2.3 Summarize secure application development, deployment, and automation conpcepts.

Question 1

This must be configured and segmented to properly implement staging. This often requires at least four main network divisions: development, test, staging, and production.

Answer 1

Secure IT environment.

Question 2

Where new software code is being crafted by on-staff programmers and developers. For some organizations, this might also be where custom-built hardware is being created.

Answer 2

Development (Environment)

Question 3

An essential part to the security requirements of every modern organization. A key element of a software development program is this and code review.

Answer 3

Test (Environment)

Question 4

Where new equipment or code, whether developed in-house or obtained from external vendors, is configured to be in compliance with the company’s security policy and configuration baseline. Once a system or software goes through this process, it can be moved to the test network for evaluation. After the system has passed evaluation, it can be deployed into the production network.

Answer 4

Staging (Environment)

Question 5

The network where the everyday business tasks and work processes are accomplished. It is also known as the operations network. It should only be operating on equipment and systems that have been properly staged and tested.

Answer 5

Production (Environment)

Question 6

An evaluation process employed by many organizations to ensure that newly integrated hardware and software do not reduce performance or efficiency nor introduce any unexpected security issues.

Answer 6

Quality Assurance (Environment)

Question 7

A new IT movement in which many elements and functions of IT management are being integrated into a single automated solution. It typically consists of IT development, operations, security, and quality assurance.

Answer 7

Secure DevOps

Question 8

Used to ensure that sufficient resources are available to support and maintain a system, software, or solution. Also known as preallocation.

Answer 8

Provisioning

Question 9

Can focus on streamlining and fine-tuning resource allocation to existing systems for a more efficient distribution of resources.

Answer 9

Deprovisioning

Question 10

Accomplished through the cryptographic concept of hashing.

Answer 10

Integrity measurement

Question 11

Those efforts designed to implement security into software as it’s being developed.

Answer 11

Secure coding concepts/ techniques

Question 12

A database programming and management technique used to reduce redundancy.

Answer 12

Normalization (secure coding)

Question 13

A subroutine or software module that can be called upon or accessed by applications interacting with an RDBMS.

Answer 13

Stored procedures (secure coding)

Question 14

The coding practice of crafting code specifically to be difficult for other programmers to decipher.

Answer 14

Obfuscation/ camouflage (secure coding)

Question 15

The inclusion of preexisting code in a new program. It can be a way to quicken the development process.

Answer 15

Code reuse (secure coding)

Question 16

Dead code is any section of software that is executed but the output or result of the execution is not used by any other process.

Answer 16

Dead code (secure coding)

Question 17

Suited for protecting a system against input submitted by a malicious user. It should include a check for input length, a filter for known scriptable or malicious content (such as SQL commands or script calls), and a metacharacter filter.

Answer 17

Server-side validation (secure coding)

Question 18

Focuses on providing better responses or feedback to the typical user. It can be used to indicate whether input meets certain requirements, such as length, value, content, and so on.

Answer 18

Client-side validation (secure coding)

Question 19

Includes software management techniques such as preallocating memory buffers but also limiting the input sent to those buffers. Including input limit checks is part of secure coding practices.

Answer 19

Memory management (secure coding)

Question 20

Essential tools for a programmer that allows them to use preexisting code can allow programmers to focus on their custom code and logic.

Answer 20

Third-party libraries and SDKs (secure coding)

Question 21

When software does not adequately protect the data it processes. Programmers need to include authorization, authentication, and encryption schemes in their products to protect against this.

Answer 21

Data exposure (secure coding)

Question 22

A nonprofit security project focusing on improving security for online or web-based applications, mobile device applications, and IoT equipment.

Answer 22

Open Web Application Security Project (OWASP)

Question 23

The use of several high-level languages more similar to human languages that aid people in the crafting of new software.

Answer 23

Software diversity

Question 24

Used to convert a high-level language or human-readable source code into machine language or binary executable code for execution.

Answer 24

Compiler

Question 25

Shorthand to reference binary code or machine language. It is usually code that is ready to execute on a CPU.

Answer 25

Binary

Question 26

The control of systems on a regular scheduled, periodic, or triggered basis that does not require manual hands-on interaction. It is often critical to a resilient security infrastructure.

Answer 26

Automation

Question 27

The crafting of a file of individual lines of commands that are executed one after another. These can be set to launch on a schedule or based on a triggering event.

Answer 27

Scripting

Question 28

These ensure that a specific series of steps or activities are performed in the correct order each and every time. This helps ensure consistency of results, which in turn establishes consistent security.

Answer 28

Automated courses of action (automation/scripting)

Question 29

Stems from the need to have user accountability through the use of user access reviews.

Answer 29

Continuous monitoring (automation/scripting)

Question 30

Necessary to maintain integrity of automation.

Answer 30

Continuous validation (automation/scripting)

Question 31

The approach to ensure that automated tools, automated testing, and manual injection of security elements are included throughout the process of product development.

Answer 31

Continuous integration (automation/scripting)

Question 32

The release of updates and changes to customers or production as they are made to the scripts and code of automation.

Answer 32

Continuous delivery (automation/scripting)

Question 33

An extension of continuous delivery, except that the implementation of new code occurs automatically into production.

Answer 33

Continuous deployment (automation/scripting)

Question 34

The ability of a system to adapt to workload changes by allocating or provisioning resources in an automatic responsive manner.

Answer 34

Elasticity

Question 35

The ability of a system to handle an ever-increasing level or load of work. It can also be the potential for a system to be expanded to handle or accommodate future growth.

Answer 35

Scalability

Question 36

The management of the progress of changes in software code. The goal is to ensure that only final version of products are released to the market.

Answer 36

Version Control