Academy Central
----
Weather

CCSP LearnZApp Practice Test 2 弱點分析與補強講義

題源:ISC2 LearnZApp / Practice Test 2
題數:125
分數:77%
產出日期:2026-06-01
分析基準:本次 zapp_6.zip 內的 Practice Test 2 結果頁與錯題 review screenshots。
注意:壓縮檔內含 32 張截圖,其中 28 張為 2026-06-01 Practice Test 2 錯題 review,另有 4 張 2026-05-30 截圖看起來屬於前次 D3 drill;本講義的進步判斷與主要弱點以 Practice Test 2 為主。


1. Executive Summary

Practice Test 2 是明確進步。

指標Practice Test 1Practice Test 2變化
題數129125-4
答對8597+12
答錯4428-16
分數65%77%+12 points
平均作答時間28s / 題41s / 題放慢且更準
Readiness42% → 46%47% → 52%持續上升

結論:

Practice Test 2 已從「補弱期」進入「模擬考穩定化期」。D1、D2、D3、D5、D6 均達約 78% 以上,主要短板轉移到 D4 Application Security 與部分跨域名詞/定義題。


2. Practice Test 2 Domain-wise Performance

DomainCorrect / TotalScore判斷
D1 Cloud Concepts, Architecture and Design26 / 3379%接近穩定
D2 Cloud Data Security14 / 1878%回到可接受區
D3 Cloud Platform & Infrastructure Security12 / 1580%明顯修起來
D4 Cloud Application Security22 / 3171%本次相對弱點
D5 Cloud Security Operations11 / 1479%穩定
D6 Legal, Risk and Compliance12 / 1486%明顯改善

3. 是否有進步?

3.1 Overall Progress

Practice Test 1 到 Practice Test 2:

65% → 77%

這是實質進步,不是隨機波動。原因:

  1. 題數相近,兩次都是 full practice test。
  2. 錯題數從 44 題降到 28 題。
  3. 平均作答時間從 28 秒提高到 41 秒,表示讀題品質提升。
  4. 多個過去弱 domain 在 PT2 進入 78%+ 區間。

3.2 Domain Progress

Domain前期狀態Practice Test 2判斷
D1之前 custom test 約 56–69% 波動79%改善明顯
D2曾在 D2 drill 掉到 56%78%全局題中回穩
D3PT1 54%,D3 drill 64% / 68%80%patch 有效
D4之前表現通常不差71%新短板
D5PT1 60%79%改善
D6曾在 custom test 掉到 23%86%大幅改善

結論:

D3 / D6 補強已經轉化成 full mock 分數;D4 變成新的優先補強區。


4. 本次錯題主題總覽

本次 28 題錯題可分為以下類型:

Category代表錯題Domain
Cloud architecture / service modelType 1 hypervisor, hybrid cloud, SaaSD1 / D3
IT governance / standardsITIL, FedRAMP, NIST 800-53, Common CriteriaD6 / D5
Application securityDAST/SAST, OWASP, API Gateway OSI layer, secure SDLCD4
Storage / networkingvolume storage, VLAN, SDN control planeD2 / D3
Crypto / data securityPKI, ECC, TDE, anonymization, degaussingD2
Risk / BC-DRqualitative risk, ALE, RPOD3 / D6
Identity / authenticationtwo-factor authentication, enhanced authenticationD5 / D3
Audit / complianceauditability, HIPAAD6

5. P0 Weakness:D4 Cloud Application Security

D4 本次為 71%,是六個 domain 中最低。雖然不是災難分數,但在目前整體 77% 的狀態下,D4 已成為首要提升點。

5.1 錯題模式

1. DAST / SAST / black-box testing

錯題線索:

  • Black-box test
  • Tool must discover individual execution paths
  • 誤把其他掃描/測試類型當成答案

規則:

DAST = black-box / running application / external behavior testing
SAST = white-box / source code / static analysis
IAST = inside running application / instrumentation
RASP = runtime protection inside app

秒殺判斷:

black-box + running app + discover execution paths = DAST
source code / no execution = SAST

2. OWASP framework

錯題線索:

  • Application security best practices catalogued
  • Framework leveraged by organizations
  • Common components / app security guidance

規則:

OWASP = application security best-practice community / catalog
OWASP Top 10 = common web application risks
NIST / ISO = broader standards, not app-specific best-practice catalog

