CCSP: 11 Answers to Domain 4 Questions

Updated: Dec 9, 2020

Question #1 ISO 27034 mandates a framework for application security within an organisation. According to the standard, each organisation should have a(n) _____, and each application within the organisation should have its own _____.

  • Organisational Normative Framework (ONF), Application Normative Framework (ANF)

  • Application Normative Framework (ANF), Organisational Normative Framework (ONF)

  • Standard Application Security (SAS), Application Normative Framework (ANF)

  • Organisational Normative Framework (ONF), Standard Application Security (SAS)




ISO/IEC 27034-1 Standards for Secure Application Development


The information security industry is evolving in response to new technologies and changing customer requirements. The need to adopt the most effective approaches and tools for protecting and securing cyberspace is changing practice in this area.

  • A very important process is the sharing of information about security events and incidents, and the exchange of countermeasures against attacks, between stakeholders.

  • The most important decision in support of security is the establishment of international standards regulating information security.


ISO/IEC 27034-1 belongs to the ISO/IEC 27000 family, the group of information security standards that includes ISO/IEC 27001, Requirements for Information Security Management Systems.


A valuable contribution of ISO/IEC 27034 in the area of definitions is to encourage a holistic view of application security. Securing software should be viewed in a broad context that includes

  • software development considerations

  • business and regulatory contexts, as well as

  • the external factors that can affect the overall security of the application.

An understanding of risk, and the ability to apply this knowledge through risk assessments, is crucial to properly defining the appropriate security requirements for any application.

An organisation’s Information Security Management System (ISMS) systematically governs information security risk for the enterprise, including that of the application security program.



These basic ideas have been implemented using two frameworks.

  • The Organisational Normative Framework (ONF); and

  • The Application Normative Framework (ANF).

Implementation of these flexible frameworks is intended to help organisations integrate security seamlessly throughout their application’s lifecycle.



The Organisational Normative Framework (ONF) is a framework of containers holding all components of the organisation's application security best practices.

  • Business context includes all the application security policies, standards, and best practices, adopted by the organisation.

  • Regulatory context includes all the standards, laws, or regulations, that affect application security.

  • Technological context includes the required and available technologies that are applicable to application security.

  • The application specifications repository documents the organisation's IT functional requirements and the solutions that are appropriate to address these requirements.

  • Roles, responsibilities, and qualifications define the different actors in an organisation related to IT applications. This container will include a wide range of job titles and duties besides the developer role.

  • The application security control (ASC) library contains the approved controls that are necessary to protect an application, based on the identified threats, the context, and the targeted level of trust.



The Application Normative Framework (ANF) is a derivative of the ONF and is created for a single application.

  • The ANF maintains the applicable portions of the ONF that are needed to enable that specific application to achieve the required level of security.

  • Because a typical organisation will have several applications to secure, there will be a one-to-many relationship between one ONF and many ANFs.

  • However, the ANF-to-ONF relationship is a one-to-one relationship. That is, every application has an ANF that maps back to one ONF.

ISO/IEC 27034-1 defines an application security management process (ASMP) to manage and maintain each ANF.



The application security management process is performed in five steps:

  1. Specifying the application security requirements and the environment

  2. Assessing application security risks

  3. Creating and maintaining the Application Normative Framework (ANF)

  4. Implementing and operating the application, and

  5. Auditing the security of the application

Answer

  • Organisational Normative Framework (ONF), Application Normative Framework (ANF)

  • Application Normative Framework (ANF), Organisational Normative Framework (ONF)

  • Standard Application Security (SAS), Application Normative Framework (ANF)

  • Organisational Normative Framework (ONF), Standard Application Security (SAS)


Question #2 According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and ___________________ Application Normative Framework (ANF[s]) for each application within that organization.

  • Many

  • Three

  • No

  • One

The Application Normative Framework (ANF) is a derivative of the ONF and is created for a single application.

  • The ANF maintains the applicable portions of the ONF that are needed to enable that specific application to achieve the required level of security.

  • Because a typical organisation will have several applications to secure, there will be a one-to-many relationship between one ONF and many ANFs.

  • However, the ANF-to-ONF relationship is a one-to-one relationship. That is, every application has an ANF that maps back to one ONF.

Answer

  • Many

  • Three

  • No

  • One


Question #3 What language is used in the Simple Object Access Protocol (SOAP) application design protocol?

  • Hypertext Markup Language (HTML)

  • X.509

  • Extensible Markup Language (XML)

  • Hypertext Transfer Protocol (HTTP)

Application Programming Interfaces (APIs)

It is important that we examine the mechanisms behind the scenes that make application security and software development for the cloud work, as well as the weaknesses and vulnerabilities associated with each.


Application programming interfaces (APIs) are the coding components that allow applications to speak to one another, generally through a web interface of some kind. We usually hope this communication occurs in a safe and secure manner. However, that is not always the case.


There are two common types of APIs in use with cloud-based applications today.



We have

  • Representational State Transfer or REST APIs, and

  • Simple Object Access Protocol or SOAP APIs.

REST API is a software architecture designed to scale the abilities of web-based applications. It is based on guidelines and best practices for creating scalable web applications. When followed, it allows web applications to access other applications, databases, and so on, in order to extend their functionality. The architecture is

  • lightweight

  • uses simple URLs

  • not reliant on XML

  • scalable

  • can output in many formats, including CSV, JavaScript Object Notation (JSON), HTML, XLS, and XML; and

  • efficient, meaning it uses smaller messages than XML.

It works well when

  • bandwidth is limited

  • stateless operations are used, and

  • caching is needed.

Simple Object Access Protocol (SOAP) is a protocol specification providing for the exchange of structured information or data, in web services. It also works over other protocols such as SMTP, FTP, and HTTP. It is

  • standards-based, not URL-based as in REST,

  • reliant on XML,

  • highly intolerant of errors,

  • much slower than REST, and

  • has built-in error handling. If there is a problem with your request, the response contains error information you can use to fix it. Since you might not own the web service, this feature is extremely important; otherwise you would be left guessing why things did not work. The error reporting even provides standardised codes, so some error handling can be automated in your code.
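The standardised fault codes mentioned above are what make automated SOAP error handling possible. The following is an added example written for this page (not code from the original post or from any SOAP library): it extracts the SOAP 1.2 fault code and reason and maps the code to an assumed client policy; the policy wording and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SOAP 1.2 envelope namespace; the Fault element and its Code/Value and
# Reason/Text children are defined here.
SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
NS = {"env": SOAP_ENV}

# The standard SOAP 1.2 fault codes (local names) and an assumed client
# policy for each; the policy text is an illustration, not from the standard.
FAULT_POLICY = {
    "VersionMismatch": "do not retry: SOAP version mismatch",
    "MustUnderstand": "do not retry: server cannot process a mandatory header",
    "DataEncodingUnknown": "do not retry: unsupported data encoding",
    "Sender": "do not retry: fix the request before resending",
    "Receiver": "retry later: problem on the server side",
}

def parse_soap_fault(xml_text):
    """Return (code, reason, policy) for a SOAP 1.2 Fault, or None if the
    Body carries no Fault. The code is the QName's local part, so the
    document's namespace prefix does not matter."""
    # xml.etree does not fetch external entities, but for XML from an
    # untrusted service use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    fault = root.find("env:Body/env:Fault", NS)
    if fault is None:
        return None
    value = fault.findtext("env:Code/env:Value", default="", namespaces=NS)
    reason = fault.findtext("env:Reason/env:Text", default="", namespaces=NS)
    code = value.strip().split(":")[-1]   # "env:Sender" -> "Sender"
    policy = FAULT_POLICY.get(code, "unknown fault code: escalate to operator")
    return code, reason.strip(), policy

# Constructed sample responses: one fault and one successful reply.
FAULT_MSG = """<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body>
    <env:Fault>
      <env:Code><env:Value>env:Sender</env:Value></env:Code>
      <env:Reason><env:Text xml:lang="en">Malformed order ID</env:Text></env:Reason>
    </env:Fault>
  </env:Body>
</env:Envelope>"""

OK_MSG = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body><m:OrderResponse xmlns:m="urn:example:orders">42</m:OrderResponse></env:Body>
</env:Envelope>"""
```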

Answer

  • Hypertext Markup Language (HTML)

  • X.509

  • Extensible Markup Language (XML)

  • Hypertext Transfer Protocol (HTTP)


Question #4 Typically, representational state transfer (REST) interactions do not require ___________________.

  • Credentials

  • Sessions

  • Servers

  • Clients


Generally, a REST interaction involves the client asking the server (through an application programming interface [API]) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary.


Answer

  • Credentials

  • Sessions

  • Servers

  • Clients


Question #5 Representational state transfer (REST) application programming interfaces (APIs) use ___________________ protocol verbs.

  • Hypertext Markup Language (HTML)

  • Hypertext Transfer Protocol (HTTP)

  • Extensible Markup Language (XML)

  • American Standard Code for Information Interchange (ASCII)

REST APIs let you build any kind of web application supporting the full set of CRUD (create, retrieve, update, delete) operations. REST guidelines suggest using a specific HTTP method for each type of call made to the server.

Suitable HTTP methods include

  • HTTP GET

  • HTTP POST

  • HTTP PUT

  • HTTP DELETE

  • HTTP PATCH
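As an added illustration of two points on this page, the verb-to-CRUD mapping in this question and the absence of server-side sessions in Question #4, here is a small stateless request handler. It is example code written for this page, not from the original post or any web framework; the bearer token, the in-memory order store and the /orders path are constructed assumptions.

```python
import itertools

# Constructed demo data, not from the page: one API token and an empty store.
API_TOKENS = {"tok-alice": "alice"}
ORDERS = {}
_ids = itertools.count(1)
# REST guideline: the HTTP verb selects the CRUD operation on the resource.
VERB_TO_CRUD = {"GET": "retrieve", "POST": "create", "PUT": "update",
                "PATCH": "update", "DELETE": "delete"}

def _fields(body):
    # Never let the client set the server-controlled owner field.
    return {k: v for k, v in (body or {}).items() if k != "owner"}

def handle(method, path, headers, body=None):
    """Serve one request and return (status, dict_or_None). The server keeps no
    session: every request must carry its own credential in Authorization."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = API_TOKENS.get(token)
    if user is None:
        return 401, {"error": "missing or invalid credential"}
    op = VERB_TO_CRUD.get(method)
    if op is None:
        return 405, {"error": "method not allowed"}
    parts = path.strip("/").split("/")
    if parts[0] != "orders":
        return 404, {"error": "no such resource"}
    order_id = parts[1] if len(parts) > 1 else None
    if op == "create":                      # POST /orders
        new_id = str(next(_ids))
        ORDERS[new_id] = {"owner": user, **_fields(body)}
        return 201, {"id": new_id, **ORDERS[new_id]}
    if order_id not in ORDERS:
        return 404, {"error": "no such order"}
    if ORDERS[order_id]["owner"] != user:   # authorisation re-checked per request
        return 403, {"error": "forbidden"}
    if op == "retrieve":                    # GET /orders/{id}
        return 200, dict(ORDERS[order_id])
    if op == "update":                      # PUT replaces, PATCH merges
        if method == "PUT":
            ORDERS[order_id] = {"owner": user, **_fields(body)}
        else:
            ORDERS[order_id].update(_fields(body))
        return 200, dict(ORDERS[order_id])
    del ORDERS[order_id]                    # DELETE /orders/{id}
    return 204, None
```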

Answer

  • Hypertext Markup Language (HTML)

  • Hypertext Transfer Protocol (HTTP)

  • Extensible Markup Language (XML)

  • American Standard Code for Information Interchange (ASCII)


Question #6 The architecture of the World Wide Web, as it works today, is ___________________.

  • JavaScript Open Notation (JSON)

  • Denial of service (DoS)

  • Representational state transfer (REST)

  • Extensible Markup Language (XML)

The web runs mainly over HTTP, which is a RESTful protocol.


Answer

  • JavaScript Open Notation (JSON)

  • Denial of service (DoS)

  • Representational state transfer (REST)

  • Extensible Markup Language (XML)


Question #7 RESTful responses can come from the server in ___________________ or ___________________ formats.

  • Extensible Markup Language (XML), JavaScript Open Notation (JSON)

  • Hypertext Transfer Protocol (HTTP), X.509

  • American Standard Code for Information Interchange (ASCII), text

  • Hypertext Markup Language (HTML), Extensible Markup Language (XML)

REST API is a software architecture designed to scale the abilities of web-based applications. It is based on guidelines and best practices for creating scalable web applications. When followed, it allows web applications to access other applications, databases, and so on, in order to extend their functionality. The architecture is

  • lightweight

  • uses simple URLs

  • not reliant on XML

  • scalable

  • can output in many formats, including CSV, JavaScript Object Notation (JSON), HTML, XLS, and XML; and

  • efficient, meaning it uses smaller messages than XML.

Answer

  • Extensible Markup Language (XML), JavaScript Open Notation (JSON)

  • Hypertext Transfer Protocol (HTTP), X.509

  • American Standard Code for Information Interchange (ASCII), text

  • Hypertext Markup Language (HTML), Extensible Markup Language (XML)


Question #8 Which of the following is an informal industry term for moving applications from a traditional environment into the cloud?

  • Instantiation

  • Porting

  • Grandslamming

  • Forklifting

An often-used term for moving an entire application to the cloud without any significant changes is forklifting. This refers to the idea of moving an existing legacy enterprise application to the cloud with little or no code changes.

  • Although these are often self-contained, standalone applications that have operated successfully in the enterprise environment, dependencies on aspects of the legacy infrastructure that may not be replicated in the cloud, and other issues such as the use of proprietary libraries the cloud environment lacks, can crop up and cause serious problems during transition.

  • Many applications, particularly office applications, now have alternative cloud-based versions, minimising or removing the need to move those applications as they exist in local systems, to the cloud.

Answer

  • Instantiation

  • Porting

  • Grandslamming

  • Forklifting


Question #9 Developers creating software for the cloud environment should bear in mind cloud-specific risks such as ___________________ and ___________________.

  • DoS and DDoS (denial of service and distributed denial of service)

  • Multi-tenancy and third-party administrators

  • Unprotected servers and unprotected clients

  • Default configurations and user error

Developers often face challenges when working in a new and unfamiliar environment. For instance, they may be used to working in a certain language or framework that may not be available to them on a particular platform. There are also a number of challenges that must be faced due to the complexities of the cloud computing model. Some of these issues include:

  • Multi-tenancy - the concept of sharing resources with other cloud customers simultaneously.

  • Third-party admins - these are cloud providers who manage administration of your system and who are not under your control.

  • Deployment models (public, private, community, hybrid) - certain models such as the hybrid model, remove or reduce the authority and execution of security controls in the environment.

  • Service models (IaaS, PaaS, and SaaS) - developers may or may not have control over the particular infrastructure, platform, or even application stack that they must work with.

Answer

  • DoS and DDoS (denial of service and distributed denial of service)

  • Multi-tenancy and third-party administrators

  • Unprotected servers and unprotected clients

  • Default configurations and user error


Question #10 When an organization considers cloud migrations, the organization’s software developers will need to know which ___________________ and which ___________________ the organization will be using, in order to properly and securely create suitable applications.

  • Geographic location, native language

  • Legal restrictions, specific ISP

  • Service model, deployment model

  • Available bandwidth, telecommunications country code


Answer

  • Geographic location, native language

  • Legal restrictions, specific ISP

  • Service model, deployment model

  • Available bandwidth, telecommunications country code


Question #11 Which of the following is perhaps the best method for reducing the risk of a specific application not delivering the proper level of functionality and performance when it is moved from the legacy environment into the cloud?

  • Remove the application from the organisation's production environment, and replace it with something else.

  • Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating.

  • Make sure the application is fully updated and patched according to all vendor specifications.

  • Run the application in an emulator.

A trial run in the cloud will reveal any functionality/performance loss before a permanent cloud migration.

Answer

  • Remove the application from the organisation's production environment, and replace it with something else.

  • Negotiate and conduct a trial run in the cloud environment for that application before permanently migrating.

  • Make sure the application is fully updated and patched according to all vendor specifications.

  • Run the application in an emulator.

© 2021 by CloudTAC