XACML - ANS-eXtensible Access Control Markup Language
OpenID - ANS-an open standard permitting users to be authenticated in a decentralized manner
OAuth - ANS-Open Authorization, an open standard for authorization allowing users to
share their private resources with tokens instead of credentials
SAML - ANS-Security Assertion Markup Language, an XML-based OASIS open
standard for exchanging authentication & authorization data between security domains
IdEA - ANS-Identity
Entitlement
Access Management
ISAE 3402 / SSAE 16 - ANS-replaces SAS 70
What are the components of IdEA? - ANS-Authentication
Authorization
Administration
Audit and Compliance
Policy
For user-centric authorization model, the user is the _______________. The user
determines the access for their resources, and the service provider acts as
_______________. - ANS-PDP, PEP
OAuth is widely used for this model, and User Managed Access (UMA) is also an
emerging standard in this space.
For an enterprise-centric authorization model, the enterprise is the _______________
or _______________ and the service provider acts as _______________ - ANS-PDP
Policy Access Point (PAP)
PEP
Authorization - ANS-in broadest terms refers to enforcing the rules by which access is
granted to the resources
What are the 3 approaches for interoperability testing? - ANS-Testing all pairs
Testing some of the combinations
Testing against a reference implementation
OWASP Testing Guide V3.0
Penetration Testing - ANS-Configuration Management Testing
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service
Web Service Testing
Ajax Testing (RIA Security Testing)
Mash-up - ANS-A mashup in web development is a web page or web application that
uses content from more than one source to create a single new service displayed in a
single graphical interface.
The term implies easy, fast integration, frequently using open APIs and data sources to
produce enriched results that were not necessarily the original reason for producing the
raw source data.
Threats for cloud apps & the corresponding IdEA control that addresses each - ANS-Spoofing --
Authentication
Tampering -- Hash or Digital Signature
Repudiation -- Digital Signature (use SAML); also audit logging
Information Disclosure -- SSL, encryption (strictly not IdEA specific)
Denial of Service -- Security Gateway
Elevation of Privileges -- Authorization (OAuth)
SAPM - ANS-Shared Account Password Management
manages highly privileged accounts; allows for segregation of duties and least privilege
SCIM - ANS-Simple Cloud Identity Management
(new emerging standard)