CCSP Domain #4: Cloud Application Security [updated 2022]

February 1, 2022 by Mosimilolu Odusanya

Successful candidates must understand the types of activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The following topics are included in this domain, as per the “Official (ISC)2 Guide to the CCSP CBK”. This domain represents 17% of the CCSP certification exam. Earning the CCSP means the candidate has the right knowledge and skills to secure a cloud environment.

Domain 4 — cloud application security

4.1 Advocate training and awareness for application security

Candidates will need to understand why application development and deployment in cloud environments is critical, and the potential impact of insecure code deployed across a cloud infrastructure.

Candidates are also required to understand the basics of cloud application development, including the following:

  1. Security by design
  2. Shared security responsibility
  3. Security as a business objective

Common pitfalls

Candidates will need to understand common pitfalls and vulnerabilities throughout the Software Development Lifecycle (SDLC) and when migrating to or developing applications in the cloud. Such pitfalls include:

  1. Lack of guidelines and documentation
  2. Integration complexities
  3. Multi-tenancy challenges
  4. Third-party administrator challenges

More information on security threats that affect application development can be seen in the Cloud Security Alliance (CSA) Top Threats to Cloud Computing and the OWASP Top 10 (See Section 4.3.1 below).

4.2 Describe the secure software development lifecycle process

Candidates will need to understand the phases of the Secure Software Development Lifecycle (SSDLC), which include security-focused steps that enable security by design.

4.2.1 NIST secure software development framework

This framework defines and describes secure software development practices. It helps develop secure traditional IT systems, Industrial Control Systems (ICS), Internet of Things (IoT) systems and Cyber-Physical Systems (CPS).

4.2.2 OWASP software assurance security model

This framework helps organizations formulate and implement a strategy for software security. It provides an effective and measurable way to analyze and improve the secure software development lifecycle.

4.2.3 Phases and methodologies

The following phases are common across SDLC models such as Waterfall, Agile and Development and Operations (DevOps):

  1. Planning
  2. Requirement analysis
  3. Design
  4. Development
  5. Testing
  6. Deployment
  7. Operations and maintenance

4.3 Apply the secure software development lifecycle

Candidates will need to understand common application vulnerabilities, cloud-specific risks and the use of threat modeling to assess the impact of those risks.

4.3.1 Avoid common vulnerabilities during development

The OWASP Top 10 identifies critical web application security risks. The Top 10 web application security risks for 2021 include:

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery
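Item 3, injection, is the risk most easily shown in code. The following Python example is added here and is not from the article or from (ISC)²: it runs the same user lookup the vulnerable way (splicing the input into the SQL text) and the parameterized way, against an in-memory SQLite table filled with constructed rows, so the difference in behaviour is visible on realistic inputs.

```python
"""Added illustration of OWASP Top 10 'Injection': the same lookup written the
vulnerable way and the parameterized way, run against an in-memory SQLite
table filled with constructed sample rows (not data from the article)."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database; the rows are constructed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """VULNERABLE: the untrusted value is spliced into the SQL text, so it can
    change the query's structure rather than just the value being compared."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """FIXED: the SQL text is constant and the value travels as a bound
    parameter, so the database engine always treats it as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both versions on one input and report what each returned.
    A SQL error from the vulnerable version is reported as the string 'error';
    that error is the symptom a DAST scan or a log review would surface."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        vuln = "error"
    return {"vulnerable": vuln, "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a name containing a quote, and the
    # textbook tautology that every injection write-up uses.
    for name in ("bob", "o'brien", "x' OR '1'='1"):
        print(repr(name), compare(name))
```

The quoted name already breaks the vulnerable query (a syntax error, which is both a functional bug and a detection signal), and the tautology returns every row because the input rewrote the WHERE clause. The parameterized version returns the same single row for "bob" and nothing for the other two. Keeping code and data separate is the same principle that closes OS command, LDAP and NoSQL injection, which the OWASP category also covers.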

4.3.2 Cloud specific risks

Several additional risks apply to cloud environments. CSA’s 2019 “Egregious 11” provides some specific cloud risks. These include:

  1. Data breaches
  2. Misconfiguration and inadequate change control
  3. Lack of cloud security architecture and strategy
  4. Insufficient identity, credential, access and key management
  5. Account hijacking
  6. Insider threat
  7. Insecure interfaces and APIs
  8. Weak control plane
  9. Metastructure and applistructure failures
  10. Limited cloud usage visibility
  11. Abuse and nefarious use of cloud services 

4.3.3 Quality assurance

Candidates must understand the quality assurance process to ensure software quality through validation and verification activities.

4.3.4 Threat modeling

Candidates will need to understand how threat models work in identifying potential threats to applications and countermeasures that can be implemented. Two (2) commonly used threat models are STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) and PASTA (The Process for Attack Simulation and Threat Analysis).

4.3.5 Software configuration management (SCM) and versioning

Candidates will need to understand the importance of SCM and versioning in managing software assets, configuration management (including change management), and configuration management databases (CMDB) tools such as Chef, Puppet and Ansible.

4.4 Apply cloud software assurance and validation

Candidates will need to understand the importance of testing and auditing in developing secure applications and various application security testing methodologies.

4.4.1 Functional testing

Candidates will need to understand functional testing and the various functional tests such as unit testing, integration testing, usability testing etc.

4.4.2 Security testing methodologies

Candidates will need to understand the various software testing methodologies such as black-box testing, white-box testing, static application security testing (SAST), dynamic application security testing (DAST) etc.
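To show what a SAST rule actually does, here is an added example (not part of the article, and not from any SAST product): a syntactic check written with Python's own ast module that flags execute-style calls whose SQL text is built dynamically, which is the injection pattern from section 4.3.1. SAMPLE_SOURCE is a constructed file for the rule to scan.

```python
"""Added example: a minimal SAST rule for the SQL-building pattern, written with
Python's ast module. It flags execute()/executemany()/executescript() calls
whose first argument is built dynamically. SAMPLE_SOURCE is constructed."""
import ast
from typing import List, Optional, Tuple

Finding = Tuple[int, str]  # (line number, reason)

SAMPLE_SOURCE = '''\
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def by_id(cur, uid):
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")

def by_role(cur, role):
    cur.execute("SELECT * FROM users WHERE role = '%s'" % role)

def by_email(cur, email):
    cur.execute("SELECT * FROM users WHERE email = '{}'".format(email))

def by_name_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def dynamic_reason(arg: ast.expr) -> Optional[str]:
    """Return why the SQL argument looks dynamically built, or None if it is a
    plain constant (the parameterized form)."""
    if isinstance(arg, ast.JoinedStr):
        return "f-string"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
        return "string concatenation"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return "%-formatting"
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):
        return "str.format()"
    return None


class SqlBuildFinder(ast.NodeVisitor):
    """Walk the tree and record every sink call whose SQL text is dynamic."""
    SINKS = {"execute", "executemany", "executescript"}

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute) and node.func.attr in self.SINKS
                and node.args):
            reason = dynamic_reason(node.args[0])
            if reason is not None:
                self.findings.append((node.lineno, reason))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse one Python source file and return (line, reason) findings."""
    tree = ast.parse(source)
    finder = SqlBuildFinder()
    finder.visit(tree)
    return finder.findings


if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL text built with {reason}")
```

The rule is purely syntactic, which is exactly the trade-off behind SAST triage: it misses `sql = "..." + name` followed by `cur.execute(sql)` (finding that needs data-flow analysis, which commercial tools add) and it would flag concatenation of two constant strings as a false positive. DAST complements it by observing the running application's responses, such as the SQL error from the previous example.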

4.5 Use verified secure software

Candidates must understand the major components of secure software a security-conscious organization uses. These components include:

  1. Approved APIs
  2. Supply chain management
  3. Third-party software management
  4. Validated open source software

4.6 Comprehend the specifics of cloud application architecture

Candidates must understand the various security components and technologies required in a cloud application architecture.

4.6.1 Supplemental security components

Candidates will need to understand how security components such as web application firewall (WAF), database activity monitoring (DAM), API Gateway etc., work in a cloud environment.

4.6.2 Cryptography

Candidates will need to understand data encryption at rest and in motion in the cloud using technologies/protocols such as transport layer security (TLS), a virtual private network (VPN) etc. Candidates will also need to understand how encryption keys are managed in the cloud, both by the cloud service provider (CSP) and by the cloud consumer.

4.6.3 Sandboxing, application virtualization and orchestration

Candidates will need to understand how sandboxing, application virtualization and application orchestration work in a cloud environment. Popular cloud orchestration tools include AWS CloudFormation, Terraform, Azure Automation etc.

4.7 Design appropriate identity and access management (IAM) solutions

Candidates will need to understand identification, authentication and authorization in the cloud and the various components and protocols that make up an IAM solution.

4.7.1 Federated identity and single sign-on

Candidates will need to understand how federated identity (e.g., Security Assertion Markup Language (SAML), Open Authorization (OAuth) etc.) and single sign-on work, and the benefits of each.

4.7.2 Identity providers

Candidates will need to understand how identity providers such as Azure Active Directory, AWS IAM, Google Cloud Identity, Okta Identity Management etc. interface with cloud applications.

4.7.3 Multifactor authentication (MFA)

Candidates will need to understand the various authentication factors (i.e., something you know, something you have and something you are) and the various ways MFA applies them.

4.7.4 Cloud access security broker (CASB)

Candidates will need to understand how CASBs work in mitigating high-risk security events and managing user activities in the cloud.

How to prepare for the CCSP exam

Studying the right material is very important. The official books and material recommended by (ISC)² for the CCSP exam include:

  1. Official (ISC)² CCSP CBK Reference, Third Edition
  2. Official (ISC)² CCSP Study Guide
  3. Official (ISC)² CCSP practice tests
  4. Official CCSP study and practice tests apps
  5. Official (ISC)² CCSP flashcards 


Sources

  1. The Official (ISC)2 CCSP CBK Reference, (ISC)2
  2. (ISC)2 Approved CCSP for Dummies, Wiley
  3. CCSP Certification Exam Outline, (ISC)2

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.
