Exam CCSK topic 1 question 71 discussion

Changing threat models. The cloud provider relationship and the shared security model will need to be included in the threat model, as well as in any operational and incident response plans. Threat models also need to adapt to reflect the technical differences of the cloud provider or platform in use

CSA CCSK Security Guidance pg. 112 Design: During the application design process, especially when PaaS is involved, the focus for security in cloud is on architecture, the cloud provider’s baseline capabilities, cloud provider features, and automating and managing security for deployment and operations. We find that there are often significant security benefits to integrating security into the application architecture since there are opportunities to leverage the provider’s own security capabilities. For example, inserting a serverless load balancer or message queue could completely block certain network attack paths. This is also where you perform threat modeling, which must also be cloud and provider/platform specific. If threat modeling must be cloud and provider/platform specific, it stands to reason that the threat and trust models must be modified in the event you switch CSPs or move from one platform to another.

I don't see how using cloud infra makes any difference for the importance of use of IDEs

To address application security in a Cloud Computing environment, the SDLC (Software Development Life Cycle) should be modified by: E. Both B and C Updated threat and trust models: Cloud Computing introduces new security considerations and risks compared to traditional environments. It is important to update threat models and trust models to account for the unique characteristics of the Cloud, such as shared responsibility models, multi-tenancy, and potential vulnerabilities associated with virtualization and cloud infrastructure. No modification is needed: While some aspects of the SDLC may remain the same, it is crucial to recognize that Cloud Computing environments introduce new considerations and requirements. Therefore, modifications to the SDLC are necessary to address these specific challenges and ensure application security in the Cloud. By combining the updated threat and trust models with the recognition that modifications are necessary, organizations can effectively address application security within the context of Cloud Computing.

The given answer is correct.

Modification of the SDLC to use an IDE will have very little impact on application security. Although no option is very strong here B is the answer for me, use of threat and trust models.