All right. Cloud Application Security review. Like I said, it's an important chapter, a lot of information in there, because what we're dealing with today is that the world runs on web apps, right? So being able to secure those applications
starts with really having a basic understanding of how they work. So we started off by talking about looking at the sensitivity of what we're protecting, figuring that out.
We also had to consider who's responsible for what. Is it the cloud service provider? Is it my responsibility? And we know that ultimately, whether it's my responsibility or not, if something doesn't work, it's my problem. So if it's not a direct responsibility that I have,
I need to ensure that the service level agreement specifies
how the cloud service provider addresses the problems we may have. All right, we looked at the software development lifecycle. I said this could also apply to the system development life cycle, and we talked about how from the very first stage, looking at feasibility and gathering requirements,
that's got to include security. And then we consider security; we implement, we test for security.
We monitor for security all the way throughout the process. We've got to be more proactive with security in application design.
We looked at OWASP to give us some suggestions, some input on the top exploits. We said OWASP gives us the top 10; they release those every couple of years. We talked about how code injection was the number one
exploit that we see today, but also some things as basic as just misconfigurations of sites, broken authentication or poor authentication.
Cross-site scripting showed up again, and we know that's the threat to the user's browser, usually based on a redirect or a website that's running some sort of malicious script. Then we spent a good amount of time talking about identity and access management, and talking about how we want to take what we looked at in Chapter one.
And we want to take that and expand it to web applications and software-as-a-service providers
so that users can have single sign-on from their environment and access multiple resources out on the web. Then we wrapped up with just a short little couple of sentences, a couple of slides rather, about threat modeling and then also application security testing.
So that is Chapter four.
The end is near, folks. The next chapter, obviously Domain five, is going to be operations security, another one that's really, really significant for the exam. So stick around for that. We'll see you for the next section.