2.3 Application Development, Deployment, & Automation

Question 1

the process of designing, building, and implementing software applications. It can be done by massive organizations with large teams working on projects, or by a single freelance developer.
• Your programming team has been working on a new application
– How will you deploy it safely and reliably?
• Patch Tuesday
– Test and deploy Wednesday? Thursday? Friday?
• Manage the process
– Safely move from a non-production phase to full production

Answer 1

Development

Question 2

an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run. Software developers use [this] to test new programming code. Cybersecurity professionals use [this] to test potentially malicious software.
• Isolated testing environment
– No connection to the real world or production system
– A technological safe space
• Use during the development process
– Try some code, break some code, nobody gets hurt
• Incremental development
– Helps build the application

Answer 2

Sandboxing

Question 3

the process that converts files and other assets under the developers' responsibility into a software product in its final or consumable form. [This] may include: compiling source files. packaging compiled files into compressed formats (such as jar, zip)
• Development
– Secure environment
– Writing code
– Developers test in their sandboxes
• Test
– Still in the development stage
– All of the pieces are put together
– Does it all work?
– Functional tests

Answer 3

Building the application

Question 4

the process for determining whether or not a product fulfills the requirements or specifications established for it. [this] is the assessment of a planned or delivered system to meet the sponsor's operational need in the most realistic environment achievable.
• Quality Assurance (QA)*
– Verifies features are working as expected
– Validates new functionality
– Verifies old errors don’t reappear
• Staging*
– Almost ready to roll it out
– Works and feels exactly like the production
environment
– Working with a copy of production data
– Run performance tests
– Test usability and features

Answer 4

Verifying the application

Question 5

the final environment in your software development process. It is the work that is ready to be publicly available, and only the most thoroughly tested code should end up here. 
• Production
– Application is live
– Rolled out to the user community
• A challenging step
– Impacts the users
• Logistical challenges
– New servers
– New software
– Restart or interrupt of service

Answer 5

Using the application

Question 6

the process of setting up the common, minimum requirements of an enterprise. This could be for a group of computers or all the computers in the network. When a new computer is added to the domain, the common minimum requirements are installed and applied automatically.
• The security of an application environment should
be well defined
– All application instances must follow this baseline
– Firewall settings, patch levels, OS file versions
– May require constant updates
• Integrity measurements* check for the secure baseline
– These should be performed often
– Check against well-documented baselines
– Failure requires an immediate correction

Answer 6

Secure baselines

Question 7

automatically creating user identities and roles for applications for access
• Deploy an application
– Web server, database server, middleware server, user
workstation configurations, certificate updates, etc.
• Application software security
– Operating system, application
• Network security
– Secure VLAN, internal access, external access
• Software deployed to workstations
– Check executables for malicious code, verify security
posture of the workstation

Answer 7

Provisioning

Question 8

[This(a)] is the ability of the system to accommodate larger loads just by adding resources either making hardware stronger (scale up) or adding additional nodes (scale out). [this(b)] is the ability to fit the resources needed to cope with loads dynamically usually in relation to scale out.
• Handle application workload
– Adapt to dynamic changes
• [This(a)]
– The ability to increase the workload in a
given infrastructure
– Build an application instance that can handle
– 100,000 transactions per second
• [this(b)]
– Increase or decrease available resources as the
workload changes
– Deploy multiple application instances to handle
– 500,000 transactions per second

Answer 8

Scalability and elasticity

Question 9

the automated configuration, management, and coordination of computer systems, applications, and services.
• Automation is the key to cloud computing
– Services appear and disappear automatically,
or at the push of a button
• Entire application instances can be instantly provisioned
– All servers, networks, switches, firewalls, and policies
• Instances can move around the world as needed
– Follow the sun
• The security policies should be part of the [this]
– As applications are provisioned, the proper security is
automatically included

Answer 9

Orchestration

Question 10

the process of removing user access to software and network services.
• Dismantling and removing an application instance
– All good things
• Security [this] is important
– Don’t leave open holes, don’t close important ones
• Firewall policies must be reverted
– If the application is gone, so is the access
• What happens to the data?
– Don’t leave information out there

Answer 10

Deprovisioning

Question 11

a set of practices that applies security considerations to how software will be coded and encrypted to best defend against cyber attack or vulnerabilities.
• A balance between time and quality
– Programming with security in mind is often secondary
• Testing, testing, testing
– The Quality Assurance (QA) process
• Vulnerabilities will eventually be found
– And exploited

Answer 11

Secure coding concepts

Question 12

• SQL databases
– Client sends detailed requests for data
– ‘SELECT * FROM wp_options WHERE option_id = 1’
• Client requests can be complex
– And sometimes modified by the user
– This would not be good
• [this] limit the client interactions
– ‘CALL get_options’
– That’s it. No modifications to the query are possible.
• To be really secure, use only stored procedures
– The application doesn’t use any SQL queries

Answer 12

Stored procedures

Question 13

part of secure coding techniques
an umbrella term for a variety of processes that transform data into another form in order to protect sensitive information or personal data.
• [this]
– Make something normally understandable very
difficult to understand
• Take perfectly readable code and turn it into nonsense
– The developer keeps the readable code and gives you
the chicken scratch
– Both sets of code perform exactly the same way
• Helps prevent the search for security holes
– Makes it more difficult to figure out
what’s happening - But not impossible