3. API Gateway OSI layer

錯題線索:

  • API gateway operates at which OSI layer
  • 誤選 Session
  • 正解 Application layer

規則:

API gateway = Layer 7 / Application layer
Firewall / router = lower-layer network filtering
Load balancer can vary, but API gateway is L7

4. Secure software development in cloud / side-channel concern

錯題線索:

  • Secure software development for the cloud
  • Shared resources
  • Side-channel attacks

規則:

Shared cloud resources introduce side-channel concerns.
Secure SDLC in cloud must consider co-tenancy, resource isolation, and side-channel leakage.

5.2 D4 Patch Plan

60 分鐘版

時間任務
0–10 minDAST / SAST / IAST / RASP 對照
10–20 minOWASP / secure SDLC / threat modeling
20–30 minAPI Gateway / app-layer security
30–40 minCloud app side-channel / shared resource risk
40–55 minD4 targeted 15–20 題
55–60 min寫 5 條錯題規則

Gate

指標目標
D4 targeted drill75–80%
D4 full mock segment≥75%
錯題類型不再集中於 DAST/SAST/API/OWASP

6. P1 Weakness:D1 / D3 Architecture 與 Cloud Model 題

D1 和 D3 本次分數已經不差,但錯題中仍有幾個基礎概念需要釘死。


6.1 Type 1 Hypervisor

規則:

Type 1 hypervisor = bare-metal hypervisor
Directly runs on hardware
Manages CPU / RAM / storage resources directly

常見混淆:

概念判斷
Type 1runs directly on hardware
Type 2runs on host OS
ContainerOS-level isolation, not hypervisor
VMvirtual machine instance

6.2 Hybrid Cloud

規則:

Hybrid cloud = two or more distinct cloud infrastructures
They remain unique entities
They are bound together by standardized or proprietary technology
They enable data/application portability

不要被以下詞干擾:

  • private + public 出現不一定就足夠
  • multicloud 不一定是 hybrid
  • hybrid 關鍵是 integration / portability / binding technology

6.3 SaaS

錯題線索:

  • application solution running on vendor/cloud provider infrastructure

規則:

SaaS = complete application delivered by provider
PaaS = runtime/platform for customer-developed application
IaaS = infrastructure where customer controls OS/apps/data

6.4 Public cloud governance responsibility

從前次 D3 drill 延續的重點:

Public cloud data center control governance = cloud provider
Regulator sets requirements
Customer defines requirements and evaluates provider
Provider operates provider-owned data center controls

7. P1 Weakness:D2 Data Security / Crypto / Storage

D2 本次達 78%,但錯題仍集中在 classic D2 taxonomy。


7.1 Volume Storage

規則:

Volume storage = virtual disks attached to compute instances
It behaves like a physical drive or array
Block-level storage model

對照:

Storage Type判斷
Volume / block storageattached disk-like storage
Object storagebucket/object/metadata/API
File storageshared filesystem
Raw storagelow-level storage allocation

7.2 PKI

規則:

PKI = framework of policies, procedures, people, software, hardware, and cryptographic mechanisms
Purpose = secure communication and trust using public key cryptography

不要把 PKI 縮小成「只有 encryption algorithm」。


7.3 ECC

規則:

ECC = Elliptic Curve Cryptography
Provides comparable security with smaller keys than traditional public-key crypto

7.4 Transparent Database Encryption

規則:

TDE engine = database / DBMS layer
KMS = manages keys
HSM = hardware-protected key storage / crypto operations

7.5 Anonymization

規則:

Anonymization = permanently removing personal identifiers
Pseudonymization = replacing identifiers but potentially reversible with additional information
Masking = hiding part of data for display/use
Tokenization = replacing value with token, often with vault

7.6 Degaussing

規則:

Degaussing = strong magnetic field used to scramble magnetic media
Works on magnetic disks/tapes
Not suitable for SSD in the same way
Cloud customer usually cannot rely on direct degaussing

8. P1 Weakness:D3 / D5 Networking, BC/DR, Risk Metrics


8.1 VLAN

錯題線索:

  • logical grouping of devices
  • traffic contained
  • high speed

規則:

VLAN = logical segmentation of devices at Layer 2
Contains broadcast domains / traffic segmentation

