CCSP Domain 4: Cloud Application Security [updated 2022]

Mosimilolu Odusanya
September 6, 2022 by
Mosimilolu Odusanya

Domain 4 of the CCSP focuses on developing and securing cloud applications; it represents 17% of the certification exam. The CCSP comprises six domains.

Earning the CCSP means you have the knowledge and skills to make cloud applications more secure using best practices, policies and procedures. The CCSP shows you understand the activities, risks, appropriate security controls and storage architectures required to ensure data security in a cloud environment. The “Official ISC2 Guide to the CCSP CBK” is a great way to familiarize yourself with the subdomain topics.

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!


Domain 4 — cloud application security


Each of the seven subdomains covers a specific aspect of managing cloud applications securely and effectively.


4.1 Advocate training and awareness for application security



Cloud development basics


Candidates need to understand the basics of cloud application development, including:

  • Security by design
  • Shared security responsibility
  • Security as a business objective 


Common pitfalls and common cloud vulnerabilities


Candidates need to understand common pitfalls and vulnerabilities (e.g., Open Web Application Security Project (OWASP) Top-10, SANS Top-25) when migrating to or developing applications in the cloud. Such pitfalls include:

  • Lack of guidelines and documentation
  • Integration complexities
  • Multi-tenancy challenges
  • Third-party administrator challenges

Note: The 12th annual ISC2 Security Congress on October 10, 2022, features a lecture on “Top Public Cloud Security Fails and How to Avoid Them.” On October 12, 2022, another panel speaker will discuss “Emerging Threats Against Cloud Application Identities (And What You Should Do About It).”


4.2 Describe the secure software development life cycle (SSDLC) process


Candidates need to understand the phases under the SSDLC, which include security-focused steps that allow security by design.


Business requirements


Be aware of the business needs of the application.


Phases and methodologies


The following phases are common across the various models of SDLCs, such as Waterfall, Agile, Development and Operations (DevOps):

  1. Planning
  2. Requirement analysis
  3. Design
  4. Development
  5. Testing
  6. Deployment
  7. Operations and maintenance


4.3 Apply the secure software development life cycle (SSDLC)


Candidates need to understand cloud-specific risks and the use of threat modeling to assess the impact of those risks.


Avoid common vulnerabilities during development


Candidates should know the vulnerabilities to address when developing for the cloud.

The latest OWASP Top 10 identifies critical web application security risks, including:

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery


Cloud-specific risks


Candidates need to recognize the numerous security challenges and threats that the cloud has brought forth, from limited visibility into cloud usage to data breaches, account hijacking, malware, lack of cloud security architecture and strategy and misconfigurations.

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!


Secure coding


Candidates must know best practices for securing applications in the cloud and ways to ensure software quality through validation and verification activities.

  • Application Security Verification Standard (ASVS)
  • Software Assurance Forum for Excellence in Code (SAFECode)
  • Open Web Application Security Project (OWASP)


Threat modeling


Candidates need to know how threat models work in identifying potential threats to applications and countermeasures that can be implemented. Four commonly used threat models are STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege), PASTA (process for attack simulation and threat analysis), DREAD (disaster, reproducibility, exploitability, affected users and discoverability) and ATASM (architecture, threats, attack surfaces and mitigations.


Software configuration management (SCM) and versioning


Candidates need to understand the importance of SCM and versioning in managing software assets, configuration management (including change management), and configuration management databases (CMDB) tools such as Chef, Puppet and Ansible.


4.4 Apply cloud software assurance and validation


Candidates need to understand the importance of testing and auditing in developing secure applications and various application security testing methodologies.


Functional and non-functional testing


Candidates need to understand the difference between functional and non-functional testing.

  • Functional testing ensures that the functions and features of the application work correctly.
  • Non-functional testing only looks at the performance or usability of these functions.


Security testing methodologies


Candidates need to understand the various software testing methodologies, such as black-box testing, white-box testing, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST).


Quality assurance and abuse case testing


Both are essential for security testing of new applications.


4.5 Use verified secure software


Candidates must understand the significant components of secure software a security-conscious organization uses. These components include:

  • Approved APIs
  • Supply chain management
  • Third-party software management
  • Validated open-source software


4.6 Comprehend the specifics of cloud application architecture


Candidates need to understand the various security components and technologies required in a cloud application architecture.


Supplemental security components


Candidates need to understand how security components such as web application firewall (WAF), database activity monitoring (DAM), Extensible Markup Language (XML) firewalls, and application programming interface (API) gateway work in a cloud environment.




Candidates need to understand data encryption at rest and in motion in the cloud, using technologies/protocols such as transport layer security (TLS), a virtual private network (VPN) and the management of encryption keys in the cloud by the cloud service provider (CSP) and the cloud consumer.


Sandboxing, application virtualization and orchestration


Candidates need to understand how sandboxing, application virtualization and application orchestration (e.g., microservices, containers) work in a cloud environment. Popular cloud orchestration tools include AWS Cloud Formation, Terraform, Azure Automation, etc.


4.7 Design appropriate identity and access management (IAM) solutions


Candidates need to understand identification, authentication and authorization in the cloud and the components and protocols that make up an IAM solution.


Federated identity and single sign-on


Candidates need to understand federated identity (e.g., Security Assertion Markup Language (SAML), Open Authorization (OAuth), etc.) and single sign-on, the benefits of those protocols and how they work.


Identity providers (IdP)


Candidates need to understand how identity providers such as Azure Active Directory, AWS IAM, Google Cloud Identity, Okta Identity Management, etc., interface with cloud applications.


Single sign-on (SSO) and multifactor authentication (MFA)


Candidates need to understand the concepts of SSO and its ability to let users access all needed applications by authenticating themselves only once and MFA with its need for various authentication factors (i.e., something you know, something you have and something you are).


Cloud access security broker (CASB)


Candidates need to understand how a CASB works to mitigate high-risk security events and manage user activities in the cloud.


Secrets management


Candidates need to be familiar with solutions that can help improve the IAM methods to control access to cloud assets.

Earn your CCSP, guaranteed!

Earn your CCSP, guaranteed!

Save your spot for an upcoming CCSP Boot Camp and earn one of the most in-demand cloud security certifications — guaranteed!


How to prepare for the CCSP exam


Studying suitable material is recommended by ISC2 to take the CCSP exam. The official preparation material includes:

  • Official ISC2 CCSP Study Guide, 2nd Edition
  • Official ISC2 CCSP CBK Reference, 3rd Edition
  • Official ISC2 CCSP Practice Tests, 2nd Edition
  • Official ISC2 CCSP Flash Cards 
  • Official ISC2 CCSP Study App

Need training? Design a learning path that fits your needs to prepare for the CCSP certification. Start validating your cloud security knowledge by reviewing all the key elements found in the fourth domain of the CCSP common body of knowledge (CBK) — Cloud Application Security.

For more on the CCSP certification, check out our CCSP certification hub.




Mosimilolu Odusanya
Mosimilolu Odusanya

Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.