2.3 Summarize secure application development, deployment, and automation concepts. Flashcards
This must be configured and segmented to properly implement staging. This often requires at least four main network divisions: development, test, staging, and production.
Secure IT environment.
Where new software code is being crafted by on-staff programmers and developers. For some organizations, this might also be where custom-built hardware is being created.
Development (Environment)
An essential part of the security requirements of every modern organization. A key element of a software development program is this and code review.
Test (Environment)
Where new equipment or code, whether developed in-house or obtained from external vendors, is configured to be in compliance with the company’s security policy and configuration baseline. Once a system or software goes through this process, it can be moved to the test network for evaluation. After the system has passed evaluation, it can be deployed into the production network.
Staging (Environment)
The network where the everyday business tasks and work processes are accomplished. It is also known as the operations network. It should only be operating on equipment and systems that have been properly staged and tested.
Production (Environment)
An evaluation process employed by many organizations to ensure that newly integrated hardware and software do not reduce performance or efficiency nor introduce any unexpected security issues.
Quality Assurance (Environment)
A new IT movement in which many elements and functions of IT management are being integrated into a single automated solution. It typically consists of IT development, operations, security, and quality assurance.
Secure DevOps
Used to ensure that sufficient resources are available to support and maintain a system, software, or solution. Also known as preallocation.
Provisioning
Can focus on streamlining and fine-tuning resource allocation to existing systems for a more efficient distribution of resources.
Deprovisioning
Accomplished through the cryptographic concept of hashing.
Integrity measurement
Those efforts designed to implement security into software as it’s being developed.
Secure coding concepts/techniques
A database programming and management technique used to reduce redundancy.
Normalization (secure coding)
A subroutine or software module that can be called upon or accessed by applications interacting with an RDBMS.
Stored procedures (secure coding)
The coding practice of crafting code specifically to be difficult for other programmers to decipher.
Obfuscation/camouflage (secure coding)
The inclusion of preexisting code in a new program. It can be a way to quicken the development process.
Code reuse (secure coding)
Dead code is any section of software that is executed but whose output or result is not used by any other process.
Dead code (secure coding)
Suited for protecting a system against input submitted by a malicious user. It should include a check for input length, a filter for known scriptable or malicious content (such as SQL commands or script calls), and a metacharacter filter.
Server-side validation (secure coding)
Focuses on providing better responses or feedback to the typical user. It can be used to indicate whether input meets certain requirements, such as length, value, content, and so on.
Client-side validation (secure coding)
Includes software management techniques such as preallocating memory buffers but also limiting the input sent to those buffers. Including input limit checks is part of secure coding practices.
Memory management (secure coding)
Essential tools for a programmer. Using preexisting code allows programmers to focus on their custom code and logic.
Third-party libraries and SDKs (secure coding)
When software does not adequately protect the data it processes. Programmers need to include authorization, authentication, and encryption schemes in their products to protect against this.
Data exposure (secure coding)
A nonprofit security project focusing on improving security for online or web-based applications, mobile device applications, and IoT equipment.
Open Web Application Security Project (OWASP)
The use of several high-level languages more similar to human languages that aid people in the crafting of new software.
Software diversity
Used to convert a high-level language or human-readable source code into machine language or binary executable code for execution.
Compiler
Shorthand to reference binary code or machine language. It is usually code that is ready to execute on a CPU.
Binary
The control of systems on a regularly scheduled, periodic, or triggered basis that does not require manual hands-on interaction. It is often critical to a resilient security infrastructure.
Automation
The crafting of a file of individual lines of commands that are executed one after another. These can be set to launch on a schedule or based on a triggering event.
Scripting
These ensure that a specific series of steps or activities are performed in the correct order each and every time. This helps ensure consistency of results, which in turn establishes consistent security.
Automated courses of action (automation/scripting)
Stems from the need to have user accountability through the use of user access reviews.
Continuous monitoring (automation/scripting)
Necessary to maintain integrity of automation.
Continuous validation (automation/scripting)
The approach to ensure that automated tools, automated testing, and manual injection of security elements are included throughout the process of product development.
Continuous integration (automation/scripting)
The release of updates and changes to customers or production as they are made to the scripts and code of automation.
Continuous delivery (automation/scripting)
An extension of continuous delivery, except that the implementation of new code occurs automatically into production.
Continuous deployment (automation/scripting)
The ability of a system to adapt to workload changes by allocating or provisioning resources in an automatic responsive manner.
Elasticity
The ability of a system to handle an ever-increasing level or load of work. It can also be the potential for a system to be expanded to handle or accommodate future growth.
Scalability
The management of the progress of changes in software code. The goal is to ensure that only final versions of products are released to the market.
Version Control