
In this video we will cover:
Application Security
Clean Code
In this video you will learn:
First, it should be said that a secure application means the code is clean and free of flaws and defects. Adding security to applications is also critical; the two things we add for security are encryption and authentication.
Adding security, such as cryptography, helps to secure the data that is being processed by the application, but it does not by itself make the application secure. Clean code requires that the developers, and everyone else who touches the project, be trained in how to develop clean code.
We encourage you to learn more about Introduction & What is Clean Code by watching this complete video. See you in the Next Video.
In this video we will cover:
Software Development Lifecycle
In this video you will learn:
The software development life cycle applies the logic of project management to software development. The life cycle is define, design, develop and test; at least, that is what is in the CSA Guidance 4.0 document.
Another SDLC, from a project perspective and more comprehensive, is:
Project management and initiation
Functional design
Detailed design
Develop and document
Test and update and push it to production
End of Life
If you have a different lifecycle that you prefer, that is fine. The logical flow is always the same: plan before you build; once it is built it can be tested; once ready it can be pushed out to the production environment.
(ISC)2 does not have a preferred lifecycle. The CSA has ½ of a lifecycle in their document. What is important is that we add security at every step of whichever lifecycle we choose to follow at the office.
We encourage you to learn more about the Software Development Life Cycle (SDLC) by watching this complete video. See you in the Next Video.
In this video we will cover:
Supply Chain Management
In this video you will learn:
We have supply chain concerns over where some of our code comes from. Statistics show that most applications have a significant amount of their code pulled from sources such as GitHub. The problems you face in the supply chain are: where does this code come from? Who created it? Is it being maintained? Is it being tested? And so on.
We encourage you to learn more about Supply Chain Management by watching this complete video. See you in the Next Video.
In this video we will cover:
Software Development Methodologies
In this video you will learn:
Once we have our software lifecycle, the next question is how do we move through that lifecycle? The lifecycle does not need to be followed in a linear format (waterfall). Many other approaches have been developed over the years. The ones showing up the most in business right now seem to be Agile, Scrum, DevOps, and DevSecOps.
We have covered these approaches in this short video. We encourage you to learn more about Software Development Methodologies by watching this complete video. See you in the Next Video.
In this video we will cover:
DEVOPS PRACTICES
In this video you will learn:
We now define infrastructure, applistructure, metastructure, and infostructure. Infrastructure is the routers, switches and servers, except that when we are in the cloud they are not physical.
With Infrastructure as Code (IaaC), our infrastructure is now just code. It is virtual. We do not have to buy a physical router if we are building a virtual Data Center (DC) in the cloud. In Infrastructure as a Service (IaaS) the routers, switches and servers are virtual, and when they are virtual, you could say they are just code.
We have covered key points in this short video. We encourage you to learn more about DevOps Practices by watching this complete video. See you in the Next Video.
In this short video, we have some thoughts on remembering numbers for the test. We encourage everyone to watch this video.
See you in the next video.
In this video we will cover:
Continuous Integration and Continuous Delivery
In this video you will learn:
If we look at Microsoft 365, my question is: when was the last time PowerPoint, Excel or Word was patched? With SaaS it is so much easier for the software developer to keep their products up to date, as opposed to the process that any application has to go through when patches need to be applied while the application is within the corporation's control.
What we really need is DevSecOps. There are many pictures of DevSecOps, but the one in the video is super cool because you have the basic DevOps loop in the middle and then security wrapped around the whole thing, so that security is part of both the development and the operations. Three different teams working together for the business.
We encourage you to watch the whole video to get answers.
In this video we will cover:
Software Testing
In this video you will learn:
Software must be tested. Software is the attack point; it is because of software flaws that attackers cause as much damage as they do. It is a constant battle to keep ahead of the bad actor, so knowing the different types of tests is a good starting point.
First we have two terms: verification and validation.
Verification: the first question is, does the software work? The functions that exist within an application need to be verified for functionality.
Validation: the second question is, did the developers build the software as it was designed? All features and functions need to be checked against the original build plan.
We have covered key points in this short video. We encourage you to learn more about Software Verification & Validation by watching this complete video. See you in the Next Video.
In this video we will cover:
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Interactive Application Security Testing (IAST)
Fuzz Testing
In this video you will learn:
First is SAST: the application is static, or stopped. This means the only thing you have is code; you can’t look at the running application. Because only the code is needed, this is good early in the development process and can be done from when the coding begins.
Next is DAST: the application is dynamic, or in a running condition. In DAST it is critical to simulate malicious attacks. DAST analyzes a running application by exercising the application's functionality and detecting vulnerabilities based on the application's behavior and responses.
IAST is testing that analyzes the behavior of the software while also being able to see the lines of code as they are being executed. In a way it is a combination of DAST and SAST.
Fuzz testing, or fuzzing, is basically throwing as much junk at the interface as you can to discover where the application breaks.
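To make the fuzzing idea concrete, here is a minimal mutation fuzzer added as an example (it is not from the course or the video). The target, parse_record, is a constructed toy parser with a deliberate missing bounds check; the fuzzer mutates seed inputs, runs the target on each, and keeps the shortest input for every distinct crash site it finds.

```python
"""Minimal mutation fuzzer, added to illustrate the fuzz testing described
above. parse_record is a constructed toy target with a bug; the fuzzer mutates
seed inputs, runs the target on each, and keeps the shortest input for every
distinct crash site it finds."""
import random
import traceback

def parse_record(data: bytes) -> list:
    """Constructed target: <count:1 byte> then count x (<len:1 byte><bytes>)."""
    count = data[0]
    fields, pos = [], 1
    for _ in range(count):
        length = data[pos]          # bug: never checks that pos < len(data)
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return fields

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, insert, delete or truncate."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:
        del data[rng.randrange(len(data))]
    elif data:
        del data[rng.randrange(len(data)):]
    return bytes(data)

def fuzz(target, seeds, iterations=2000, seed=1) -> dict:
    """Return {(exception name, line number): shortest crashing input}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except Exception as exc:                 # an unhandled exception = "it broke"
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            if key not in crashes or len(data) < len(crashes[key]):
                crashes[key] = data
    return crashes

if __name__ == "__main__":
    seeds = [b"\x02\x03abc\x02hi", b"\x01\x00"]       # constructed valid inputs
    for (name, line), data in sorted(fuzz(parse_record, seeds).items()):
        print(f"{name} at line {line} with input {data!r}")
```

Each crash is keyed by exception type and source line, so two different missing checks in the parser show up as two findings rather than thousands of duplicate failures.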
We have covered key points in this short video. We encourage you to learn more about Software Testing by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption
In this video you will learn:
We need to know the basics of encryption for this test. There are three basic things to know here: symmetric, asymmetric, and MIC (Message Integrity Control).
Symmetric is perfect if you want to keep something confidential. Message Integrity Control has to do with integrity. Asymmetric has to do with authenticity.
We encourage you to learn more about Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Data In Use
In this video you will learn:
Encryption of data in use is an area where work is still being done to figure out how to keep data encrypted while it is being used. The encryption methodology that applies to this is known as homomorphic cryptography.
We encourage you to learn more about Encrypting Data In Use by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption Of Data At Rest
In this video you will learn:
What we actually use encryption for today is encrypting data at rest and in transit. With data at rest, you can encrypt anything: a single file, a folder, a partition, or an entire drive.
We encourage you to learn more about Data at rest encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
SSH
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
SSH is used first and foremost by administrators when they are remotely connecting to and configuring devices such as routers, switches and servers. It can be used for other purposes though.
We encourage you to learn more about SSH by watching this complete video. See you in the Next Video.
In this video we will cover:
TLS
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
TLS is used first and foremost for the purpose of web based connections. It is a client-server protocol originally developed by Netscape. It can be used for other purposes though.
We encourage you to learn more about TLS by watching this complete video. See you in the Next Video.
In this video we will cover:
IPSec
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
IPSec is used first and foremost to protect single hop connections running over WAN or Internet service providers. It can be used for other purposes though.
We encourage you to learn more about IPsec by watching this complete video. See you in the Next Video.
In this video we will cover:
Symmetric Encryption
In this video you will learn:
Symmetric cryptography is also known as single-key, session-key, or shared-key cryptography because a single key is shared between transmitter and receiver. You can use it to encrypt anything, like data, voice, or video. You can also encrypt folders, drives, partitions, whatever you want to encrypt; symmetric is great for it. It keeps things confidential.
We encourage you to learn more about Intro to Symmetric by watching this complete video. See you in the Next Video.
In this video we will cover:
Asymmetric Encryption
In this video you will learn:
Asymmetric encryption serves two main purposes. First, it is good for exchanging and negotiating symmetric keys. Second, it is used to authenticate the source with a digital signature.
We encourage you to learn more about Introduction to Asymmetric Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Public Keys
Private Keys
In this video you will learn:
Verifying the source, whether it is the sender or the receiver, is only possible when you have public and private key pairs.
If the public key is used for encryption, then the private key must be used for decryption. Only the owner of the private key can decrypt, because that key is kept private and should never be shared with anyone. This achieves confidentiality of the transmitted information; a common use is to exchange the symmetric key.
If the private key is used for encryption, then the public key must be used for decryption. Anyone can decrypt, since the public key is public, so this does not achieve confidentiality, but it does prove the source. We call this a digital signature.
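The two directions described above, worked through in code as an added example (not from the course): textbook RSA with constructed toy-sized primes, where the public key wraps a symmetric session key that only the private key can unwrap, and the private key signs a message that anyone holding the public key can verify. The hash-then-reduce step in _digest is a simplification of the padding a real signature scheme uses.

```python
"""Textbook RSA with toy-sized primes, added to show which key does what:
public-key encrypt / private-key decrypt gives confidentiality (used to
exchange a symmetric key); private-key sign / public-key verify gives a
digital signature. Not production code: no padding and a tiny modulus."""
import hashlib
from math import gcd
from typing import NamedTuple, Tuple

class PublicKey(NamedTuple):
    n: int
    e: int
class PrivateKey(NamedTuple):
    n: int
    d: int

def _is_prime(x: int) -> bool:
    """Trial division, fine for the toy-sized primes used here."""
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))

def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive the public key (n, e) and private key (n, d) from two primes."""
    assert _is_prime(p) and _is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))

def encrypt(pub: PublicKey, m: int) -> int:
    """Encrypt with the PUBLIC key: only the private-key holder can decrypt."""
    assert 0 <= m < pub.n, "message must be smaller than the modulus"
    return pow(m, pub.e, pub.n)

def decrypt(priv: PrivateKey, c: int) -> int:
    """Decrypt with the PRIVATE key, which is never shared."""
    return pow(c, priv.d, priv.n)

def _digest(msg: bytes, n: int) -> int:
    # Hash the message and reduce it below the modulus (toy stand-in for padding).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv: PrivateKey, msg: bytes) -> int:
    """Sign with the PRIVATE key: anyone holding the public key can verify."""
    return pow(_digest(msg, priv.n), priv.d, priv.n)

def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    """Verify with the PUBLIC key: this proves the source, not confidentiality."""
    return pow(sig, pub.e, pub.n) == _digest(msg, pub.n)

if __name__ == "__main__":
    pub, priv = generate_keypair(999983, 1000003)   # constructed toy primes
    wrapped = encrypt(pub, 0xDEADBEEF)              # wrap a symmetric session key
    print("private key unwraps it:", decrypt(priv, wrapped) == 0xDEADBEEF)
    sig = sign(priv, b"invoice 42: pay 100")
    print("signature valid:", verify(pub, b"invoice 42: pay 100", sig))
    print("tamper detected:", not verify(pub, b"invoice 42: pay 900", sig))
```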
We encourage you to learn more about the Use Of Public and Private Keys by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Location
Transparent Encryption
In this video you will learn:
The critical question to answer is where is the key?
Normally for SaaS, the key is with the provider. There is an exception with one level of encryption related to SaaS, where we can keep the keys with the customers.
At the application level, relevant to IaaS and PaaS, the customer owns the application, so the key can be with them.
In infrastructure, you own the operating system and software on the virtual machines, so you can add the key.
At the database level, relevant to IaaS and PaaS, customer and provider both have the key. When you are encrypting the database, the database itself has to have the key in order to do transparent encryption, which means the key must be stored with the database, which is in the Cloud Provider’s network.
At the file level, related to IRM (Information Rights Management), the customer has the key.
In storage-level encryption for IaaS, PaaS, and SaaS you are encrypting a drive, so the key is with the Cloud Provider.
Transparent Encryption is a very specific term that applies to databases: the encryption is done transparently to the application using the database. We encourage you to learn more about key storage locations by watching this complete video. See you in the Next Video.
In this video we will cover:
Identity And Access Management
Identification and Authentication
In this video you will learn:
We will cover the basics of Identity and Access Management (IAM). With that, we have Identification, Authentication, Authorization, and Accountability (IAAA).
Identification: a statement of who you say you are.
Authentication: verification of the claimed identity.
Authorization: permissions granted or not.
Accountability: a log created so that someone can be held accountable for their actions.
In authentication, there are three factors.
Factor 1 is something you know, e.g., passwords.
Factor 2 is something you have, such as soft or hard tokens.
Factor 3 is something you are: a biometric, which can be behavioral or physiological, such as a fingerprint or a vocal print.
We encourage you to learn more about Basic IAAA Introduction by watching this complete video. See you in the Next Video.
In this video we will cover:
Single Sign-On
In this video you will learn:
The next important topic to discuss is Single Sign-On (SSO), which you add to make things easier for users. Sometimes it makes things easier for the bad guys as well. The number of accounts, passwords, tokens and other access mechanisms that we have to manage in business today is many per user.
Personally, you can think about your bank account, Amazon account, and many other places where you log on with a user ID and password. It is a lot to manage.
Most people use a single account to log in; for example, people use Facebook to log in at different places so they don't have to set up more identification and password combinations again and again.
We encourage you to learn more about Single Sign-On by watching this complete video. See you in the Next Video.
In this video we will cover:
SAML
In this video you will learn:
SAML stands for Security Assertion Markup Language. It is old, because cloud technology is evolving very quickly, but SAML is still well supported in the industry today. This is the technology we use to log on with Single Sign-On into the cloud.
SAML is XML based. Let’s take the example of Facebook: when you log on to Facebook in order to access a site you are trying to get to, how does that work? This is a good thing to know.
For example, if you are trying to access a website through Facebook and you see a Facebook button on that website, you click on that button to log in using Facebook, and it redirects you to Facebook. Your computer is now connected to Facebook, you log in, and Facebook sends a token through your computer over to that website.
The token is formatted with XML. The website that the user wants to connect to is the service provider, and Facebook is the identity provider or Identity as a Service (IaaS) provider.
The user's computer is the relaying party: it relays the token from the IaaS provider to the service provider. The service provider is the relying party: it relies on the IaaS provider to authenticate the user.
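The flow described above, simulated in code as an added example (not from the course): the service provider (SP) starts the login, the identity provider (IdP) issues an XML assertion after the user logs in, the user's browser relays it, and the SP checks signature, issuer, audience, request id and expiry before relying on it. The issuer, audience and key values are constructed, and an HMAC tag over the XML stands in for the XML signature a real IdP applies with its private key.

```python
"""SAML web SSO flow from the text, simulated: SP redirects the browser to the
IdP, the IdP issues a signed XML assertion, the browser relays it, and the SP
validates it before trusting the user. HMAC stands in for an XML signature."""
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

IDP_ISSUER = "https://idp.example/sso"      # constructed identifiers
SP_AUDIENCE = "https://app.example/saml"
IDP_KEY = b"constructed-idp-signing-key"     # stand-in for the IdP's private key

def _tag(xml_bytes: bytes) -> bytes:
    return hmac.new(IDP_KEY, xml_bytes, hashlib.sha256).hexdigest().encode()
class ServiceProvider:
    def __init__(self):
        self.pending = set()     # ids of AuthnRequests we have sent
    def start_login(self) -> dict:
        """Step 1: user clicks the SSO button; browser is redirected to the IdP."""
        req_id = "_" + secrets.token_hex(8)
        self.pending.add(req_id)
        return {"idp": IDP_ISSUER, "request_id": req_id, "audience": SP_AUDIENCE}
    def consume(self, token: str) -> str:
        """Step 3: validate the relayed assertion; only then rely on the IdP."""
        xml_bytes, tag = base64.b64decode(token).rsplit(b"|", 1)
        if not hmac.compare_digest(tag, _tag(xml_bytes)):
            raise ValueError("signature invalid: not from the IdP, or tampered")
        a = ET.fromstring(xml_bytes)
        if a.findtext("Issuer") != IDP_ISSUER:
            raise ValueError("unexpected issuer")
        if a.findtext("Audience") != SP_AUDIENCE:
            raise ValueError("assertion was issued for a different SP")
        if a.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or replayed assertion")
        if datetime.fromisoformat(a.get("NotOnOrAfter")) <= datetime.now(timezone.utc):
            raise ValueError("assertion expired")
        self.pending.discard(a.get("InResponseTo"))   # one-time use
        return a.findtext("Subject")

class IdentityProvider:
    def authenticate(self, username: str, request: dict) -> str:
        """Step 2: after the user logs in at the IdP, issue a signed assertion."""
        a = ET.Element("Assertion", InResponseTo=request["request_id"],
                       NotOnOrAfter=(datetime.now(timezone.utc) + timedelta(minutes=5)).isoformat())
        ET.SubElement(a, "Issuer").text = IDP_ISSUER
        ET.SubElement(a, "Subject").text = username
        ET.SubElement(a, "Audience").text = request["audience"]
        xml_bytes = ET.tostring(a)
        return base64.b64encode(xml_bytes + b"|" + _tag(xml_bytes)).decode()

def sso_login(sp, idp, username: str) -> str:
    """The user's browser is the relaying party, carrying each message."""
    request = sp.start_login()                   # browser is redirected to the IdP
    token = idp.authenticate(username, request)  # user logs in at the IdP
    return sp.consume(token)                     # browser posts the token to the SP
```

The SP never sees the user's password; it accepts the IdP's word only because the assertion is signed, addressed to this SP, answers a request it actually sent, and has not expired or been used before.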
We encourage you to learn more about SAML by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Access Security Broker
In this video you will learn:
CASB is built around trying to see what users are doing. We must know where users are sending data. It monitors what they are looking for and what they actually connect to. If it is an encrypted session, it can do man-in-the-middle monitoring. It can also do data loss and leak prevention and monitor DNS queries.
We have also covered some key points from this short video. We encourage you to learn more about CASB by watching this complete video. See you in the Next Video.
In this course we walk through all of the critical concepts within the Cloud Application Security domain. This domain is 17% of the test as of August 2022. I will guide you through all of the concepts that you need to know and advise you on the level of knowledge that you need to get comfortable with.
There are over two and a half hours of video content plus course notes based on information from my book, Cloud Guardians.
We will explore the software development lifecycle (SDLC), including the phases and the methodologies for moving through those phases.
It is important to know the risks to applications, including any that are cloud specific. We will talk about SQL injection, buffer overflows and the like. The more you know of these threats, from the Pandemic 11 to OWASP and the SANS Top 20, the better prepared you will be for the exam.
Threat modeling techniques are also key. We will look at STRIDE and DREAD and a couple of others.
Testing applications is critical, as this is our most common attack point these days. We will talk about closed box and open box testing as well as DAST, SAST and IAST.
There is also a great need to take care with the supply chain involved in creating software today. We have learned from recent attacks that the supply chain can be compromised.
We finish with a discussion of maturity models and data rights management/information rights management.