三叉戟

本页面只读。您可以查看源文件，但不能更改它。如果您觉得这是系统错误，请联系管理员。
**Summary**
 Developing software and applications for the cloud requires attention to security throughout 
the development process. That often starts with awareness and training, and then progresses 
through the rest of the software development lifecycle. Developers and security professionals 
need to be aware of common pitfalls as well as the most common cloud vulnerabilities, like 
those described by the OWASP Top 10 and SANS Top 25 lists. You’ll also need to under
stand the SDLC, common models, and what each phase of the SDLC involves.
Along the way, you’ll apply technologies like cryptography, sandboxing, and application 
containerization, as well as security components like web application firewalls and API gate
ways. Threat modeling using models like STRIDE and ATASM, as well as secure coding, are 
part of the planning, design, and coding processes. Testing also plays a role; analysts need 
to be familiar with functional and nonfunctional testing, static and dynamic testing, and a 
variety of other parts of the testing and QA process.
 Finally, in addition to software development concepts, identity and access management is 
an important part of application architectures and implementation. While it plays a broad 
role in the cloud, the CCSP exam objectives pair it with application development, focusing 
on federated identity, identity providers, SSO, and MFA as well as secrets management. Since 
each of those is part of a secure design, familiarity with threats to IAM is also important for 
this domain.
 **Exam Essentials**
 **Explain cloud development basics, including common pitfalls and vulnerabilities 
to avoid.** Understand common pitfalls in application development like ensuring 
performance, scalability, portability, and interoperability. Be familiar with the OWASP 
Top 10 and SANS Top 25, including examples of the vulnerabilities from both lists.
 **Describe the software development lifecycle and how it can be applied.** Explain common software development models like Agile and Waterfall. Describe threat models including DREAD, STRIDE, PASTA, and ATASM. Be familiar with secure coding practices and standards like OWASP, ASVS, and SAFECode.
 **Apply testing methodologies to application software.** Describe functional and nonfunctional testing. Explain methodologies like full knowledge, zero knowledge, static and 
dynamic testing, and interactive application security testing. Understand QA processes and 
the role of QA in the SDLC.
 **Manage the software supply chain and use verified secure software.** Explain API security best practices and security concerns. Describe supply chain security practices and why supply chain security is important. Understand the importance of assessing vendors, particularly for open- source and third- party software components.
 **Explain common application security technologies and supplemental security controls.** Be familiar with design elements like when and where to use cryptography to protect data in motion and data at rest. Explain the use of and differences between sandboxing, application virtualization, microservices, and containers. Describe the role of orchestration in application environments. Be familiar with the uses for and roles of web application firewalls, database activity monitoring, XML firewalls, API gateways, and cloud application security brokers.
 **Understand IAM solutions as well as common threats to identity and access management.** Explain federated identity and the role of identity providers in federated environments. Describe the differences between SSO and MFA. Understand the basics of secrets management and why secrets need to be protected in application environments. 
Explain the differences between user, privileged, and service access. Be ready to explain 
threats like lost or exposed credentials, improper configurations, excessive permissions, and 
a lack of monitoring and alerting in the context of identity and access management for applications in the cloud.