of the software development lifecycle (SDLC) should security personnel first be involved?
At which phase of the software development lifecycle (SDLC) is it probably most useful to involve third-party personnel?
In software development lifecycle (SDLC) implementations that include a Secure Operations phase, which of the following security techniques or tools are implemented during that phase?
A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.
A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.
A cloud environment that lacks security controls is vulnerable to exploitation, data loss, and interruptions. Conversely, excessive use of security controls _______________.
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Of the following, what is the most reasonable immediate action?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be used to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. You’ve brought the matter to the attention of the chief executive officer (CEO), who understands the issue and asks for your recommendation. What is probably the best suggestion?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. Upon performing an information-gathering investigation at the behest of the chief executive officer (CEO), you determine that these APIs increased productivity 387 percent over the period since they were adopted, at a cost that is negligible compared to getting even one API through the company’s current approval process. What is your suggestion on how to handle the situation?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also dictate which application programming interfaces (APIs) can be utilized to access and manipulate company data and the process for getting an API added to the list of approved programs. You conduct an approved scan of the company data set in the cloud, with the provider’s permission. This allows you to catalog all APIs that have accessed and manipulated company data through authorized user accounts in the last month. The scan reveals that 300 different APIs were used by authorized personnel. Of these, 30 had been approved by the company and were on the list. As a subject matter expert, what should you also recommend to the chief executive officer (CEO)?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?
You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a platform as a service (PaaS) model with a major cloud provider. According to your company policies, personnel are allowed to work equally from the company offices and their own homes or other locations, using their personal IT devices. The policies also allow users to select which application programming interfaces (APIs) they install and use on their own devices in order to access and manipulate company data. Of the following, what is a security control you’d like to implement to offset the risk(s) incurred by this practice?
Users in your organization have been leveraging application programming interfaces (APIs) for enhancing their productivity in the cloud environment. To ensure that you are securing API access to the production environment, you should deploy _______________ and _______________.
You implement identity and access management (IAM) in order to control access between subjects and objects. What is the ultimate purpose of this effort?
_______________ is perhaps the main external factor driving identity and access management (IAM) efforts.
Whether in a cloud or traditional environment, it is important to implement both _______________ and _______________ access controls.
Access to specific data sets should be granted by _______________.
Access should be granted based on all of the following except _______________.
Federation allows _______________ across organizations.
Federation should be _______________ to the users.
A web application firewall (WAF) understands which protocol(s)?
Web application firewalls and database activity monitors function at levels _______________ and _______________ of the Open Systems Interconnection (OSI) model, respectively.
What can tokenization be used for?
Merchants who accept credit card payments can avoid some of the compliance burden for the Payment Card Industry Data Security Standard (PCI DSS) by outsourcing the tokenization function to _______________.
Which of the following is an example of useful and sufficient data masking of the string “CCSP”?
A cloud-based sandbox should not be used for _______________.
Which of the following should occur at each stage of the software development lifecycle (SDLC)?
Software that includes security elements from the outset of the software development lifecycle (SDLC) process will be _______________.
Software that includes security elements from the outset of the software development lifecycle (SDLC) process will _______________.
The inclusion of security controls in the software design process is dictated by _______________.
Software development should be perceived as _______________.
Dynamic testing of software is perhaps most useful for _______________.