Cloud Security Alliance Updated CCSK Exam Questions and Answers by baxter

The most effective way to identify security vulnerabilities in an application is to conduct automated and manual security testing throughout the development lifecycle. This approach ensures that security is continuously evaluated at every stage of development, rather than waiting until the end. Automated tools can help identify common vulnerabilities quickly, while manual testing allows for more in-depth analysis, including testing for complex, contextual security issues. This proactive and ongoing approach reduces the risk of vulnerabilities being overlooked and helps ensure that security is integrated into the application from the start.

Performing code reviews just prior to release is valuable, but it’s not comprehensive enough. Security testing should be done early and continuously, not just before release. Relying solely on secure coding practices is important but not sufficient. Even with secure coding practices, testing is essential to identify vulnerabilities. Waiting for a single penetration test after development is not effective because waiting until the end can allow many vulnerabilities to go unnoticed during development, leaving the application exposed.

The preparation phase in incident response planning involves activities that set the foundation for a successful response to potential security incidents. These activities typically include:

Establishing a response process: Defining clear procedures for how incidents will be detected, analyzed, and mitigated.

Training: Ensuring that all relevant personnel are trained on their roles and responsibilities during an incident.

Communication plans: Creating communication protocols to ensure that all stakeholders are informed during an incident.

Infrastructure evaluations: Assessing the existing security infrastructure to ensure it is capable of supporting incident response efforts.

Implementing encryption and access controls is important for security but is not specifically part of the preparation phase for incident response. Creating incident reports and post-incident reviews is typically part of the post-incident phase, after the response is completed. Developing malware analysis procedures and penetration testing is more related to ongoing security operations and testing rather than the preparation phase of incident response.

InInfrastructure as a Service (IaaS), the customer has themost control and security responsibilitybecause:

The provider only secures physical infrastructure (data centers, networking, hardware).

Customers must configure and manage firewalls, network security, operating system patches, and IAM.

Data security, encryption, and application security are entirely the customer's responsibility.

In contrast:

PaaS (Platform as a Service)places some security responsibility on the provider (e.g., runtime environments, managed databases).

SaaS (Software as a Service)places most security responsibility on the provider, with customers mainly managingidentity and access controls.

This is extensively discussed in:

CCSK v5 - Security Guidance v4.0, Domain 1 (Cloud Computing Concepts and Architectures)

Cloud Controls Matrix (CCM) - Infrastructure and Application Security Controls​.