Answer 13

Obfuscation/camouflage

Question 14

[this(a)] the practice of using existing code for a new function or software. But in order to reuse code, that code needs to be high-quality. And that means it should be safe, secure, and reliable.
[this(b)] a section in the source code of a program which is executed but whose result is never used in any other computation. The execution of dead code wastes computation time and memory.
• [this(a)]
– Use old code to build new applications
– Copy and paste
• If the old code has security vulnerabilities, reusing
the code spreads it to other applications
– You’re making this much more difficult for everyone
• [this(b)]
– Calculations are made, code is executed,
results are tallied
– The results aren’t used anywhere else in the
application
• All code is an opportunity for a security problem
– Make sure your code is as alive as possible

Answer 14

Code reuse/dead code

Question 15

this is the proper testing of any input supplied by a user or application. Input validation prevents improperly formed data from entering an information system.
• What is the expected input?
– Validate actual vs. expected
• Document all input methods
– Forms, fields, type
• Check and correct all input (normalization*)
– A zip code should be only X characters long with a
letter in the X column
– Fix any data with improper input
• The fuzzers will find what you missed
– Don’t give them an opening

Answer 15

Input validation

Question 16

you design an environment, test whether it works as intended, and record the results of the test.
• Server-side [this]
– All checks occur on the server
– Helps protect against malicious users
– Attackers may not even be using your interface
• Client-side [this]
– The end-user’s app makes the [this] decisions
– Can filter legitimate input from genuine users
– May provide additional speed to the user
• Use both - But especially server-side [this]

Answer 16

Validation points

Question 17

keeps track of the status of each memory location, either allocated or free. It determines how memory is allocated among competing processes, deciding which gets memory, when they receive it, and how much they are allowed.
• As a developer, you must be mindful of how memory is used
– Many opportunities to build vulnerable code
• Never trust data input
– Malicious users can attempt to circumvent your code
• Buffer overflows are a huge security risk
– Make sure your data matches your buffer sizes
• Some built-in functions are insecure
– Use best practices when designing your code

Answer 17

Memory management

Question 18

provide developers with the unique opportunity to integrate pre-tested, reusable software that saves development time and cost. This allows the developer to focus on the core features of the game that matter to players.
The SDK brings together a group of tools that enable the programming of mobile applications. This set of tools can be divided into 3 categories: SDKs for programming or operating system environments
• Your programming language does everything - Almost
• [Thisx2]
– Extend the functionality of a programming language
• Security risk
– Application code written by someone else
– Might be secure. Might not be secure.
– Extensive testing is required
• Balancing act - Application features vs. unknown code base

Answer 18

Third-party libraries and SDKs (Software Development Kit)

Question 19

when data is left exposed in a database or server for anyone to see. Sensitive data can be exposed when configuration details for systems and applications are left unsecured online.
• So much sensitive data
– Credit card numbers, social security numbers, medical
information, address details, email information
• How is the application handling the data?
– No encryption when stored
– No encryption across the network
– Displaying information on the screen
• All input and output processes are important
– Check them all for data exposure

Answer 19

Data exposure

Question 20

he practice of tracking and managing changes to software code. [this] systems are software tools that help software teams manage changes to source code over time.
• Create a file, make a change, make another change,
and another change
– Track those changes, revert back to a previous version
• Commonly used in software development
– But also in operating systems, wiki software, and
cloud-based file storage
• Useful for security
– Compare versions over time
– Identify modifications to important files
– A security challenge
– Historical information can be a security risk

Answer 20

Version control

Question 21

to use something to one’s own advantage - is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
• Attackers often [this] application vulnerabilities
– They find the unlocked door and open it
• Once you [this] one binary, you can [this] them all
– The application works the same on all systems
– A Windows 10 [this] affects all Windows 10 users
• What if all of the computers were running different
software?
– Unique binaries
– Functionally identical

Answer 21

Exploiting an application

Question 22

explores different forms of program transformations that slightly vary the behavior of programs. The goal is to evolve one program into a population of diverse programs that all provide similar services to users, but with a different code.
• Alternative compiler* paths would result in a different
binary* each time
– Each compiled application would be a little bit
different
– But functionally the same
• An attack against different binaries* would only be
successful on a fraction of the users
– An attacker wouldn’t know what exploit to use
– Make the game much harder to win

Answer 22

Software diversity

Question 23

the process of using automation software to leverage existing scripts to deliver automation in a managed framework without having to do custom script development and maintenance going forward.
• Plan for change
– Implement automatically
• Automated courses of action*
– Many problems can be predicted
– Have a set of automated responses
• Continuous monitoring*
– Check for a particular event, and then react
• Configuration validation*
– Cloud-based technologies allow for
constant change
– Automatically validate a configuration
before going live
– Perform ongoing automated checks

Answer 23

Automation and scripting

Question 24

the practice of automating the integration of code changes from multiple contributors into a single software project. It’s a primary DevOps best practice, allowing developers to frequently merge code changes into a central repository where builds and tests then run.
• Code is constantly written
– And merged into the central repository many times a day
• So many chances for security problems
– Security should be a concern from the beginning
• Basic set of security checks during development
– Documented security baselines as the bare minimum
• Large-scale security analysis during the testing phase
– Significant problems will have already been covered

Answer 24

Continuous integration (CI)

Question 25

a software engineering practice in which teams develop, build, test, and release software in short cycles. It depends on automation at every stage so that cycles can be both quick and reliable.
• Continuous delivery*
– Automate the testing process
– Automate the release process
– Click a button and deploy the application
• Continuous deployment*
– Even more automation
– Automatically deploy to production
– No human integration or manual checks

Answer 25

Continuous delivery/deployment (CD)

Question 26

a nonprofit foundation dedicated to improving software security. Host the top 10 - a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

Answer 26

The Open Web Application Security Project (OWASP)