2.3 Application dev, deployment and automation Flashcards
Secure deployment: what is sandboxing?
It refers to an isolated testing environment that devs can use to test different aspects of the application (code testing), with no connection to the production system.
Secure deployment: how to build an application securely ?
- Development: secure environment, devs can test in their sandbox
- Test: devs check whether all of the pieces still work once put together
Secure deployment: once the application is built by the devs, why does the QA team need to verify it?
The Quality Assurance team needs to verify that the features work as expected and validate the new functionality.
Once that is done, they put it in a staging environment which simulates a production environment using production data. This is done to test the performance, usability and features of the app.
Secure deployment: what is a secure baseline?
It defines:
- the security of an application environment: firewall settings, patch levels, OS file versions
- perform an integrity check once the application is in production (check the environment and ensure it complies with the security baseline)
Provisioning & deprovisioning: what is provisioning ?
The process of making something available (deployment).
Provisioning & deprovisioning: what can be provisioned?
- Application: web server, database server, middleware server, workstation, certificates …
- Application software security: OS, app
- Network security: secure VLAN for the deployed app, internal/external access
- Software deployed to workstations: check executables for malicious code
Provisioning & deprovisioning: what is scalability ?
The ability to increase the workload in a given infrastructure. Ex: build an app instance that can handle 100k transactions/second
Provisioning & deprovisioning: what is elasticity ?
The ability to increase or decrease available resources as the workload changes. Ex: deploy multiple app instances to handle 500k transactions/second
Provisioning & deprovisioning: what is orchestration?
The automated process for provisioning and deprovisioning applications in cloud computing.
Provisioning & deprovisioning: what is deprovisioning?
The process of removing an application instance. This should be done in a secure way and firewall policies must also be reverted.
Secure coding techniques: what are stored procedures?
They are a way to make an application more secure by limiting the client's interaction with the application. Ex: impossible to run certain SQL queries against the DB
Secure coding techniques: what is obfuscation/camouflage?
It is a way to make an application more secure by making something normally understandable very difficult to understand. Ex: take perfectly readable code and turn it into nonsense.
It helps prevent the search for vulnerabilities.
Secure coding techniques: what is code reuse ?
The use of old code to build new applications (copy/paste). However, if the code has security vulnerabilities, reusing the code spreads them to other applications.
Secure coding techniques: what is dead code?
Code that is put in the application but whose results aren't used anywhere within the app.
Secure coding techniques: what is input validation ?
Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.
Secure coding techniques: what are the validation points in input validation ?
The dev can choose to validate the input in different locations:
- Server-side validation: all checks (data, code) occur on the server. It prevents the user from making changes to the data before it is sent to the server.
- Client-side validation: the end-user's app validates the input on the client machine and decides if it's appropriate to send to the server.
Both can be used, but the most important is server-side.
Secure coding techniques: what is the memory management in input validation ?
Devs must be mindful of how memory is used (ex: where the variables are stored, whether the information is available to the app) to prevent malicious attempts to circumvent the code (ex: a buffer overflow).
Secure coding techniques: what are third-party libraries and Software Development Kits (SDK) ?
It is code that has already been written by someone else. This represents a security risk because we don't know how secure the library might be, so extensive testing is required.
Secure coding techniques: what are sensitive data and sensitive data exposure?
Sensitive data can be card numbers, social security numbers, medical info, address details, etc.
Sensitive data exposure occurs when sensitive data is exposed, or when a security incident leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, sensitive data.
It is important that data / network are encrypted
Secure coding techniques: what is version control ?
The process of tracking the code changes. It is useful in security to compare or identify the important modifications
Software diversity: what is software diversity ?
Each compiled application is a little bit different (but the functionality is the same). So an attack against different binaries would only be successful on a fraction of users.
Automation and scripting: what is continuous integration ?
When the app devs may constantly be updating an application and perhaps merging it into a central repository multiple times a day. So basic security checks should be in place and code should be validated in accordance with the security baseline.
Automation and scripting: what is continuous delivery/deployment ?
- Delivery: Automation of the testing and release process of an application (click a button and deploy the app).
- Deployment: Even more automation, with automatic deployment to production (no human integration or manual checks)