Cloud Application Security Testing Concepts and Methods

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> At this point, I hope you're a little afraid. We've talked about all the various threats that are out there that affect Cloud-based applications and considerations that should be taken when it comes to application security. Now we're really going to talk about what we're going to build on some of the concepts that we've talked about already and then get more specifically into how Cloud application security is tested through discovering some of the methods and concepts.

In this lesson, we're going to talk about the methods for testing Cloud application security. We're going to talk about the process for validating security of Cloud application components. Then we're going to talk about how these processes and methods work together to produce more secure Cloud applications.

We have already talked about APIs, we talked about RESTful APIs, SOAP APIs, the risks that are involved in using APIs as well as how you want to manage those. Then we've also talked about the notions of the advantages and disadvantages of open-source software when it comes to vulnerability attribution and vulnerability identification. Then also some of the benefits that come with the flexibility of modifying the security components of open source software to meet your organization's needs.

Well, some of the other important concepts that we're going to talk about going forward are as follows. First is threat modeling. Whenever you're designing an application or doing development, you want to think about what are the potential avenues and vulnerabilities within this application by the way that it works. We're going to go into some specific threat models that are often used. We're going to go deep into Microsoft's STRIDE threat model and talk about how it can be used to do more effective security testing. Then we want to talk about different methods for testing the security of software. There are active methods and passive methods and a whole host of ways of seeing how your application will perform and doing so in a secure manner.

Now, one of the most important things I wanted to really think about is this concept of quality of service. When we talked about the use of the Cloud, first and foremost, the business case was driving whether or not an organization should go to the Cloud, what risks it should really accept when operating in the Cloud, and the same is true when it comes to security testing of Cloud applications. You really want to think about what is this application meant to do, and then judge whether or not the impact of different security features impair that. This concept is called the quality of service. It's a delicate balance between ensuring that your customers can easily perform the task they need to do within your applications, or that they function as quickly as possible to meet the market demands, while also doing so in a secure manner. We're going to talk about this delicate balance between obtaining secure software and then also functional high-value software.

All right, quiz question. Which of these concepts represents the trade-off between application security and productivity? Is it quality of software, software security testing, or STRIDE? If you said quality of software or quality of service, you're correct. This really is an important concept for anyone to consider. The business is really driving the purpose for developing applications in the Cloud or using Cloud applications, and should really figure most prominently when doing effective security testing. We don't want the application to be so secure that it really degrades the overall quality and performance of whatever software is being developed.

In summary, we talked about the concepts and processes associated with secure application development. Then we talked about how those concepts really enable the development of more secure software and Cloud applications. All right, well, we're going to get into testing in more detail in future lessons. I'll see you then.