Architecture Vulnerabilities
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- The architecture-vulnerability model
- Shared-substrate: virtualization, containers, cloud
- Data, OT, and constrained-device architectures
- Decentralized architectures: distributed, microservices, serverless, edge, HPC
- Exam-pattern recognition
Signature vulnerability and primary mitigation by architecture type
| Architecture type | Signature vulnerability | Primary mitigation |
|---|---|---|
| Database systems | Inference and aggregation; SQL injection | Polyinstantiation, query restriction/views, parameterized queries |
| Cryptographic systems | Weak key management, hardcoded/poorly stored keys, deprecated algorithms | HSM-backed key storage, key rotation, retire weak algorithms |
| Virtualized systems | VM escape; hypervisor compromise; VM sprawl | Harden/patch hypervisor, isolate high-value VMs, control sprawl |
| Cloud (SaaS/PaaS/IaaS) | Misconfigured customer-owned layer; shared-responsibility confusion | Apply correct service-model split; secure data, identity, config |
| ICS / SCADA | Legacy unauthenticated protocols; cannot patch or actively scan | Zone/conduit segmentation, passive monitoring, secure the EWS |
| IoT / embedded | Default credentials, no patch path, long lifespan | Change defaults, segment, plan for end-of-support |
| Containers | Shared host kernel; insecure images; weak isolation | Minimal trusted images, scan registry, restrict kernel capabilities |
| Microservices / serverless | Large API surface; over-trusted internal calls; over-broad function permissions | AuthN/AuthZ every call, API gateway/mTLS, least-privilege function roles |
| Distributed / edge / HPC | No single perimeter; physically exposed nodes | Zero-trust between components; protect exposed edge nodes |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- NIST SP 800-125: Guide to Security for Full Virtualization Technologies Whitepaper
- NIST SP 800-190: Application Container Security Guide Whitepaper
- AWS Overview: Security and Compliance (Shared Responsibility Model)
- NIST SP 800-145: The NIST Definition of Cloud Computing Whitepaper
- NIST CSRC Glossary: Inference
- NIST CSRC Glossary: Aggregation
- NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security Whitepaper