Devops Unit5

The document discusses various aspects of application security, including Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST), highlighting their differences and use cases. It outlines best practices for cloud-native application development, threat modeling, and the importance of Infrastructure as Code (IaC) scanning for maintaining secure cloud infrastructure. Additionally, it covers cloud security compliance, the OWASP Top 10 web application security risks, and the role of Identity and Access Management (IAM) in securing access to systems and data.

unit 5

What is Dynamic Application Security Testing (DAST), and how is it different
from Static Application Security Testing (SAST)?
Describe best practices for ensuring security in cloud-native application
development.
Define threat modeling. How does it assist in identifying and addressing
potential security threats in a system?
What is Infrastructure as Code (IaC) scanning, and why is it essential for
maintaining secure cloud infrastructure?
How can security vulnerabilities arise from misconfigured cloud services?
Explain with a relevant example.
What is meant by cloud security compliance? Provide a detailed explanation of
the FedRAMP and NIST security frameworks and how they contribute to
ensuring compliance in cloud environments.
List the OWASP Top 10 web application security risks. Choose any three
vulnerabilities from the list, explain them in detail, and describe how they can
be mitigated using secure coding practices.
Define Identity and Access Management (IAM). Discuss the four key
components of IAM and their role in securing access to systems and data.
Compare Dynamic Application Security Testing (DAST) with penetration testing
by listing three similarities and three differences. Also, mention the use cases
where each method is most appropriate.
What is vulnerability scanning? Outline the major steps involved in the
vulnerability management lifecycle.
Define encryption. With the help of a clear diagram, explain the lifecycle of key
management in encryption systems.
What are secure coding practices, and why are they important in software
development?
What is Static Application Security Testing (SAST), and how does it function?
What are the main security factors to consider when working with major cloud
platforms like AWS, Azure, or GCP?
What is vulnerability scanning, and how does it support application security?
How do SAST and DAST compare, and in which situations should each be
used?
How do Identity and Access Management (IAM) and encryption work together
to improve security in the cloud?

What are the OWASP Top 10 security vulnerabilities? Choose any two from the
list and explain strategies to mitigate them.

Q1, 16 - What is Dynamic Application
Security Testing (DAST), and how is it
different from Static Application Security
Testing (SAST)? In which situations should
each be used?
🔍 What is DAST?
DAST (Dynamic Application Security Testing) is a black-box security testing
method that:

Tests the application while it is running (runtime testing).

Simulates external attacks by interacting with the live app.

Looks for vulnerabilities like SQL injection, cross-site scripting (XSS),
insecure authentication, etc.

Does not require access to source code.

When to use:

After deployment or on staging/testing environments.

To test how the application behaves in a real environment.

To find runtime vulnerabilities that code analysis can miss.

📌 Example: DAST tools send input to a live web app to see if
it reacts in an insecure way, like exposing error messages or
allowing unauthorized access.

🧬 What is SAST?
SAST (Static Application Security Testing) is a white-box security testing
method that:

Analyzes the application’s source code, bytecode, or binaries.

Finds vulnerabilities before the code is run (at build or development time).

Helps developers identify and fix issues early, like insecure coding patterns
or hardcoded secrets.

When to use:

Early in the development cycle (during coding or build).

To find issues in the code itself.

For developers to fix bugs before deployment.

📌 Example: SAST scans your codebase and flags insecure
code, such as SQL queries built with string concatenation.

🆚 Key Differences Between DAST and SAST


| Feature | DAST | SAST |
| --- | --- | --- |
| Access Required | No source code needed (black-box) | Needs full access to source code (white-box) |
| When Used | During runtime (after deployment) | During development or build time |
| Vulnerabilities Found | Runtime issues like XSS, SQL injection | Code issues like logic flaws, insecure functions |
| Developer Friendly? | Less feedback on exact code location | Pinpoints exact lines of insecure code |
| False Positives | Usually fewer | Sometimes more (context may be missing) |
| Integration | Post-deployment testing | Early in the CI/CD pipeline |

✅ Conclusion
SAST = “Check your code before it runs.”

DAST = “Check your app while it runs.”

Both are complementary. For strong security, many organizations use both
SAST and DAST in their DevSecOps pipelines.

Use SAST: Early development, code review, and when you want to prevent
vulnerabilities from entering the codebase.

Use DAST: Later stages, testing deployed apps, and when you want to find
vulnerabilities that appear during execution.

Q2-Describe best practices for ensuring
security in cloud-native application
development.
Ensuring security in cloud-native application development involves
integrating security into every stage of the software development lifecycle
(SDLC). Here are the best practices developers and DevOps teams should
follow:

🔐 1. Shift Security Left (DevSecOps)


Integrate security early in the development process.

Use SAST, DAST, and software composition analysis (SCA) tools in your
CI/CD pipeline.

Automate security checks as part of code commits and builds.

☁️ 2. Use Secure Cloud Configurations


Apply the principle of least privilege for IAM roles, service accounts, and
secrets.

Avoid hardcoding secrets or credentials; use a secrets manager (e.g., AWS
Secrets Manager, Azure Key Vault).

Disable unused services and enforce strong access policies.

🧰 3. Use Container Security Best Practices


Use trusted base images and regularly scan for vulnerabilities (e.g., with
Trivy or Clair).

Keep images minimal (no unused packages or tools).

Apply runtime protection with tools like Falco or AppArmor.

🔄 4. Implement CI/CD Security
Secure your build and deployment pipelines (e.g., restrict who can trigger
builds).

Use code signing to verify the authenticity of deployed artifacts.

Store and manage dependencies in private registries with scanning (e.g.,
Nexus, Azure Artifacts).

🔒 5. Network Security and Zero Trust


Enforce zero trust networking—every component must authenticate and
authorize.

Use service meshes (e.g., Istio, Linkerd) to encrypt traffic and control
access between services.

Limit public exposure using firewalls, ingress controllers, and private
endpoints.

🧪 6. Continuous Monitoring and Logging


Monitor logs and metrics with centralized logging tools (e.g., ELK Stack,
Prometheus, Grafana).

Set up alerts for unusual behavior or unauthorized access.

Integrate with SIEM tools for advanced threat detection.

📦 7. Use Policy as Code


Define and enforce security policies using tools like OPA (Open Policy
Agent) or Kubernetes PodSecurityPolicies.

Automate compliance checks against policies in CI/CD.

🛡️ 8. Regularly Audit and Patch


Continuously scan your dependencies, containers, and infrastructure for
vulnerabilities.

Apply security patches and updates promptly.

Use infrastructure as code (IaC) to version and manage security
configurations.

🧑‍🤝‍🧑 9. Train Your Team
Educate developers and DevOps engineers on secure coding practices.

Promote a security-first mindset through regular training and simulated
attacks (e.g., red teaming).

🔁 10. Use Multi-Layered Defense (Defense in Depth)


Combine several security measures at different levels (app, container,
infrastructure, network).

This way, if one layer fails, others still provide protection.

Q3-Define threat modeling. How does it
assist in identifying and addressing
potential security threats in a system?
✅ Definition: Threat Modeling
Threat modeling is a proactive security process used to identify, evaluate,
and address potential security threats and vulnerabilities within a system,
before they are exploited. It involves analyzing how an attacker might exploit
weaknesses in your application or infrastructure and what can be done to
prevent or mitigate those risks.

Purpose of Threat Modeling


Think like an attacker to find security flaws.

Understand what assets need protection.

Prioritize threats based on risk and impact.

Implement defenses early in the design phase.

Process (5 steps)

1. Define the System

Understand what you are building.

Identify components like servers, databases, APIs, etc.

2. Identify Assets

Determine what needs protection (e.g., user data, credentials, financial
records).

Focus on both technical and business-critical assets.

3. Create Architecture Diagrams

Draw how data flows between components.

Include users, external systems, trust boundaries, and interactions.

4. Identify Threats

Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, etc.).

Think like an attacker: What can go wrong?

5. Mitigate and Document

Plan defenses and security controls to reduce or eliminate threats.

Document findings, decisions, and mitigation strategies.

🛠️ Example Tools
Microsoft Threat Modeling Tool

OWASP Threat Dragon

IriusRisk

draw.io / Lucidchart (for visual threat diagrams)

How it helps identify and address potential security threats:

1. Defines Security Scope Early


– Helps teams understand what to protect and where threats could arise
before any code is written.

2. Identifies Critical Assets

– Pinpoints sensitive data and components that are most likely to be
targeted by attackers.

3. Visualizes System Architecture

– Uses diagrams to show how data flows, where trust boundaries are, and
how components interact.

4. Uncovers Potential Threats

– Encourages teams to think like attackers using frameworks like STRIDE to
identify vulnerabilities.

5. Prioritizes Security Efforts


– Helps focus on the most likely and impactful threats, so resources are
used effectively.

6. Guides Mitigation Strategies

– Provides a clear path for adding appropriate security controls and
reducing risk.

Q4 What is Infrastructure as Code (IaC)
scanning, and why is it essential for
maintaining secure cloud infrastructure?
Infrastructure as Code (IaC) scanning is the process of automatically
analyzing IaC files (like Terraform, CloudFormation, or Ansible scripts) to detect
security misconfigurations, policy violations, and vulnerabilities before
infrastructure is deployed.
IaC scanning helps "secure your cloud before it exists" by catching issues
during infrastructure planning—not after deployment.

Why IaC Scanning Is Essential for Cloud Security:


1. Early Detection of Security Issues

– Finds misconfigurations (e.g., open ports, overly permissive roles) before
they reach production.

2. Automates Security Checks


– Ensures security is part of the DevOps workflow by integrating into CI/CD
pipelines.

3. Prevents Misconfigured Cloud Resources

– Stops risky infrastructure (like public S3 buckets or weak IAM roles) from
being provisioned.

4. Improves Compliance
– Helps meet regulatory standards (e.g., CIS, GDPR, HIPAA) by enforcing
security policies automatically.

5. Reduces Human Error

– Automates review of IaC templates, minimizing the risk of manual
mistakes.

6. Enables Shift-Left Security


– Moves security checks earlier in the development process, saving time
and reducing costs.

Q5 How can security vulnerabilities arise
from misconfigured cloud services?
Explain with a relevant example.
Security vulnerabilities can arise from misconfigured cloud services when
settings like access controls, permissions, encryption, or networking are not
properly set. These misconfigurations can expose sensitive data, allow
unauthorized access, or enable attackers to exploit the system.

🔒 How Misconfiguration Leads to Vulnerabilities:


1. Overly permissive access controls

– Granting public or wide access to sensitive resources unintentionally.

2. Disabled encryption
– Data stored or transferred without encryption can be intercepted or
stolen.

3. Open ports or insecure network settings


– Can allow attackers to scan and attack exposed services.

4. Misconfigured identity and access management (IAM)

– Weak or overly broad IAM roles can give attackers unnecessary
permissions.

📌 Example: Public S3 Bucket in AWS


A developer sets up an Amazon S3 bucket to store application logs.

They accidentally configure it with public read access, assuming it's
needed for debugging.

The bucket contains sensitive customer data (e.g., names, email
addresses).

A malicious user discovers the open bucket using a scanner and
downloads the data, resulting in a data breach.

🛡️ Result:
Misconfiguration here led to data exposure, potential regulatory violations (like
GDPR), and loss of customer trust.
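
Added example (not part of the original notes) covering Q4 and Q5: an IaC scan in Python over a constructed CloudFormation-style template that flags the public S3 bucket described above, an open port and an over-broad IAM role. Resource names, rule IDs and the allowed-port policy are assumptions made for the example.

```python
import json

# Constructed CloudFormation-style template (sample input for this example).
TEMPLATE = json.loads("""
{
  "Resources": {
    "AppLogs": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
      ]}
    },
    "AppRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"Policies": [{
        "PolicyName": "app",
        "PolicyDocument": {"Statement": [
          {"Effect": "Allow", "Action": "*", "Resource": "*"}
        ]}
      }]}
    }
  }
}
""")

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}
INTERNET = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}  # assumption: policy chosen for this example


def _as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_bucket(name, props):
    if props.get("AccessControl") in PUBLIC_ACLS:
        yield (name, "S3_PUBLIC_ACL", "bucket ACL grants public access")
    if "BucketEncryption" not in props:
        yield (name, "S3_NO_ENCRYPTION", "no encryption declared in the template")


def check_security_group(name, props):
    for rule in props.get("SecurityGroupIngress", []):
        source = rule.get("CidrIp") or rule.get("CidrIpv6")
        if source not in INTERNET:
            continue
        # A missing port range (IpProtocol "-1") means every port.
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if not set(range(low, high + 1)) <= ALLOWED_PUBLIC_PORTS:
            yield (name, "SG_OPEN_PORT", f"ports {low}-{high} reachable from {source}")


def check_role(name, props):
    for policy in props.get("Policies", []):
        statements = _as_list(policy.get("PolicyDocument", {}).get("Statement", []))
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                yield (name, "IAM_WILDCARD_ACTION", f"Allow on {actions}")


CHECKS = {
    "AWS::S3::Bucket": check_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::IAM::Role": check_role,
}


def scan(template):
    """Return (resource, rule_id, message) for every failed check."""
    findings = []
    for name, resource in sorted(template.get("Resources", {}).items()):
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


def ci_exit_code(findings):
    """Non-zero fails the pipeline stage before anything is provisioned."""
    return 1 if findings else 0


if __name__ == "__main__":
    for resource, rule, message in scan(TEMPLATE):
        print(f"{rule:20} {resource:10} {message}")
```

Run as a CI step, the non-zero exit code blocks the deployment until the template is fixed, which is the "before it exists" point made in Q4.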

Q6-What is meant by cloud security
compliance? Provide a detailed
explanation of the FedRAMP and NIST
security frameworks and how they
contribute to ensuring compliance in
cloud environments.
Cloud Security Compliance refers to the practice of ensuring that cloud
services, infrastructure, and applications meet established legal, regulatory,
and industry standards designed to protect data privacy, security, and integrity.
Compliance involves following a set of rules, guidelines, and best practices to
manage risks and demonstrate that an organization’s cloud operations adhere
to required security controls.

FedRAMP (Federal Risk and Authorization Management Program)

Purpose: FedRAMP is a U.S. government program that standardizes
security assessment, authorization, and continuous monitoring for cloud
products and services used by federal agencies.

Scope: Applies primarily to cloud service providers (CSPs) working with
federal government agencies.

Framework: FedRAMP uses a standardized approach based on the NIST SP
800-53 security controls, ensuring CSPs implement rigorous security
measures.

Process: CSPs undergo a formal security authorization process, including
third-party assessments, to receive an Authority to Operate (ATO).

Contribution to Compliance: FedRAMP helps ensure that cloud services
meet federal security requirements, enabling agencies to trust cloud
providers without conducting individual assessments. It reduces duplication
of effort and increases security transparency.

NIST (National Institute of Standards and Technology) Security Frameworks

Purpose: NIST develops widely recognized cybersecurity standards and
guidelines to help organizations manage and reduce cybersecurity risks.

Key Publications:

NIST SP 800-53: Provides a catalog of security and privacy controls for
federal information systems and organizations, widely used for cloud
security compliance.

NIST Cybersecurity Framework (CSF): A flexible framework designed
to improve critical infrastructure security through five core functions:
Identify, Protect, Detect, Respond, and Recover.

Scope: Applicable across public and private sectors globally, adaptable for
cloud environments.

Contribution to Compliance:

Offers a comprehensive, structured set of controls and best practices
for securing cloud infrastructure.

Enables organizations to assess risks systematically, implement
controls, and align security strategies with business goals.

Provides a baseline for federal agencies and companies seeking to
comply with regulations like FedRAMP.

How FedRAMP and NIST Ensure Cloud Compliance

Standardization: Both provide standardized security requirements that
cloud providers must meet, reducing variability and increasing assurance.

Risk Management: They promote systematic risk assessment and
mitigation strategies to protect cloud resources.

Continuous Monitoring: Both frameworks emphasize ongoing evaluation to
maintain security over time.

Trust and Transparency: They help organizations and government
agencies select cloud services confidently, knowing they comply with
recognized security standards.

Q7, 18 - List the OWASP Top 10 web
application security risks. Choose any
three vulnerabilities from the list, explain
them in detail, and describe how they can
be mitigated using secure coding
practices.

OWASP Top 10 Web Application Security Risks (2021 version):

1. Broken Access Control

2. Cryptographic Failures

3. Injection

4. Insecure Design

5. Security Misconfiguration

6. Vulnerable and Outdated Components

7. Identification and Authentication Failures

8. Software and Data Integrity Failures

9. Security Logging and Monitoring Failures

10. Server-Side Request Forgery (SSRF)

1. Injection
What is it?
Happens when bad input tricks the system into running commands it
shouldn’t, like hacking a database by typing in malicious code.

How to fix it:

Always use safe ways to talk to the database (like prepared
statements).

Check and clean any input before using it.

Don’t just stick user input directly into commands.

2. Broken Access Control


What is it?
When people can do things they shouldn’t, like seeing or changing other
users’ info because the system doesn’t stop them.

How to fix it:

Give users only the permissions they really need.

Always check on the server what a user is allowed to do.

Use roles or rules to control who can do what.

Test regularly to make sure access rules work.

3. Security Misconfiguration
What is it?

When the app or server isn’t set up safely, like using default passwords or
leaving extra services open that hackers can use.

How to fix it:

Set up secure default settings for everything.

Turn off things you don’t need.

Keep all software and tools updated.

Use automated tools to manage settings so mistakes don’t happen.

Don’t show sensitive info in error messages.

Q 8-Define Identity and Access
Management (IAM). Discuss the four key
components of IAM and their role in
securing access to systems and data.

IAM is a system that helps organizations control who can access their systems
and data, and what they can do with that access. It ensures that only the right
people get the right permissions at the right time.

Four Key Components of IAM and Their Roles:


1. Identification

This is about recognizing a user or system trying to access resources.

Example: When you enter your username or email to log in.

2. Authentication

This confirms that the user is who they say they are.

Methods include passwords, biometrics, or multi-factor authentication
(MFA).

3. Authorization

Determines what the authenticated user is allowed to do (their
permissions).

Example: A user may be allowed to view data but not delete it.

4. Auditing

Keeps records of who accessed what and when.

Helps detect and investigate security issues or policy violations.

Q9- Compare Dynamic Application
Security Testing (DAST) with penetration
testing by listing three similarities and
three differences. Also, mention the use
cases where each method is most
appropriate.
Similarities between DAST and Penetration Testing:
1. Both test the application from the outside (black-box testing) without
needing access to the source code.

2. Both aim to identify security vulnerabilities by simulating attacks.

3. Both can be used to improve the security posture of an application by
finding weaknesses before attackers do.

Differences between DAST and Penetration Testing:


1. Automation vs. Manual

DAST is mostly automated using tools that scan applications
continuously.

Penetration testing is usually manual and performed by skilled security
experts who use creativity and experience.

2. Scope and Depth

DAST tools scan for common vulnerabilities and provide a broad but
shallow assessment.

Penetration testing is deeper and can uncover complex, hidden
vulnerabilities by exploiting weaknesses.

3. Frequency and Timing

DAST is often integrated into the CI/CD pipeline for regular automated
testing.

Penetration testing is done periodically (e.g., quarterly or annually) as a
comprehensive security review.

Use Cases:
DAST:

Best for continuous security testing during development and
deployment.

Useful for finding common runtime vulnerabilities like SQL injection or
XSS automatically.

Penetration Testing:

Best for deep, expert-driven security assessments before major
releases or for compliance requirements.

Useful for discovering complex logic flaws or chained exploits that
automated tools may miss.

Q 10-What is vulnerability scanning?
Outline the major steps involved in the
vulnerability management lifecycle.
Vulnerability scanning is the process of automatically inspecting a system,
network, or application to identify security weaknesses, misconfigurations, or
vulnerabilities that could be exploited by attackers. It helps organizations find
and fix security issues before they can be used maliciously.

Major Steps in the Vulnerability Management Lifecycle:

1. Asset Discovery:
Identify and list all hardware, software, and network assets that need to be
scanned.

2. Vulnerability Scanning:

Use automated tools to scan assets for known vulnerabilities and security
gaps.

3. Analysis and Prioritization:


Analyze scan results to verify vulnerabilities and prioritize them based on
risk, impact, and exploitability.

4. Remediation:
Fix the identified vulnerabilities by applying patches, changing
configurations, or other security measures.

5. Verification:
Re-scan the assets to ensure vulnerabilities have been successfully
resolved.

6. Reporting and Documentation:


Document findings, actions taken, and maintain reports for compliance and
future reference.

Q 11-Define encryption. With the help of a
clear diagram, explain the lifecycle of key
management in encryption systems.
Encryption is the process of converting plain, readable data (plaintext) into an
unreadable format (ciphertext) using an algorithm and a key. This protects the
data from unauthorized access by ensuring that only those with the correct key
can decrypt and read the original information.

Lifecycle of Key Management in Encryption Systems
Key management involves the secure handling of cryptographic keys
throughout their entire lifecycle to ensure data confidentiality and integrity.

Key Generation:
Creation of cryptographic keys using secure algorithms.

Key Distribution:
Securely sharing or distributing the key to authorized users or systems.

Key Storage:
Safely storing keys in a secure location or hardware module to prevent
unauthorized access.

Key Usage:

Using the key to encrypt and decrypt data during communication or
storage.

Key Rotation / Renewal:


Regularly updating keys to reduce the risk of compromise.

Key Revocation:

Invalidating keys that are no longer secure or needed.

Key Destruction:
Securely deleting keys to prevent any future use.

Q12-What are secure coding practices,
and why are they important in software
development?
Secure coding practices are a set of guidelines and techniques that
developers follow to write software that is resistant to vulnerabilities and
attacks. These practices help ensure that the code is robust, safe, and protects
users’ data and privacy.

Why secure coding practices are important:


1. Prevent Security Flaws: They help avoid common security issues such as
SQL injection, cross-site scripting (XSS), and buffer overflows.

2. Protect Sensitive Data: Secure coding helps safeguard personal, financial,
or confidential data from unauthorized access.

3. Maintain Application Integrity: Ensures the application behaves as
intended without being manipulated or corrupted by attackers.

4. Reduce Costs: Fixing security problems early in development is much
cheaper than after deployment or after a breach.

5. Build Trust: Secure software increases user confidence and protects the
reputation of the company or product.

6. Compliance: Many industries have legal or regulatory requirements that
mandate secure software development.

In short, secure coding practices are essential because they help build
software that is reliable, trustworthy, and safe from cyber threats.

Q 13-What is Static Application Security
Testing (SAST), and how does it function?
Static Application Security Testing (SAST) is a method of analyzing source
code, bytecode, or binary code to find security vulnerabilities without actually
running the program. It’s sometimes called “white-box testing” because it
examines the internal workings of the application.

How SAST functions:


1. Code Analysis: SAST tools scan the application’s source code or compiled
code.

2. Pattern Matching: They look for known insecure coding patterns, such as
buffer overflows, SQL injection risks, or improper input validation.

3. Early Detection: Since it analyzes code early in development, it helps catch
vulnerabilities before the application is run.

4. Reports: The tool generates detailed reports showing the location and type
of vulnerabilities in the code.

5. Integration: SAST can be integrated into development environments and
CI/CD pipelines for continuous security checks.

Q 14 What are the main security factors to
consider when working with major cloud
platforms like AWS, Azure, or GCP?
When working with major cloud platforms like AWS, Azure, or GCP, the main
security factors to consider are:

1. Identity and Access Management (IAM):

Properly manage user permissions and roles to ensure least privilege
access.

2. Data Protection:
Use encryption for data at rest and in transit to protect sensitive
information.

3. Network Security:

Configure firewalls, virtual private clouds (VPCs), and security groups to
control traffic and isolate resources.

4. Compliance and Governance:


Ensure cloud resources comply with industry standards and regulations
(e.g., GDPR, HIPAA).

5. Monitoring and Logging:


Enable auditing, logging, and continuous monitoring to detect suspicious
activities and respond quickly.

6. Secure Configuration:
Follow best practices for securely configuring services to minimize
misconfigurations and vulnerabilities.

7. Backup and Recovery:

Implement reliable backup strategies and disaster recovery plans to protect
against data loss.

8. Security Automation:
Use automated tools to enforce security policies and manage vulnerabilities
efficiently.

These factors help maintain a strong security posture in cloud environments.

Q15-What is vulnerability scanning, and
how does it support application security?
Vulnerability scanning is an automated process that identifies security
weaknesses, misconfigurations, or missing patches in applications, systems, or
networks. It uses tools to scan the target for known vulnerabilities and provides
reports on potential security issues.

How it supports application security:


Early Detection: Finds vulnerabilities before attackers do, allowing teams to
fix issues early.

Continuous Monitoring: Regular scans help maintain security over time as
new vulnerabilities emerge.

Risk Assessment: Helps prioritize which vulnerabilities to address based
on their severity.

Compliance: Supports meeting security standards and regulatory
requirements by proving regular vulnerability checks.

Improved Security Posture: By identifying and fixing weaknesses, it
reduces the risk of attacks on applications.

Supports Remediation: Provides actionable insights so developers and
security teams can patch or mitigate vulnerabilities.

Q 17-How do Identity and Access
Management (IAM) and encryption work
together to improve security in the cloud?
Identity and Access Management (IAM) and encryption work together in
cloud environments to protect data and systems by controlling who can access
what and ensuring that data stays secure, even if accessed improperly.

🔐 How They Work Together:


1. IAM controls access to encrypted data

IAM defines who (users, applications, services) has permission to
access or manage encrypted data.

For example, only a specific role may have permission to decrypt a file
stored in AWS S3 using AWS Key Management Service (KMS).

2. Encryption protects data confidentiality

Encryption ensures that even if data is accessed without proper
permissions, it is unreadable without the correct decryption key.

3. IAM manages access to encryption keys

Cloud platforms use services like AWS KMS, Azure Key Vault, or Google
Cloud KMS to manage encryption keys.

IAM policies determine who can create, use, or rotate keys.

4. Defense-in-depth security

IAM ensures access is granted only to authenticated and authorized
users.

Encryption ensures that even if IAM fails, data remains protected.

5. Compliance and auditing

IAM and encryption together help meet compliance standards like
GDPR, HIPAA, and FedRAMP by controlling access and protecting
sensitive data.

Audit logs track who accessed keys or encrypted resources.

📌 Example:
Let’s say a database in AWS is encrypted using KMS.

IAM controls who can connect to the database and who can use the
encryption key.

Encryption ensures that the stored data is unreadable without that key.

So even if someone tries to access the database without permission, the
encrypted data will be useless to them.
