Domain 4 of 6

Cloud Application Security

Domain · 17% of the CCSP exam

Build security in across the life cycle; never bolt it on at the end

A SQL-injection flaw caught in code review costs a developer a few minutes; the same flaw caught in production after a breach costs an incident response, a breach disclosure, and a fine. That single economic fact is the spine of CCSP domain 4: secure software is built in, not tested in, so every control here attaches to an earlier point in the software development life cycle (SDLC) than the one before it. The mental model is shift-left, the practice of moving each security activity as early in the life cycle as it can be done. It carries one canonical trap the exam returns to repeatedly: when a question describes finding a defect late (a penetration test, a production incident) and asks for the better approach, the answer is almost never a bigger gate at the end; it is the activity one phase earlier, the requirement, the threat model, or the code-review check that would have stopped the defect from ever shipping.

The domain unfolds in seven steps, from knowing the risk to deciding who may act on the data

The subtopics walk the life cycle in order, so read them as one continuous thread. AppSec Training & Awareness opens by naming the recurring weaknesses (hardcoded secrets, insecure defaults, over-permissive identity and access management (IAM), unvalidated input, unpatched dependencies) and why moving to the cloud sharpens each one; reach for it to recognize the pitfall in a question stem. Secure SDLC Process is the framework: a phased life cycle (requirements, design, development, testing, deployment, operations) with one security activity bound to each phase. Applying the Secure SDLC is that framework in practice, where threat modeling (STRIDE, DREAD, PASTA, ATASM) and verifiable coding standards (OWASP ASVS) turn the catalog into checkable requirements. Software Assurance & Validation tests the result, choosing the technique by what it can see (SAST, DAST, IAST, SCA). Verified Secure Software extends that trust to the code you did not write, the third-party APIs, libraries, and open source most of the application is assembled from. Cloud Application Architecture adds the supplemental runtime controls (WAF, XML gateway, API gateway, application-level cryptography, sandboxing) layered on top of secure code. Identity & Access Management Solutions closes the loop by deciding who the verified caller is and what it may do.

When in doubt, prefer prevention over detection and verified components over convenient ones

Across the whole domain the exam rewards a consistent instinct: a control that stops a class of defect beats one that merely finds it after the fact, and a component you have verified beats one you simply trust. That is why secure coding standards outrank a late security test, why a software bill of materials (SBOM) and pinned, scanned dependencies outrank pulling whatever the first search result returned, and why supplemental runtime controls are framed as exactly that, supplemental: a WAF is a mitigating, compensating control that buys time against a known pattern, never a substitute for input validation in the application itself. When two answers both technically work, choose the one that is earlier, preventive, and verifiable.

Where each life-cycle concern lives in domain 4

Life-cycle stageCore question it answersDrill into
Know the riskWhich weaknesses recur, and why does cloud sharpen them?AppSec Training & Awareness
Frame the processWhich security activity attaches to each SDLC phase?Secure SDLC Process
Apply itHow do threat modeling and standards turn risk into requirements?Applying the Secure SDLC
Test the resultWhich testing technique sees which class of flaw?Software Assurance & Validation
Trust what you didn't writeHow do you verify APIs, libraries, and open source before relying on them?Verified Secure Software
Add runtime controlsWhich supplemental control protects which layer at run time?Cloud Application Architecture
Decide who may actHow is the caller authenticated, and what is it authorized to do?Identity & Access Management Solutions

Subtopics in this domain