forked from SrivathsanNayak/ethical-hacking-notes
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f6ae800
commit e0715f2
Showing
3 changed files
with
69 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,70 @@ | ||
| # Securing Cloud Applications, Users & Related Technologies | ||
|
|
||
| 1. [Secure Software Development Lifecycle (SSDLC)](#secure-software-development-lifecycle-ssdlc) | ||
| 2. [Testing & Assessment](#testing--assessment) | ||
| 3. [DevOps & Immutable](#devops--immutable) | ||
| 4. [Secure Operations, Architecture & Related Technologies](#secure-operations-architecture--related-technologies) | ||
| 5. [Identity & Access Management (IAM) Definitions](#identity--access-management-iam-definitions) | ||
| 6. [Identity & Access Management (IAM) Standards](#identity--access-management-iam-standards) | ||
| 7. [Identity & Access Management (IAM) in Practice](#identity--access-management-iam-in-practice) | ||
|
|
||
| ## Secure Software Development Lifecycle (SSDLC) | ||
|
|
||
| * How Cloud changes AppSec: | ||
|
|
||
| * Opportunities: | ||
|
|
||
| * Higher baseline security | ||
| * Agility | ||
| * Isolated environments | ||
| * Independent VMs for microservices | ||
| * Elasticity | ||
| * DevOps | ||
| * Unified interface | ||
|
|
||
| * Challenges: | ||
|
|
||
| * Limited visibility | ||
| * Increased app scope | ||
| * Changing threat models | ||
| * Reduced transparency | ||
|
|
||
| * AppSec phases: | ||
|
|
||
| * Secure Design & Development - training, SSDLC, pre-deploy testing | ||
|
|
||
| * Secure Deployment - code review, testing, vulnerability assessment, deployment | ||
|
|
||
| * Secure Operation - change management, app defenses, ongoing assessment, activity monitoring | ||
|
|
||
| * SSDLC framework: | ||
|
|
||
|  | ||
|
|
||
| * Impact of cloud on SSDLC: | ||
|
|
||
| * Risks change; more support from cloud provider | ||
|
|
||
| * Large changes in visibility & control | ||
|
|
||
| * Management plane and metastructure part of threat model | ||
|
|
||
| * DevOps; managed via APIs | ||
|
|
||
| * Secure Design & Development: | ||
|
|
||
|  | ||
|
|
||
| * Threat modeling is done to get a view of all possible threats; one example is STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). The threat models are later mapped to their countermeasures. | ||
|
|
||
| ## Testing & Assessment | ||
|
|
||
| ## DevOps & Immutable | ||
|
|
||
| ## Secure Operations, Architecture & Related Technologies | ||
|
|
||
| ## Identity & Access Management (IAM) Definitions | ||
|
|
||
| ## Identity & Access Management (IAM) Standards | ||
|
|
||
| ## Identity & Access Management (IAM) in Practice |