8.2 SDN Control Plane

規則:

SDN separates control plane and data plane
Control plane defines logical networking independent of physical topology

8.3 RPO

規則:

RPO = maximum tolerable data loss measured in time
RTO = maximum tolerable recovery time
MTD/MTPD = maximum tolerable downtime before severe impact

8.4 ALE

規則:

ALE = Annualized Loss Expectancy
ALE = SLE × ARO
Expected annual loss from a specific risk/scenario

8.5 Qualitative Risk Assessment

規則:

Qualitative risk = categories / ratings / high-medium-low / subjective assessment
Quantitative risk = numbers / currency / probability / ALE

9. P2 Weakness:D6 Legal / Compliance / Standards

D6 本次 86%,是強項,但仍有名詞型錯題,需要避免低級失分。


9.1 FedRAMP

錯題線索:

  • Which entities are required to use FedRAMP-accredited CSPs except?

規則:

FedRAMP = U.S. federal cloud authorization program
Federal agencies/entities use FedRAMP-authorized cloud services
Private companies are not required by FedRAMP by default

9.2 NIST 800-53

規則:

NIST SP 800-53 = Security and Privacy Controls for Information Systems and Organizations

9.3 Auditability

規則:

Auditability = state of readiness for auditing
Not the same as being regulated
Not the same as AICPA SOC report itself

9.4 HIPAA

規則:

HIPAA = U.S. healthcare privacy/security law
Covers electronic healthcare transactions, national identifiers, covered entities, providers, health plans, employers

9.5 Common Criteria

規則:

Common Criteria = ISO/IEC 15408-based framework for IT product security evaluation
CC concepts include TOE, Protection Profile, Security Target, EAL

10. Reading Pattern Weakness

本次錯題仍可看到三種答題陷阱:

10.1 看見熟字就選

例如:

  • SAST / DAST
  • Session / Application layer
  • Hybrid / private cloud
  • PKI / ECC / SSL

修正:

先判斷題目問的是:
definition?
function?
layer?
responsibility?
risk metric?
best answer?

10.2 沒有先分類

建議每題先用 3 秒分類:

This is asking about:
1. cloud model?
2. app security?
3. data protection?
4. facility/infrastructure?
5. risk/compliance?
6. legal/report/standard?

10.3 作答仍偏快

PT2 平均 41 秒,已比 PT1 的 28 秒好很多。
但正式考情境題建議目標:

題型建議時間
定義題30–45s
情境題60–90s
best / primary / except 題75–120s
不確定題標記後前進

11. Next 3-Day Plan

Day 1:D4 Application Security

任務
DAST / SAST / IAST / RASP 對照20 min
API Gateway / Layer 710 min
OWASP / secure SDLC20 min
D4 targeted drill25 題
Gate≥75%

Day 2:D2 + D3 維持

任務
D2 crypto / storage / anonymization25 min
D3 RPO/RTO/ALE/VLAN/SDN25 min
D2/D3 mixed drill30 題
Gate≥75–80%

Day 3:Mixed Weak Review

任務
D4 targeted15 題
D1/D2/D3 mixed20 題
D6 standards refresh10 min
Mixed weak test40 題
Gate≥78%

12. Practice Test 3 Readiness

可以做 PT3 的條件

建議滿足以下條件後做 Practice Test 3:

Gate目標
D4 targeted drill≥75%
D2/D3 mixed drill≥75%
D4 錯題不再集中於 DAST/SAST/API/OWASPYes
平均作答時間45–75s
心態不追速度,追 best answer

如果沒有時間補三天,至少補 D4 一天後再做 PT3。


13. Final Judgment

Practice Test 2 是明確進步:

Practice Test 1: 65%
Practice Test 2: 77%

D3 / D6 的前期補強有效,D2 也在 full mock 中回穩。
目前最大風險已轉移到 D4 application security,以及少數 D1/D2/D3/D6 名詞定義題。

最有效策略:

1. 補 D4
2. 維持 D2/D3
3. 用 mixed weak test 驗證
4. 再進 Practice Test 3

如果 Practice Test 3 能穩在 78–80% 以上,考試準備會進入相對安全區。


CCSP D4 (Cloud Application Security) 衝刺特訓講義 - Day 1

Date: 2026-06-01 Target: 擊破 D4 應用程式安全魔王,目標滿血通關 (PT3 ≥ 78%) Focus: 軟體安全測試、API Gateway vs Firewall、Secure SDLC 威脅建模、OWASP 與雲端旁道攻擊


