Secure application development Flashcards
What is sandboxing in regards to the application development process?
An isolated testing environment used during the development process with no connection to the real world or production systems. A technological safe space.
What is the difference between a testing environment and a sandbox environment in a development environment?
A testing environment will be slightly more formal. All of the pieces are now put together, but it is still in the development stage. Does it all work together after being stitched together? Functional tests happen here.
When does QA happen in development?
QA = quality assurance
After an application has made it through the testing environment and passed the tests there.
This would be a place to validate that everything is working as expected.
This would also be the group that tests new features, and verifies that old errors which were fixed don’t reappear.
When does Staging happen in a development process?
After the QA team has gone through and done their tests. This would be when the product is almost ready to roll out but an additional set of tests must be done before deploying it to production.
A staging environment should work and feel exactly like the production environment, and use a copy of production data.
This is also where you could run performance tests on how it will run in a production environment.
This is your last chance to test the features and usability.
At what point in the process of development would performance tests be run?
Staging.
Which things should be documented in a security baseline of an application?
Firewall settings, patch levels, OS file versions, etc.
This may require constant updates as the application is updated.
What is the difference between Scalability and Elasticity?
Scalability would be creating an application instance that can support a certain load, and quantifying what it can support.
Elasticity would be increasing or decreasing the capabilities of an application instance as needed and possibly deploying multiple application instances that can grow and shrink.
What is orchestration in cloud computing?
In a general sense, it is automating the provisioning and deprovisioning of cloud instances such as servers, networks, switches, firewalls, and even policies, as well as automating which area of the world an instance is provisioned in. The security policies should be part of the orchestration, so that as applications are provisioned the proper security is automatically included.
When deprovisioning an application instance in the cloud, what are a few things that would be important to remove/change other than just completely turning the thing off?
Focus on rewriting firewall rules and other ACLs, since the instance is no longer available, as well as removing all of the data associated with this instance that is no longer necessary.
In regards to secure coding, what is a stored procedure?
Stored procedures limit the client’s interactions with the database. Rather than sending out a direct and detailed request for data, a stored procedure would greatly limit the client’s interactions with the database to one that was preconfigured and stored on the database.
Stored procedure: ‘CALL get_options’
Regular Query: ‘SELECT * FROM wp_options WHERE option_id = 1’
What is dead code?
Dead code is code that has been put in an application and does some processing, but it hits a dead end and the result is never used in the application at all.
It bloats the size, makes things take a little longer, and might add a security issue (all code is an opportunity for a security problem).
What is input validation?
Making sure that input placed in any form in an application is what is expected.
Ex. a zip code should be x numbers long and anything else will be rejected.
You want this validation done on the server side, so that attackers cannot make changes to the data before it reaches the server, but you will typically see it happening on both sides to speed things up.
What is an SDK in application development?
Software development kit.
Basically a third-party library, like the nmap library you used for zpScan.
What is Software Diversity?
Software Diversity is a way of minimizing your attack surface by making software slightly different on each machine, using alternate paths during the compiling process. This won’t change the functionality of the software in any way, but it will change the final binary file itself.
This means that exploits against a specific piece of software may not work against all of the devices in your workplace, even though they all have the same piece of software.
What is CI? (Continuous integration)
Continuous Integration is when code is being constantly written and merged into the central repository many times a day.
This takes place during the development process.
There need to be automated security checks, and then we need to evaluate the updated code against the documented set of security baselines.
Once the software comes out of the development process, there might be even more extensive security checks made.