All right, welcome back. Thanks for sticking around through the first half of the course. We've gone through the first three domains, and now we're moving on to Domain 4, which is cloud application security. I feel like there's quite a bit of this section on the exam, and for good reason. When we talk about Web applications,
that's what today's environment is all about: accessing information through the Web.
It's how we get information on new customers, how we collect orders, how we do business-to-business communications. So Web apps, very important topic. And of course, if they don't function securely, then we're in trouble. So in this chapter, we're gonna start off with where we always begin.
You know how much security is enough? The answer is just enough.
What do you mean, just enough? It means we start by figuring out what the value of the asset is.
How sensitive is the data? What classification is the data? What level of importance, whether it's availability or confidentiality or integrity? We start by looking at that, the value of the data. Here, we're gonna focus on data sensitivity, which, of course, is confidentiality.
Then the actual architecture of the Web apps themselves. To tell you the truth, we're not getting really deep into that, nor does the exam. But understanding, for instance, the different types of APIs, what an API is, and what its importance is, that's gonna be a piece.
Then we talk about security responsibilities across the model. So who's responsible for what?
Remember, the answer is: it's always my problem, right? But sometimes it's the cloud service provider's responsibility. So physical security is always gonna be the cloud service provider's responsibility.
But it's my problem if they're not secure. Right? So we keep going back to that idea that I'm ultimately liable. I'm ultimately accountable for the protection of my data.
All right, we'll talk about the SDLC, the beloved software development life cycle. That's the same whether you're designing Web apps or more traditional apps.
And the essential nature is security at every single phase of the software development life cycle. Remember, if we don't build in security, we're not just gonna stumble into a secure application, right? We have a plan for security.
All right, then we're gonna look at the OWASP Top 10 vulnerabilities. I want to be really clear: the exam expects you to understand what OWASP is. There are a couple of the vulnerabilities that are listed on OWASP you'll want to understand,
but they're not gonna ask you, "Hey, on the OWASP 2017 Top 10, what's the third most significant threat?" That's not what they're gonna do,
so I'm not gonna read through every one. I don't want you to memorize it per OWASP. You know, "Here are the seven, here are the top 10 in order." I don't need you to do that. But I want you to know about OWASP as a resource.
And we look at those top 10 items to say, "Listen, if I'm designing a Web application, this is the stuff I really need to focus on." So I won't go through it piece by piece,
but we'll hit on a few. All right, then.
Big topic today: identity and access management. Identity, making sure that individuals have the correct accounts to access resources, and then the access management piece, making sure they have the correct access to what they need based on policy or some other mechanism.
And then last but not least, we'll talk a little bit about application security testing. As the rule goes, no matter how brilliant your planning is, still test things out. That's a pretty good policy to follow. So, some of the things that we test for in our Web applications to make sure that they're secure.
So stick around, Chapter 4 is coming up.