Secure application development, deployment, and automation concepts Flashcards

1
Q

Environment

A
Development
Test
Staging
Production
Quality assurance (QA)
2
Q

Development

A

The code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.

3
Q

Test

A

In this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.

4
Q

Staging

A

In software development, a user acceptance testing environment that is a copy of the production environment.
This is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.

5
Q

Production

A

The application is released to end users.

6
Q

Quality assurance (QA)

A

Policies, procedures, and tools designed to ensure defect-free development and delivery.

7
Q

Provisioning and deprovisioning

A

Provisioning: the process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.

Deprovisioning: the process of removing an application from packages or instances.

8
Q

Integrity measurement

A

This process determines whether the development environment varies from the configuration baseline. Perhaps a developer added an unauthorized tool to solve some programming issue. Integrity measurement may be performed by scanning for unsigned files or files that do not otherwise match the baseline.

9
Q

Secure coding techniques

A
Normalization
Stored procedures
Obfuscation/camouflage
Code reuse/dead code
Server-side vs. client-side execution and validation
Memory management
Use of third-party libraries and software development kits (SDKs)
Data exposure
10
Q

Normalization

A

A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

11
Q

Stored procedures

A

One of a set of pre-compiled database statements that can be used to validate input to a database.

Using a pre-built function to perform a database query. A stored procedure is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a predefined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.

12
Q

Obfuscation/camouflage

A

Well-documented code is easier to analyze, which may also assist the development of attacks. Code can be made difficult to analyze by using an obfuscator, which is software that randomizes the names of variables, constants, functions, and procedures, removes comments and white space, and performs other operations to make the compiled code physically and mentally difficult to read and follow.

13
Q

Code reuse/dead code

A

Dead code: code in an application that is redundant because it will never be called within the logic of the program flow.

Code reuse: potentially unsecure programming practice of using code originally written for a different context.

14
Q

Server-side vs. client-side execution and validation

A

A web application (or any other client-server application) can be designed to perform code execution and input validation locally (on the client) or remotely (on the server). An example of client-side execution is a document object model (DOM) script to render the page using dynamic elements from user input. Applications may use both techniques for different functions. The main issue with client-side validation is that the client will always be more vulnerable to some sort of malware interfering with the validation process. The main issue with server-side validation is that it can be time-consuming, as it may involve multiple transactions between the server and client. Consequently, client-side validation is usually restricted to informing the user that there is some sort of problem with the input before submitting it to the server. Even after passing client-side validation, the input will still undergo server-side validation before it can be posted (accepted). Relying on client-side validation only is poor programming practice.

15
Q

Memory management

A

Many arbitrary code attacks depend on the target application having faulty memory management procedures. This allows the attacker to execute his or her own code in the space marked out by the target application. There are known unsecure practices for memory management that should be avoided and checks for processing untrusted input, such as strings, to ensure that it cannot overwrite areas of memory.

16
Q

Use of third-party libraries and software development kits (SDKs)

A

Third-party library: using a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.
Software development kit (SDK): coding resources provided by a vendor to assist with development projects that use their platform or API.

17
Q

Data exposure

A

A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

18
Q

Open Web Application Security Project (OWASP)

A

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

19
Q

Software diversity

A

Compiler
Binary

Software diversity can refer to obfuscation techniques to make code difficult to detect as malicious. This is widely used by threat actors in the form of shellcode compilers to avoid signature detection, such as the venerable Shikata Ga Nai. Obfuscation can also be used as a defensive technique. Obfuscating API methods and automation code makes it harder for a threat actor to reverse engineer and analyze the code to discover weaknesses.

20
Q

Compiler

A

Compiled code is converted to binary machine language that can run independently on the target OS.

21
Q

Binary

A

Code language consisting of 1s and 0s

22
Q

Automation/scripting

A
Automated courses of action
Continuous monitoring
Continuous validation
Continuous integration
Continuous delivery
Continuous deployment

Coding projects are managed using different life cycle models. The waterfall model software development life cycle (SDLC) is an older paradigm that focuses on the successful completion of monolithic projects that progress from stage to stage. The more recent Agile paradigm uses iterative processes to release well-tested code in smaller blocks or units. In this model, development and provisioning tasks are conceived as continuous.

23
Q

Automated courses of action

A

You can also automate the courses of action that a monitoring system takes, like configuring an IPS to automatically block traffic that it deems suspicious. This sort of capability is provided by security orchestration and response (SOAR) management software.

24
Q

Continuous monitoring

A

The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.

25
Q

Continuous validation

A

An application model is a statement of the requirements driving the software development project. The requirements model is tested using processes of verification and validation (V&V):

Verification is a compliance testing process to ensure that the product or system meets its design goals.
Validation is the process of determining whether the application is fit-for-purpose (so for instance, its design goals meet the user requirements).
With the continuous paradigm, feedback from delivery and deployment must be monitored and evaluated to ensure that the design goals continue to meet user and security requirements. The monitoring and validation processes must also ensure that there is no drift from the secure configuration baseline.

26
Q

Continuous integration

A

Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.

27
Q

Continuous delivery

A

Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

28
Q

Continuous deployment

A

Software development method in which app and platform updates are committed to production rapidly.

29
Q

Elasticity

A

The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

30
Q

Scalability

A

The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

31
Q

Version control

A

The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.