CCSP Domain 4: Cloud Application Security
The Certified Cloud Security Professional certification, or CCSP, is a certification developed jointly by (ISC)2 and the Cloud Security Alliance (CSA). This credential is designed for cloud-focused information security professionals and ensures that the certification holder has acquired the requisite skills, knowledge and abilities in cloud implementation, security design, controls, operations and compliance with applicable regulations.
The CCSP certification exam comprises six domains: Architectural Concepts and Design Requirements, Cloud Data Security, Cloud Platform and Infrastructure Security, Operations, Cloud Application Security and Legal and Compliance. This article will detail the Cloud Application Security domain of the CCSP exam and what candidates preparing for the CCSP certification can expect on the exam.
The Cloud Application Security domain of CCSP currently accounts for 15% of the material covered by the CCSP certification exam.
Below you will find an exploration of the different subsections of this domain and what information you can expect to be covered on the CCSP certification exam.
4.1 Recognize the Need for Training and Awareness in Application Security
When new development techniques are introduced, training is often required. Cloud computing is no exception to this rule.
Cloud Development Basics
Cloud Application Components
Cloud applications are composed of the following components:
Determining Data Sensitivity and Performance
Cloud-based applications should be assessed to determine their sensitivity and importance. This assessment is how an application's “cloud-friendliness” is determined. Six key questions, each framed in terms of impact, are asked:
- What if the data becomes widely-distributed and widely public?
- What if a cloud service provider’s employee accessed the application?
- What if an outsider manipulated a process or function?
- What if a function or process failed to provide expected results?
- What if data was changed unexpectedly?
- What if the application becomes unavailable for some time?
There are two main types of API formats: RESTful and SOAP. One is not necessarily better than the other. Each has its own strengths and is used in whatever way best suits the organization or business.
Representational State Transfer, or REST, is an architectural style designed to let Web-based applications scale. Following its guidelines and best practices lets a Web-based application reach other applications and databases to extend its functionality. Some other REST traits include:
- Uses simple URLs
- Not reliant on XML
- Different output formats available, including CSV and JSON
- Efficient (using messages that are smaller than XML)
Examples of situations where REST works well include:
- When bandwidth is limited
- When caching is required
- When using stateless operations
Simple Object Access Protocol, or SOAP, is a protocol specification intended for exchanging structured information when implementing Web services within computer networks.
Some of the different SOAP traits of note are:
- SOAP is standards-based
- Highly intolerant of errors
- XML reliant
- Built-in error handling
Some situations SOAP works well in are:
- Asynchronous processing
- Stateful operations
- Format contracts
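As an added example (not from the article or any CCSP study material), the Python below expresses one account lookup in both REST and SOAP form so the message-size difference noted above can be measured, and parses SOAP responses including a SOAP Fault, the protocol's built-in error handling. The account service, its namespace and the sample responses are constructed for this example; the DOCTYPE check reflects SOAP's XML reliance and the XML external entities entry on the OWASP list.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:accounts"                         # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("acc", SVC_NS)


def rest_request(account_id: str) -> str:
    """REST form of an account lookup: a simple URL, no XML, stateless."""
    return f"GET /accounts/{account_id}?fields=balance,status"


def soap_request(account_id: str) -> str:
    """SOAP form of the same call: an XML envelope carrying the operation."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetAccount")
    ET.SubElement(op, f"{{{SVC_NS}}}AccountId").text = account_id
    return ET.tostring(env, encoding="unicode")


def message_sizes(account_id: str) -> tuple:
    """Characters on the wire for the REST and SOAP forms of one lookup."""
    return len(rest_request(account_id)), len(soap_request(account_id))


def parse_soap_response(xml_text: str) -> dict:
    """Parse a SOAP 1.1 response. A <Fault> is returned as an error; any
    DOCTYPE/ENTITY declaration (the vehicle for XXE) is rejected before parsing."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:   # SOAP 1.1 fault children are unqualified
        return {"ok": False, "code": fault.findtext("faultcode"),
                "reason": fault.findtext("faultstring")}
    data = {}
    for el in root.find(f"{{{SOAP_NS}}}Body").iter():
        if len(el) == 0 and el.text and el.text.strip():   # leaf values only
            data[el.tag.split("}")[-1]] = el.text.strip()
    return {"ok": True, "data": data}


# Constructed sample responses, as a provider might return them.
SOAP_OK = (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:acc="{SVC_NS}"><soap:Body>'
           '<acc:GetAccountResponse><acc:Balance>1250.00</acc:Balance>'
           '<acc:Status>active</acc:Status></acc:GetAccountResponse></soap:Body></soap:Envelope>')
SOAP_FAULT = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
              '<faultcode>soap:Client</faultcode><faultstring>Unknown account</faultstring>'
              '</soap:Fault></soap:Body></soap:Envelope>')
SOAP_DOCTYPE = '<!DOCTYPE x [<!ENTITY e "x">]>' + SOAP_FAULT.replace("Unknown account", "&e;")
```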
- Difficulty in replicating configurations and application through the cloud
- Not all applications are cloud-ready
- Lack of or insufficiency of training and awareness
- Lack of guidelines and documentation
- Integration complexities
- Multi-tenancy challenges
- Third-party administrator challenges
One of the leading authorities in application vulnerabilities is the OWASP Top 10 list, of which the latest published version can be found here. The list is:
- Broken authentication
- Sensitive data exposure
- XML external entities
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Use of components with known vulnerabilities
- Insufficient logging and monitoring
4.2 Understand Cloud Software Assurance and Validation
Software assurance includes the development and implementation of processes and methods for making sure software functions as intended and mitigates the risks of vulnerabilities, defects or malicious code which may harm the end user.
Verification and Validation
For development and project teams to be confident and follow best practices, it is essential that verification and validation of code occur at all stages of the development process.
4.3 Use Verified Secure Software
- Approved API: The three benefits of using approved APIs are automation, programmatic control/access and third-party tool integration
- Software supply chain management (API)
- Community knowledge
4.4 Comprehend the Software Development Life Cycle (SDLC) Process
Phases and Methodologies
There are many different cloud software development life cycles, with many containing comparable phases. You can find two different representative software development life cycles below:
Another popular approach is:
- Planning and requirements analysis
Cloud Application Security Methodologies
Organizational Normative Framework
The Organizational Normative Framework, or ONF, is defined in ISO/IEC 27034-1. An ONF covers all components of best practices related to application security. An ONF includes:
- Business context
- Regulatory context
- Application security control library (ASC)
Application Normative Framework
The Application Normative Framework, or ANF, works in conjunction with an ONF. ANFs are created for a specific purpose, which is normally a specific application. ONFs and ANFs have a one-to-many relationship: one ONF commonly serves as the basis for multiple ANFs.
Application security management processes, or ASMPs, manage and maintain ANFs. There are five steps in the creation of an ASMP:
- Specification of application requirements and environment
- Application security risk assessment
- Creation and maintenance of the ANF
- Application provisioning and operating
- Auditing the application’s security
- Mandates everything, including infrastructure and architecture
- Defines the Service Level Agreement (SLA)
Software Configuration Management and Versioning
An essential part of application security is proper software configuration management and versioning. Two popular tools to this end are:
4.5 Apply the Secure Software Development Life-Cycle
Common vulnerabilities relevant to this subsection include:
- SQL injection
- Direct Object Reference
- Buffer Overflow
Applications running in PaaS environments may require “baked-in” security controls. Other considerations include:
- Encryption: May need to be programmed in at the application level
- Logging difficulties
- Make sure that applications can only access each other through a control
CSA has released “The Notorious Nine,” its list of the top cloud computing threats. These include:
- Data breach
- Data loss
- Account hijacking
- Insecure APIs
- Denial of service attacks
- Abuse of cloud services
- Malicious insiders
- Insufficient due diligence
- Shared technologies issues
Quality of Service
There are many considerations that go into quality of service, or QoS. A non-exhaustive list of QoS considerations includes:
- Mean time between failures
- Outage duration
- Capacity metric
- Performance metrics
- Reliability percentage metric
- Storage device capacity metric
- Server capacity metric
- Mean-time to switchover metric
- Response time metric
- Server scalability metric
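As an added example (not from the article or any CCSP study material), the Python below derives several of the metrics listed above, outage duration, mean time between failures, reliability percentage and mean time to switchover, from a constructed 30-day incident log and compares the result with an SLA target; the incident times, switchover seconds and the 99.9% target are assumed values.

```python
from datetime import datetime

# Constructed 30-day incident log: (outage start, outage end, seconds taken to
# switch over to the standby). All values are assumed for this example.
WINDOW_START = datetime(2024, 3, 1)
WINDOW_END = datetime(2024, 3, 31)
INCIDENTS = [
    (datetime(2024, 3, 4, 2, 10), datetime(2024, 3, 4, 2, 40), 45),
    (datetime(2024, 3, 17, 13, 0), datetime(2024, 3, 17, 14, 30), 120),
    (datetime(2024, 3, 29, 22, 5), datetime(2024, 3, 29, 22, 20), 30),
]


def qos_metrics(incidents, start, end):
    """Derive outage duration, MTBF, reliability and mean switchover time
    from an incident log covering the window [start, end)."""
    total_s = (end - start).total_seconds()
    down_s = sum((e - s).total_seconds() for s, e, _ in incidents)
    up_s = total_s - down_s
    n = len(incidents)
    return {
        "window_s": total_s,
        "outage_duration_min": down_s / 60,                # total time down
        "mean_outage_min": down_s / 60 / n if n else 0.0,  # mean time to restore
        "mtbf_hours": up_s / 3600 / n if n else float("inf"),
        "reliability_pct": 100 * up_s / total_s,
        "mean_switchover_s": sum(f for _, _, f in incidents) / n if n else 0.0,
    }


def sla_check(metrics, reliability_target=99.9):
    """Compare measured reliability with the SLA target and report how much of
    the window's permitted downtime (the error budget) has been consumed."""
    budget_min = (100 - reliability_target) / 100 * metrics["window_s"] / 60
    used_min = metrics["outage_duration_min"]
    return {
        "meets_sla": metrics["reliability_pct"] >= reliability_target,
        "budget_min": budget_min,
        "budget_used_pct": 100 * used_min / budget_min,
    }
```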
Threat modeling here uses the STRIDE model. The STRIDE acronym stands for:
- Information disclosure
- Denial of Service
- Elevation of privilege
4.6 Comprehend the Specifics of the Cloud Application Architecture
CCSP exam candidates are responsible for the following content:
- Supplemental security devices: Including DAM, WAF, API gateway and XML firewalls
- Cryptography: Including SSL, TLS and IPSEC
- Application virtualization
4.7 Design Appropriate Identity and Access Management (IAM) Solutions
- Federated identity
- Identity providers
- Single sign-on
- Multi-factor authentication
CCSP is a great certification to earn for information security professionals who want to focus their career on cloud computing security. To pass this certification exam, you will have to master the six domains of CCSP. Domain 4 can be mastered relatively easily, and if you solidify your understanding of the subsections set out above, you should have no problem mastering this domain of the CCSP certification exam.