CCSK Domain 10 Application Security
XACML - ANS-eXtensible Access Control Markup Language
OpenID - ANS-an open standard permitting users to be authenticated in a decentralized
manner
OAuth - ANS-Open Authorization, an open standard for authorization allowing users to
share their private resources with tokens instead of credentials
SAML - ANS-Security Assertion Markup Language, an XML-based OASIS open
standard for exchanging authentication & authorization data between security domains
IdEA - ANS-Identity
Entitlement
Access Management
ISAE 3402 / SSAE 16 - ANS-replaces SAS 70
What are the components of IdEA? - ANS-Authentication
Authorization
Administration
Audit and Compliance
Policy
For user-centric authorization model, the user is the _______________. The user
determines the access for their resources, and the service provider acts as
_______________. - ANS-PDP, PEP
OAuth is widely used for this model, and User Managed Access (UMA) is also an
emerging standard in this space.
For an enterprise-centric authorization model, the enterprise is the _______________
or _______________ and the service provider acts as _______________ - ANS-PDP
Policy Access Point (PAP)
PEP
Authorization - ANS-in broadest terms refers to enforcing the rules by which access is
granted to the resources
, What are the 3 approaches for interoperability testing? - ANS-Testing all pairs
Testing some of the combinations
Testing against a reference implementation
OWASP Testing Guide V3.0
Penetration Testing - ANS-Configuration Management Testing
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service
Web Service Testing
Ajax Testing (RIA Security Testing)
Mash-up - ANS-A mashup in web development is a web page or web application, that
uses content from more than one-source to create a single new service displayed in a
single graphical interface.
The term implies easy, fast integration, frequently using open API and data sources to
produce enriched results that were not necessarily the original reason for producing the
raw source data
Threat for cloud apps & cooresponding address by IdEA - ANS-Spoofing --
Authentication
Tampering -- Hash or Digital Signature
Repudiation -- Digital Signature (use SAML) *****************audit logging
Information Disclosure -- SSL, encryption
*****************(strictly not IdEA specific)
Denial of Service -- Security Gateway
Elevation of Privileges -- Authorization (OAuth)
SAPM - ANS-Shared Acct Password Management
manages highly privileged accounts allows for segregation of duties and least priviledge
SCIM - ANS-Simple Cloud Identity Management
(new emerging standard)
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Hkane. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for £6.46. You're not tied to anything after your purchase.