2.3 Summarize secure application development, deployment, and automation concepts Flashcards
The 4 Computing Environments
Development, Test, Staging, and Production. These need to be kept separate so that untested code is checked at each stage.
Development Environment
Where new software code is being made. OS type and version need to match.
Test Environment
Mimics the production environment. The test environment exists to ensure that the code is bug free.
Staging Environment
Where you perform quality assurance and validate security and the baseline configuration.
Production Environment
The product does what it is designed to do and works with real data.
Quality Assurance (QA)
Evaluation process that tests security and quality. (Happens in the staging environment.)
Provisioning
Making apps and services available. May be related to the lifecycle of an app.
Deprovisioning
Application end of life. Should be deprovisioned in accordance with HIPAA or GDPR.
Integrity management
Maintaining control over the copies of code. Also hashing the code and referencing the hash against a table to identify which version you have.
Normalization
Stored Procedures
Precompiled scripts in production. The benefit is speed; the trade-off is that the code is less flexible.
Obfuscation/Camouflage code
Masking source code from attackers with XOR and ROT13.
Code Reuse
Also referred to as legacy code. The code still needs to go through security review.
Saves money in the development environment.
Dead Code
Code that isn’t used anywhere in the software.
Server-Side vs. Client-Side Execution and Validation
Server-side: checks data on the server; the only safe way.
Client-side: can’t validate any inputs. Malicious code, JavaScript, HTML, or URLs can be injected.
Memory Management
Process: use memory, then return it to the system when it is no longer needed.
If not managed correctly, this can cause a memory leak.
SDK
(Software development kit)
Third-party set of software programs and tools for creating apps.
Data Exposure
Losing data or control of data during operations
OWASP
(Open Web Application Security Project)
Non-profit that maintains an updated list of the most common application vulnerabilities.
Software Diversity
Taking the “high-level language” (readable, English-like code) and converting it into machine language (1s and 0s). Can be done instantly or scripted.
Compiler
Takes high-level language and converts it into machine code.
Continuous monitoring
Automatically detecting security issues and sending alerts to security personnel. Uses scripts.
Continuous Validation
Testing code to see if it is functional with the existing codebase.
Continuous Integration
Allows for testing and updating parts of the codebase without uploading the entire codebase.
Continuous Delivery
Allows automated testing and automated release; you approve updates for release when they are complete.
Continuous Deployment
Releases the update automatically without you enabling it. Just like continuous delivery, but you don’t control the release.
Version Control
Documenting software updates and keeping a list of what is what. Good for reverting to previous versions.
Elasticity
The ability of a system to automatically grow and shrink based on app demand.