secure application development, deployment, and automation concepts Flashcards
Environment
Development
Test
Staging
Production
Quality assurance (QA)
Development
The code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.
Test
In this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.
Staging
In software development, a user acceptance testing environment that is a copy of the production environment.
This is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.
Production
The application is released to end users.
Quality assurance (QA)
Policies, procedures, and tools designed to ensure defect-free development and delivery.
Provisioning and deprovisioning
The process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.
The process of removing an application from packages or instances.
Integrity measurement
This process determines whether the development environment varies from the configuration baseline. Perhaps a developer added an unauthorized tool to solve some programming issue. Integrity measurement may be performed by scanning for unsigned files or files that do not otherwise match the baseline.
Secure coding techniques
Normalization
Stored procedures
Obfuscation/camouflage
Code reuse/dead code
Server-side vs. client-side execution and validation
Memory management
Use of third-party libraries and software development kits (SDKs)
Data exposure
Normalization
A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.
Stored procedures
One of a set of pre-compiled database statements that can be used to validate input to a database.
Using a pre-built function to perform a database query. A stored procedure is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a predefined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.
Obfuscation/camouflage
Well-documented code is also easier to analyze, however, which may assist the development of attacks. Code can be made difficult to analyze by using an obfuscator, which is software that randomizes the names of variables, constants, functions, and procedures, removes comments and white space, and performs other operations to make the compiled code physically and mentally difficult to read and follow.
Code reuse/dead code
Code in an application that is redundant because it will never be called within the logic of the program flow.
Potentially unsecure programming practice of using code originally written for a different context.
Server-side vs. client-side execution and validation
A web application (or any other client-server application) can be designed to perform code execution and input validation locally (on the client) or remotely (on the server). An example of client-side execution is a document object model (DOM) script to render the page using dynamic elements from user input. Applications may use both techniques for different functions. The main issue with client-side validation is that the client will always be more vulnerable to some sort of malware interfering with the validation process. The main issue with server-side validation is that it can be time-consuming, as it may involve multiple transactions between the server and client. Consequently, client-side validation is usually restricted to informing the user that there is some sort of problem with the input before submitting it to the server. Even after passing client-side validation, the input will still undergo server-side validation before it can be posted (accepted). Relying on client-side validation only is poor programming practice.
Memory management
Many arbitrary code attacks depend on the target application having faulty memory management procedures. This allows the attacker to execute his or her own code in the space marked out by the target application. There are known unsecure memory management practices that should be avoided, and untrusted input, such as strings, should be checked to ensure that it cannot overwrite areas of memory.
Use of third-party libraries and software development kits (SDKs)
Third-party library—using a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.
Coding resources provided by a vendor to assist with development projects that use their platform or API.
Data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
Open Web Application Security Project (OWASP)
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
Software diversity
Compiler
Binary
Software diversity can refer to obfuscation techniques to make code difficult to detect as malicious. This is widely used by threat actors in the form of shellcode compilers, such as the venerable Shikata Ga Nai, to avoid signature detection. The same approach can be used as a defensive technique. Obfuscating API methods and automation code makes it harder for a threat actor to reverse engineer and analyze the code to discover weaknesses.
Compiler
Compiled code is converted to binary machine language that can run independently on the target OS.
Binary
Code language consisting of 1s and 0s.
Automation/scripting
Automated courses of action
Continuous monitoring
Continuous validation
Continuous integration
Continuous delivery
Continuous deployment
Coding projects are managed using different life cycle models. The waterfall model software development life cycle (SDLC) is an older paradigm that focuses on the successful completion of monolithic projects that progress from stage to stage. The more recent Agile paradigm uses iterative processes to release well-tested code in smaller blocks or units. In this model, development and provisioning tasks are conceived as continuous.
Automated courses of action
You can also automate the courses of action that a monitoring system takes, like configuring an IPS to automatically block traffic that it deems suspicious. This sort of capability is provided by security orchestration and response (SOAR) management software.
Continuous monitoring
The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.
Continuous validation
An application model is a statement of the requirements driving the software development project. The requirements model is tested using processes of verification and validation (V&V):
Verification is a compliance testing process to ensure that the product or system meets its design goals.
Validation is the process of determining whether the application is fit-for-purpose (so for instance, its design goals meet the user requirements).
With the continuous paradigm, feedback from delivery and deployment must be monitored and evaluated to ensure that the design goals continue to meet user and security requirements. The monitoring and validation processes must also ensure that there is no drift from the secure configuration baseline.
Continuous integration
Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.
Continuous delivery
Software development method in which app and platform requirements are frequently tested and validated for immediate availability.
Continuous deployment
Software development method in which app and platform updates are committed to production rapidly.
Elasticity
The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
Scalability
The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
Version control
The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.