2.3 - Secure Application Development Flashcards
Define Sandboxing.
An isolated environment in which code runs with no connection to production systems or real data, so anything it does or breaks stays contained. It is a technological safe space.
It is used during the development process.
List out the steps to building an application.
1) Development
- Writing code in a secure environment
- Developers test in their sandboxes
2) Test
3) Quality Assurance (QA)
- Verifies features are working as expected
- Validates new functionality
- Verifies old errors don’t reappear
4) Staging
- Works and feels exactly like the production environment
- Run performance tests
5) Production
What are some logistical challenges to deploying a new application for the onsite IT team and the users?
Users: New application to learn
IT: New Servers?, New Software, Restart or interrupt of service
What are two measures you should take once the application is deployed? (Baseline)
Establish security baselines
Measure integrity against the secure baseline (detect drift or tampering)
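Added example (not from the flashcards): one concrete way to "establish a baseline" and "measure integrity" against it is to record a hash of every deployed file and re-hash later. The directory layout, file contents and the tampering scenario in demo() are constructed for illustration.

```python
# Added example: establishing a file-integrity baseline after deployment
# and re-measuring against it later. The file tree under the temporary
# directory is constructed for illustration only.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Record the hash of every file under root, keyed by relative POSIX path."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline.

    Returns files whose hash changed, files that disappeared, and files
    that appeared since the baseline was taken. Any non-empty list means
    the deployment no longer matches what was approved.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a deployed app, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root)
        (app / "bin").mkdir()
        (app / "bin" / "server").write_bytes(b"\x7fELF original binary")
        (app / "config.yml").write_text("debug: false\n")
        (app / "static.js").write_text("console.log('hi');\n")

        baseline = build_baseline(root)

        # Simulated drift: a replaced binary, a deleted config, an unexpected file.
        (app / "bin" / "server").write_bytes(b"\x7fELF replaced binary")
        (app / "config.yml").unlink()
        (app / "dropped.txt").write_text("unexpected file\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored somewhere the deployed host cannot rewrite (a signed manifest or a separate system); a baseline an attacker can update alongside the files proves nothing.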
What might you need to provision an application?
To deploy:
Web server, database server, middleware server, user workstation configurations, certificate updates, etc.
Hardening of the application software (both the OS and the application itself)
Network Security:
Secure VLAN, internal access, external access
Define Scalability.
The ability of a system to handle a growing workload within a given infrastructure.
Define Elasticity.
The ability to increase or decrease available resources as the work load changes.
Define Orchestration.
The process of automating the tasks needed to manage connections and operations of workloads on private and public clouds.
Define Deprovisioning.
Dismantling and removing an application instance.
Define Provisioning.
Bringing up an application instance.
Define Stored procedures.
Predefined procedures stored in the database that the client calls by name with parameters instead of sending its own SQL. The client can only invoke the operations the procedures expose, and its parameters cannot change the structure of the query, which limits SQL injection.
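Added example (not from the flashcards): the value of a stored procedure is that the client supplies values, never SQL. SQLite has no stored procedures, so here each "procedure" is modeled as a fixed Python function with bound parameters that the client may only invoke by name; the principle is the same. The users table and the injection payload are constructed for illustration.

```python
# Added example: a client-shaped query beside a fixed procedure with bound
# parameters. SQLite lacks stored procedures, so PROCEDURES stands in for
# them. Sample data is constructed in memory.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Vulnerable: the client-controlled string becomes part of the SQL text."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# The "stored procedures": the only database operations a client may call.
# Each has a fixed SQL statement; the client supplies values, never SQL.
def proc_find_user(conn: sqlite3.Connection, name: str) -> list[tuple]:
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def proc_count_by_role(conn: sqlite3.Connection, role: str) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE role = ?", (role,)
    ).fetchone()[0]


PROCEDURES = {"find_user": proc_find_user, "count_by_role": proc_count_by_role}


def call_procedure(conn: sqlite3.Connection, name: str, *args):
    """Dispatch a client request to a named procedure; anything else is refused."""
    try:
        proc = PROCEDURES[name]
    except KeyError:
        raise PermissionError(f"no such procedure: {name}") from None
    return proc(conn, *args)


def demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"  # classic injection string
    return {
        "unsafe_rows": len(find_user_unsafe(conn, payload)),          # whole table leaked
        "proc_rows": len(call_procedure(conn, "find_user", payload)),  # literal match, no rows
        "admins": call_procedure(conn, "count_by_role", "admin"),
    }


if __name__ == "__main__":
    print(demo())
```

The same payload returns every row through the string-built query and nothing through the procedure, because the bound parameter is compared as a literal value. Granting the application account EXECUTE on the procedures and no direct table access completes the picture on a real database server.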
Define Obfuscation in terms of application development.
Transforming readable code into a form that behaves the same but is hard for a human to read, so that an attacker cannot easily probe it for security holes. It slows down analysis; it does not fix the holes, so it is no substitute for secure code.
What are some cons of reusing code? (Code reuse)
Any security flaw in the old code is carried into every program that reuses it, so one bug becomes many.
Define Dead Code.
Code that is present but never contributes to the program's output, for example a calculation whose result is discarded. It still has to be maintained and can hide bugs and unexpected behavior.
How can you ensure that you are receiving only expected input? (Input validation)
Document all input methods (forms, fields, type)
Check and correct all input (normalization)
- A zip code should only be X characters
- Fix any data with improper input
Define Server-side validation.
When user input is validated by the server after it is received from the browser. The safer validation, because the client cannot bypass it.
Define Client-side validation.
The end-user’s app makes the validation decisions.
Which is safer, server-side validation or client-side validation?
Server-side validation
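Added example (not from the flashcards): the input-validation steps above (document every input, normalize, check, reject what does not fit) carried out on the server side. The field schema and the sample form submissions are constructed for illustration; the zip rule is the five-digit US format.

```python
# Added example: server-side validation against a documented input schema.
# The schema and the sample submissions are constructed for illustration.
import re

# Step 1: document every input the form accepts: name, format, length.
SCHEMA = {
    "zip":   {"pattern": r"[0-9]{5}", "max_len": 5},                  # exactly 5 digits
    "email": {"pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+", "max_len": 254},
    "qty":   {"pattern": r"[1-9][0-9]{0,2}", "max_len": 3},            # 1..999
}


def normalize(value: str) -> str:
    """Step 2: put input into canonical form (trim, collapse whitespace)."""
    return " ".join(str(value).split())


def validate(form: dict) -> tuple[dict, dict]:
    """Return (clean_values, errors).

    Runs on the server regardless of what the client checked. Unknown
    fields are rejected (a client can send fields the form never showed),
    missing fields are reported, and every present field must match its
    documented pattern after normalization.
    """
    clean, errors = {}, {}
    for field in form:
        if field not in SCHEMA:
            errors[field] = "unexpected field"
    for field, rule in SCHEMA.items():
        if field not in form:
            errors[field] = "missing"
            continue
        value = normalize(form[field])
        if len(value) > rule["max_len"]:
            errors[field] = "too long"
        elif not re.fullmatch(rule["pattern"], value):
            errors[field] = "invalid format"
        else:
            clean[field] = value
    return clean, errors


def demo() -> dict:
    """Constructed submissions: one well-formed, one with bad and extra data."""
    good = {"zip": " 90210 ", "email": "a@example.com", "qty": "3"}
    bad = {"zip": "9021O", "email": "not-an-email", "qty": "0", "is_admin": "1"}
    return {"good": validate(good), "bad": validate(bad)}


if __name__ == "__main__":
    print(demo())
```

Only the values in clean should ever reach the database or business logic; the is_admin field in the second submission shows why unexpected fields are refused rather than ignored.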
What is a major consequence of improper memory management?
Buffer overflows. Writing past the end of a buffer corrupts adjacent memory, which a bad actor can exploit to crash the program or execute code of their choosing.
What is a major risk of using third-party libraries and SDKs?
You don't know how secure it is or who maintains it. You don't know the code base, so you inherit its vulnerabilities along with its features.
How can you protect an application against data exposure?
Check all input and output processes for data exposure
Encryption when stored
Encryption across the network
Define Version Control.
The practice of tracking and managing changes to software code. Every change is recorded with who made it and when, and the repository and its history must themselves be protected.
Define Software Diversity.
Evolving one program into a population of diverse programs that all provide similar services to users but with different code. This diversity protects users against a single attack that could otherwise crash or compromise every copy at the same time.
Define Continuous Integration (CI).
Code is constantly written and merged into the central repository many times a day.
How can you secure an application during continuous integration?
1) Basic set of security checks during development
- Documented security baselines as the bare minimum
2) Large-scale security analysis during the testing phase
Define Continuous delivery / deployment (CD).
Continuous delivery
- Automate the testing process
- Automate the release process
- Click a button and deploy the application
Continuous deployment
- Even more automation
- Automatically deploy to production
- No human intervention or manual checks