Domain 4: Cloud Application Security
4.1 Advocate training and awareness for application security
- Cloud development basics
- Common pitfalls
- Common cloud vulnerabilities
4.2 Describe the Secure Software Development Life Cycle (SDLC) process
- Business requirements
- Phases and methodologies
  - Design, code, test, maintain
  - Waterfall vs. agile
4.3 Apply the Secure Software Development Life Cycle (SDLC)
- Cloud-specific risks
- Threat modeling
  - Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)
  - Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)
  - Architecture, Threats, Attack Surfaces, and Mitigations (ATASM)
  - Process for Attack Simulation and Threat Analysis (PASTA)
- Avoid common vulnerabilities during development
- Secure coding
  - Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)
  - Software Assurance Forum for Excellence in Code (SAFECode)
- Software configuration management and versioning
4.4 Apply cloud software assurance and validation
- Functional and non-functional testing
- Security testing methodologies
  - Blackbox
  - Whitebox
  - Static
  - Dynamic
  - Software Composition Analysis (SCA)
  - Interactive application security testing (IAST)
- Quality assurance (QA)
- Abuse case testing
4.5 Use verified secure software
- Securing application programming interfaces (API)
- Supply-chain management
- Third-party software management
- Validated open-source software
4.6 Comprehend the specifics of cloud application architecture
- Supplemental security components
  - Web application firewall (WAF)
  - Database Activity Monitoring (DAM)
  - Extensible Markup Language (XML) firewalls
  - Application programming interface (API) gateway
- Cryptography
- Sandboxing
- Application virtualization and orchestration
4.7 Design appropriate Identity and Access Management (IAM) solutions
- Federated identity
- Identity providers (IdP)
- Single sign-on (SSO)
- Multi-factor authentication (MFA)
- Cloud access security broker (CASB)
- Secrets management