CCSP Domain #4: Cloud Application Security [updated 2022]
Successful candidates must understand the types of activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The following topics are included in this domain, as per the “Official (ISC)² Guide to the CCSP CBK”. This domain represents 17% of the CCSP certification exam. Earning the CCSP means the candidate has the right knowledge and skills to secure a cloud environment.
Domain 4 — cloud application security
4.1 Advocate training and awareness for application security
Candidates will need to understand the critical aspects of application development and deployment in cloud environments and the potential impacts of insecure code deployed across a cloud infrastructure.
Candidates are also required to understand the basics of cloud application development, including the following:
- Security by design
- Shared security responsibility
- Security as a business objective
Candidates will need to understand common pitfalls and vulnerabilities throughout the Software Development Lifecycle (SDLC) and when migrating to or developing applications in the cloud. Such pitfalls include:
- Lack of guidelines and documentation
- Integration complexities
- Multi-tenancy challenges
- Third-party administrator challenges
More information on security threats that affect application development can be found in the Cloud Security Alliance (CSA) Top Threats to Cloud Computing and the OWASP Top 10 (see Section 4.3.1 below).
4.2 Describe the secure software development lifecycle process
Candidates will need to understand the phases of the Secure Software Development Lifecycle (SSDLC), which include security-focused steps that enable security by design.
4.2.1 NIST secure software development framework
This framework defines and describes secure software development practices. It helps develop secure traditional IT systems, Industrial Control Systems (ICS), Internet of Things (IoT) Systems and Cyber Physical Systems (CPS).
4.2.2 OWASP software assurance security model
This framework helps organizations formulate and implement a strategy for software security. It provides an effective and measurable way to analyze and improve the secure software development lifecycle.
4.2.3 Phases and methodologies
The following phases are common across the various SDLC models, such as Waterfall, Agile, Development and Operations (DevOps) etc.:
- Requirement analysis
- Operations and maintenance
4.3 Apply the secure software development lifecycle
Candidates will need to understand common application vulnerabilities, cloud-specific risks and the use of threat modeling to assess the impact of those risks.
4.3.1 Avoid common vulnerabilities during development
The OWASP Top 10 identifies critical web application security risks. The Top 10 web application security risks for 2021 include:
- Broken access control
- Cryptographic failures
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
4.3.2 Cloud specific risks
Several additional risks apply to cloud environments. CSA’s 2019 “Egregious 11” provides some specific cloud risks. These include:
- Data breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
4.3.3 Quality assurance
Candidates must understand the quality assurance process to ensure software quality through validation and verification activities.
4.3.4 Threat modeling
Candidates will need to understand how threat models work in identifying potential threats to applications and countermeasures that can be implemented. Two (2) commonly used threat models are STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) and PASTA (The Process for Attack Simulation and Threat Analysis).
4.3.5 Software configuration management (SCM) and versioning
Candidates will need to understand the importance of SCM and versioning in managing software assets, configuration management (including change management), and configuration management databases (CMDB) tools such as Chef, Puppet and Ansible.
4.4 Apply cloud software assurance and validation
Candidates will need to understand the importance of testing and auditing in developing secure applications and various application security testing methodologies.
4.4.1 Functional testing
Candidates will need to understand functional testing and the various functional tests such as unit testing, integration testing, usability testing etc.
4.4.2 Security testing methodologies
Candidates will need to understand the various software testing methodologies such as black-box testing, white-box testing, static application security testing (SAST), dynamic application security testing (DAST) etc.
4.5 Use verified secure software
Candidates must understand the major components of secure software that a security-conscious organization uses. These components include:
- Approved APIs
- Supply chain management
- Third-party software management
- Validated open source software
4.6 Comprehend the specifics of cloud application architecture
Candidates must understand the various security components and technologies required in a cloud application architecture.
4.6.1 Supplemental security components
Candidates will need to understand how security components such as web application firewall (WAF), database activity monitoring (DAM), API gateway etc. work in a cloud environment.
Candidates will need to understand data encryption at rest and in motion in the cloud using technologies/protocols such as transport layer security (TLS), a virtual private network (VPN) etc. In addition, candidates will need to understand the management of encryption keys in the cloud by the cloud service provider (CSP) and the cloud consumer.
4.6.3 Sandboxing, application virtualization and orchestration
Candidates will need to understand how sandboxing, application virtualization and application orchestration work in a cloud environment. Popular cloud orchestration tools include AWS CloudFormation, Terraform, Azure Automation etc.
4.7 Design appropriate identity and access management (IAM) solutions
Candidates will need to understand identification, authentication and authorization in the cloud and the various components and protocols that make up an IAM solution.
4.7.1 Federated identity and single sign-on
Candidates will need to understand how federated identity (e.g., Security Assertion Markup Language (SAML), Open Authorization (OAuth) etc.) and single sign-on work, and the benefits of both.
4.7.2 Identity providers
Candidates will need to understand how identity providers such as Azure Active Directory, AWS IAM, Google Cloud Identity, Okta Identity Management etc. interface with cloud applications.
4.7.3 Multifactor authentication (MFA)
Candidates will need to understand the various authentication factors (i.e., something you know, something you have and something you are) and their various applications in MFA.
4.7.4 Cloud access security broker (CASB)
Candidates will need to understand how CASBs work in mitigating high-risk security events and managing user activities in the cloud.
How to prepare for the CCSP exam
Studying the right material is very important. The official books and material recommended by (ISC)² for the CCSP exam include:
- Official (ISC)² CCSP CBK Reference, Third Edition
- Official (ISC)² CCSP Study Guide
- Official (ISC)² CCSP practice tests
- Official CCSP study and practice tests apps
- Official (ISC)² CCSP flashcards