# Domain 4: Cloud Application Security

# 4.1 Advocate training and awareness for application security

Cloud development basics
Common pitfalls
Common cloud vulnerabilities
- OWASP Top 10
- CWE Top 25

# 4.2 Describe the Secure Software Development Life Cycle (SDLC) process

Business requirements
Phases and methodologies
- Design, code, test, maintain
- Waterfall vs. agile

# 4.3 Apply the Secure Software Development Life Cycle (SDLC)

Cloud-specific risks
Threat modeling
Avoid common vulnerabilities during development
Secure coding
- Open Web Application Security Project (OWASP) Application Security
- Verification Standard (ASVS)
- Software Assurance Forum for Excellence in Code (SAFECode)
Software configuration management and versioning

# 4.4 Apply cloud software assurance and validation

Functional and non-functional testing
Security testing methodologies
- Blackbox
- Whitebox
- Static
- Dynamic
- Software Composition Analysis (SCA)
- Interactive application security testing (IAST)
Quality assurance (QA)
Abuse case testing

# 4.5 Use verified secure software

Securing application programming interfaces (API)
Supply-chain management
- Vendor assessment
Third-party software management
- Licensing
Validated open-source software

# 4.6 Comprehend the specifics of cloud application architecture

Supplemental security components
- Web application firewall (WAF)
- Database Activity Monitoring (DAM)
- Extensible Markup Language (XML) firewalls
- Application programming interface (API) gateway
Cryptography
Sandboxing
Application virtualization and orchestration
- Microservices
- Containers

# 4.7 Design appropriate Identity and Access Management (IAM) solutions

Federated identity
Identity providers (IdP)
Single sign-on (SSO)
Multi-factor authentication (MFA)
Cloud access security broker (CASB)
Secrets management