Domain 8: Software Development Security Flashcards
Where Do We Place Security? - Introduction
- Software is responsible for the vast majority of vulnerabilities
- The importance of implementing proper security in software is a relatively new focus
- It is very uncommon to find a software developer who is also a security professional
- Software vendors are trying to get products to market as soon as possible and do not make security a priority
- Customers have become accustomed to receiving software with security flaws that are then patched
- Customers cannot fix the security flaws in software they purchase, so they resort to perimeter solutions
Where Do We Place Security? - Environment vs. Application
- Environment (At the OS)
  - Great to ensure a consistent approach, but the OS has no visibility or control of access activities within an application
  - Perimeter devices are more reactive in nature: they protect best against known vulnerabilities that are discovered over time
- Application
  - Provides very granular control, but does nothing for security outside of the application, including any external resource the application requires
  - The more functionality that is packed into an application, the more difficult it becomes to achieve a good level of security hygiene
Software Development Life Cycle - Phases
- Requirements gathering: Figure out what the product will do when completed
- Design: Plan how the product will be put together
- Development: Put the product together
- Testing/validation: Make sure the product does what the requirements said it should do
- Release/maintenance: Ship the product and update as needed
Software Development Models - Rapid Application Model (RAD)
- Working product is quickly developed
- The intention is to use the product to elicit requirements, as opposed to using the requirements to build the product
- It is a good fit when the customer is unsure of what they want, or requirements are guaranteed to change quickly and often at the beginning of a project
- Phases
  - Analysis and quick design
  - RAD (build, demonstrate, refine)
  - Testing
  - Implementation
Integrated Product Team - DevOps
- Intersection of
  - Software development
  - IT
  - QA
- Security is the big winner as it is addressed from the beginning because of IT’s involvement
Software Development Models - Agile Models - Scrum
- Most widely recognized Agile model
- Can handle projects of any size
- Very focused on customer feedback
- Recognizes upfront that customer needs will never be fully understood and will change. Therefore, focus is put on close collaboration with the customer and continuous delivery
- Allows for interruptions at clearly defined points (sprints), after which everyone gathers back together and puts the ball back into play
- Sprints:
  - Pre-defined interval (usually 2 weeks) during which the customer is not allowed to make changes
  - At the end of each sprint, the customer has the freedom to completely change direction if it so desires
  - At the beginning of each sprint, the development team selects the user stories, starting at the top of the backlog
- Backlog: Prioritized list of user stories
Change Control - Definition
- Process of controlling any changes that take place during a product’s lifetime and documenting the activities that result
- Should be in place at the beginning of a project or chaos will result
Programming Languages and Concepts - Object-Oriented Concepts - Object-Oriented Programming (OOP)
Focuses on objects instead of a linear progression of code
API
API stands for Application Programming Interface. In the context of APIs, the word Application refers to any software with a distinct function. Interface can be thought of as a contract of service between two applications. This contract defines how the two communicate with each other using requests and responses.
Distributed Computing - Component Object Model (COM)
- Created by Microsoft
- Goal: Provide the ability for interprocess communication (IPC) on a single computer
- It is language independent
- Only used for Windows systems