👾 主題一:軟體測試的「四大神獸」 (SAST, DAST, IAST, RASP)

1. 核心定義與適用時機

  • SAST (靜態應用程式安全測試): * 白箱 (White-box)
    • 程式「未執行」,直接掃描 原始碼 (Source Code)
    • 抓取語法錯誤、Hardcode 密碼、未過濾的變數。
  • DAST (動態應用程式安全測試): * 黑箱 (Black-box)
    • 程式「運行中 (Running)」,從外部狂打 Payload / 模擬攻擊
    • 觀察系統崩潰、錯誤訊息外洩、發現執行路徑 (Execution paths)。
  • IAST (互動式安全測試): * 灰箱 (Gray-box)
    • 程式「運行中」,但在應用程式內部植入探測器 (Instrumentation),能精準定位漏洞對應的程式碼行數。
  • RASP (執行期自我防護): * 部署於正式環境 (Production)。
    • 程式「運行中」,具備自我監控與主動阻擋惡意連線的能力。

💡 考場超強防呆機制:兩步靈魂拷問法

遇到測試分類題,立刻問自己兩個問題:

  1. 「程式跑起來了嗎?」 (未執行 ➡️ SAST;執行中 ➡️ DAST/IAST/RASP)
  2. 「看得到原始碼嗎?」 (看得到 ➡️ SAST/白箱;看不到 ➡️ DAST/黑箱)

🛡️ 主題二:應用程式的「守門員」 (API Gateway vs. Firewall)

1. 階層與能力差異

  • Firewall (防火牆): * 運作於 OSI Layer 3/4 (網路層/傳輸層)
    • 只能看懂 IP 位址與 Port 號。負責大範圍的 IP 網段阻擋 (Block IP ranges)。
  • API Gateway / WAF: * 運作於 OSI Layer 7 (應用層)
    • 能看懂 HTTP 協定與 JSON/XML 內容。
    • 專屬技能: 流量限制 (Rate Limiting)、檢查 JWT Token、API 路由解析、防禦應用層攻擊。

2. 業界黃金標準 (Zero Trust 縱深防禦)

  • 邊緣防禦:WAF 攔截 L7 惡意特徵。
  • 基礎網路防禦:Local Firewall 進行 L3/L4 阻擋。
  • 應用服務入口:API Gateway (如 Nginx) 處理路由、負載平衡與 TLS 卸載。
  • 內部微服務防護:Service Mesh 負責東西向流量的加密與動態控制。

🧬 主題三:把安全融入基因 (Secure SDLC & Threat Modeling)

1. 安全左移 (Shift Left)

  • 安全不能留到最後才做。在 CI/CD 與開發流程的最前端,就必須導入安全規範。

2. 威脅建模 (Threat Modeling)

  • 黃金時機: 發生在 「設計階段 (Design Phase)」 (寫第一行程式碼之前)。
  • 核心目的: 對著架構圖分析資料流 (Data Flow),找出系統架構層級的潛在漏洞(如 Spoofing 偽冒、Tampering 竄改)。
  • 考試對照: 只要題目說「對著架構圖分析、提前規劃防禦機制」,答案就是 Threat Modeling;如果是對著程式碼找,那是 SAST。

🏢 主題四:雲端獨有風險與權威指南 (Cloud Risks & OWASP)

1. OWASP Top 10 (武林秘笈)

  • 定位: 業界最權威的 Web 應用程式安全最佳實務指南 (Best practice catalog)
  • 注意: 它是指南與框架,不是一套可以直接拿來掃描的單一工具軟體。

2. 旁道攻擊 (Side-channel Attacks)

  • 發動條件: 雲端公有雲的 「多租戶與共享資源 (Multi-tenancy / Co-tenancy / Shared resources)」 環境。
  • 攻擊手法: 駭客在同一個實體主機的另一個 VM 中,透過監控 CPU 快取 (Cache) 延遲、耗電量等「物理側信道」,反推並竊取其他租戶的加密金鑰。
  • 防禦關鍵: 強制實體硬體隔離 (Dedicated Hosts / HSM)。