Application Security and Authentication / Authorization Protocols
REST vs SOAP
| REST (Representational State Transfer) | SOAP (Simple Object Access Protocol) |
|---|---|
| Uses plain HTTP | Wraps the message in a SOAP envelope, then transfers it over HTTP, FTP or SMTP |
| Encrypts at the transport level with SSL/TLS (HTTPS) | Message-level cryptography (signing and encrypting parts of the envelope, e.g. via WS-Security) |
| Good performance and scaling, can use caching | Slower performance, scaling is complex, caching is not possible |
| Widely used | Used where REST is not possible; provides the WS-* features (Web Service standards: WS-Addressing, WS-Policy, WS-Security, WS-Federation, etc.) |
Secure Operations Phase
- Puppet — configuration management system: you declare the desired state of the IT infrastructure and Puppet then enforces that state
- Chef — automates how you build, deploy, and manage infrastructure. The Chef server stores "recipes"; a Chef client installed on each node periodically polls the server for the latest policy.
- Ansible — software provisioning, application deployment, and configuration management
Federated identity management
The pre-Contents opening of their Wikipedia pages seems to contain most of what you need to know.
- SAML (Security Assertion Markup Language) — the most commonly used federation standard. XML-based framework for communicating user authentication, authorization, and attributes. Authentication tokens are digitally signed XML, transported over TLS.
- WS-Federation — federation within the broader WS-Security / WS-* framework.
- OpenID Connect — built on OAuth; offers a lower level of security.
- OAuth — widely used for web and mobile access. Users can grant websites or applications access to their information held on other websites, without giving them their passwords.
Also included in the exam question pool, but with less emphasis:
- Shibboleth — heavily used in education settings, based on SAML, open & free
- XACML — eXtensible Access Control Markup Language. It's an Attribute-Based Access Control system. Attributes associated with a user or action or resource are inputs to the access-control decision.
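The XACML decision model just described (subject, action, resource and environment attributes feeding a policy decision point, with rules combined by an algorithm such as deny-overrides), as an added Python illustration; this is not code from any XACML implementation or from these notes, and the medical-records policy, its attribute names and the hour-of-day rule are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Request attributes grouped by XACML category (subject, action, resource, environment).
Attrs = Dict[str, Dict[str, str]]

@dataclass
class Rule:
    description: str
    condition: Callable[[Attrs], bool]  # predicate over the request attributes
    effect: str                         # "Permit" or "Deny"

def evaluate(rules: List[Rule], request: Attrs, combining: str = "deny-overrides") -> str:
    """Policy Decision Point: combine matching rules into one decision."""
    effects, indeterminate = [], False
    for rule in rules:
        try:
            if rule.condition(request):
                effects.append(rule.effect)
        except KeyError:
            indeterminate = True  # a rule referenced an attribute the request lacks
    if combining == "deny-overrides":
        if "Deny" in effects:
            return "Deny"
    elif "Permit" in effects:       # permit-overrides
        return "Permit"
    if indeterminate:
        return "Indeterminate"      # could not evaluate a rule: fail closed
    if not effects:
        return "NotApplicable"      # no rule matched: also fail closed
    return "Permit" if "Permit" in effects else "Deny"

def enforce(rules: List[Rule], request: Attrs) -> bool:
    """Policy Enforcement Point: only an explicit Permit grants access."""
    return evaluate(rules, request) == "Permit"

# Constructed sample policy (hypothetical, for illustration only).
RECORDS_POLICY = [
    Rule("clinicians may read records of their own department",
         lambda r: r["subject"]["role"] == "clinician"
         and r["action"]["id"] == "read"
         and r["subject"]["department"] == r["resource"]["department"],
         "Permit"),
    Rule("confidential records are not readable outside 09:00-17:00",
         lambda r: r["resource"]["confidential"] == "true"
         and not 9 <= int(r["environment"]["hour"]) < 17,
         "Deny"),
]
```

Note that a request missing an attribute a rule needs yields Indeterminate rather than a silent Permit, so the enforcement point denies by default.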
Application virtualization — useful for sandboxing
- Microsoft App-V