CCSP Domain 4: Cloud Application Security [updated 2022]
Domain 4 of the CCSP focuses on developing and securing cloud applications; it represents 17% of the certification exam. The CCSP comprises six domains.
Earning the CCSP means you have the knowledge and skills to make cloud applications more secure using best practices, policies and procedures. The CCSP shows you understand the activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The “Official (ISC)² Guide to the CCSP CBK” is a great way to familiarize yourself with the subdomain topics.
Domain 4 — cloud application security
Each of the seven subdomains covers a specific aspect of managing cloud applications securely and effectively.
4.1 Advocate training and awareness for application security
Cloud development basics
Candidates need to understand the basics of cloud application development, including:
- Security by design
- Shared security responsibility
- Security as a business objective
Common pitfalls and common cloud vulnerabilities
Candidates need to understand common pitfalls and vulnerabilities (e.g., Open Web Application Security Project (OWASP) Top-10, SANS Top-25) when migrating to or developing applications in the cloud. Such pitfalls include:
- Lack of guidelines and documentation
- Integration complexities
- Multi-tenancy challenges
- Third-party administrator challenges
Note: The 12th annual (ISC)² Security Congress on October 10, 2022, features a lecture on “Top Public Cloud Security Fails and How to Avoid Them.” On October 12, 2022, another panel speaker will discuss “Emerging Threats Against Cloud Application Identities (And What You Should Do About It).”
4.2 Describe the secure software development life cycle (SSDLC) process
Candidates need to understand the phases under the SSDLC, which include security-focused steps that allow security by design.
Be aware of the business needs of the application.
Phases and methodologies
The following phases are common across the various models of SDLCs, such as Waterfall, Agile, Development and Operations (DevOps):
- Requirement analysis
- Operations and maintenance
4.3 Apply the secure software development life cycle (SSDLC)
Candidates need to understand cloud-specific risks and the use of threat modeling to assess the impact of those risks.
Avoid common vulnerabilities during development
Candidates should know the vulnerabilities to address when developing for the cloud.
The latest OWASP Top 10 identifies critical web application security risks, including:
- Broken access control
- Cryptographic failures
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
Candidates need to recognize the numerous security challenges and threats that the cloud has brought forth, from limited visibility into cloud usage to data breaches, account hijacking, malware, a lack of cloud security architecture and strategy, and misconfigurations.
Candidates must know best practices for securing applications in the cloud and ways to ensure software quality through validation and verification activities.
- Application Security Verification Standard (ASVS)
- Software Assurance Forum for Excellence in Code (SAFECode)
- Open Web Application Security Project (OWASP)
Candidates need to know how threat models work in identifying potential threats to applications and the countermeasures that can be implemented. Four commonly used threat models are STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege), PASTA (process for attack simulation and threat analysis), DREAD (disaster, reproducibility, exploitability, affected users and discoverability) and ATASM (architecture, threats, attack surfaces and mitigations).
Software configuration management (SCM) and versioning
Candidates need to understand the importance of SCM and versioning in managing software assets, configuration management (including change management), configuration management databases (CMDBs), and tools such as Chef, Puppet and Ansible.
4.4 Apply cloud software assurance and validation
Candidates need to understand the importance of testing and auditing in developing secure applications and various application security testing methodologies.
Functional and non-functional testing
Candidates need to understand the difference between functional and non-functional testing.
- Functional testing ensures that the functions and features of the application work correctly.
- Non-functional testing looks at how those functions behave, such as their performance or usability, rather than what they do.
Security testing methodologies
Candidates need to understand the various software testing methodologies, such as black-box testing, white-box testing, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST).
Quality assurance and abuse case testing
Both are essential for security testing of new applications.
4.5 Use verified secure software
Candidates must understand the significant components of secure software a security-conscious organization uses. These components include:
- Approved APIs
- Supply chain management
- Third-party software management
- Validated open-source software
4.6 Comprehend the specifics of cloud application architecture
Candidates need to understand the various security components and technologies required in a cloud application architecture.
Supplemental security components
Candidates need to understand how security components such as web application firewalls (WAF), database activity monitoring (DAM), Extensible Markup Language (XML) firewalls and application programming interface (API) gateways work in a cloud environment.
Candidates need to understand encryption of data at rest and in motion in the cloud, using technologies and protocols such as transport layer security (TLS) and virtual private networks (VPN), as well as the management of encryption keys in the cloud by both the cloud service provider (CSP) and the cloud consumer.
Sandboxing, application virtualization and orchestration
Candidates need to understand how sandboxing, application virtualization and application orchestration (e.g., microservices, containers) work in a cloud environment. Popular cloud orchestration tools include AWS CloudFormation, Terraform and Azure Automation.
4.7 Design appropriate identity and access management (IAM) solutions
Candidates need to understand identification, authentication and authorization in the cloud and the components and protocols that make up an IAM solution.
Federated identity and single sign-on
Candidates need to understand federated identity (e.g., Security Assertion Markup Language (SAML), Open Authorization (OAuth), etc.) and single sign-on, the benefits of those protocols and how they work.
Identity providers (IdP)
Candidates need to understand how identity providers such as Azure Active Directory, AWS IAM, Google Cloud Identity, Okta Identity Management, etc., interface with cloud applications.
Single sign-on (SSO) and multifactor authentication (MFA)
Candidates need to understand the concept of SSO, which lets users access all the applications they need after authenticating only once, and the concept of MFA, which requires more than one kind of authentication factor (i.e., something you know, something you have and something you are).
Cloud access security broker (CASB)
Candidates need to understand how a CASB works to mitigate high-risk security events and manage user activities in the cloud.
Candidates need to be familiar with solutions that can help improve the IAM methods to control access to cloud assets.
How to prepare for the CCSP exam
(ISC)² recommends studying suitable material before taking the CCSP exam. The official preparation material includes:
- Official (ISC)² CCSP Study Guide, 2nd Edition
- Official (ISC)² CCSP CBK Reference, 3rd Edition
- Official (ISC)² CCSP Practice Tests, 2nd Edition
- Official (ISC)² CCSP Flash Cards
- Official (ISC)² CCSP Study App
Need training? Design a learning path that fits your needs to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements found in the fourth domain of the CCSP common body of knowledge (CBK) — Cloud Application Security.
For more on the CCSP certification, check out our CCSP certification hub.
- CCSP, (ISC)²
- CCSP: Certification Exam Outline, (ISC)²
- CCSP Domain Refresh FAQ, (ISC)²
- 12th annual Security Congress: The Agenda, (ISC)²