Summarize secure application development, deployment, and automation concepts

Question 1

Requires at least four main network divisions: development, test, staging, production

Answer 1

Environment

Question 2

Network where new software code is being crafted. Fully isolated from other network divisions

Answer 2

Development

Question 3

Typical SDLC includes these phases

Answer 3

Initiation preliminary analysis

Systems analysis, requirements definition

Systems design

Development

Integration and testing

Acceptance, installation, deployment

Maintenance

Evaluation

Revise, replace, retire

Question 4

Where new equipment/code, is configured to be in compliance w/security policy and configuration baseline

Answer 4

Staging

Question 5

Evaluates software security by evaluating source code or complied application w/o execution

Can be conducted manually or using tools

Answer 5

Static testing

Question 6

Executes code in constrained environment

Fuzz testing/fuzzing

Use of various inputs to stress test code, w/goal of finding input causing abnormal/insecure responses

Answer 6

Dynamic testing

Question 7

Where business functions take place, also known as operations network

Answer 7

Production

Question 8

Evaluation process employed by many orgs to ensure newly integrated hardware/software do not reduce performance/security

Answer 8

Quality assurance (QA)

Question 9

It is preallocation

Assignment of resources to new function or task prior to initiation

Answer 9

Provisioning

Question 10

Two primary elements:

Focus on streamlining and finetuning resource allocation to existing systems

Decommissioning of servers

Answer 10

Deprovisioning

Question 11

Accomplished through hashing

Known trusted versions of code should have est. identity/origin hash

Answer 11

Integrity measurement

Question 12

Code signing

Crafting a digital signature of software program for non-repudiation

Answer 12

Secure coding techniques

Question 13

Programming and mgt technique to reduce redundancy, often related to DB mgt

Can also implement standardization

Answer 13

Normalization

Question 14

Subroutine/software module called on by apps interacting with a relationship DB mgt system (RDBMS)

Answer 14

Stored procedures

Question 15

Crafting code specifically to be difficult to decipher

Answer 15

Obfuscation/camouflage

Question 16

Inclusion of preexisting code, care must be taken

Answer 16

Code reuse

Question 17

Section of software executed, but output/result is not used by any processes

Answer 17

Dead code

Question 18

Suited for protecting a system against input submitted by malicious user

Answer 18

Server-side data validation

Question 19

Focus on providing better responses/feedback to typical user

Can be used to indicate whether input meets requirements

Answer 19

Client-side validation

Question 20

Software should preallocate memory but also limit input sent to those buffers

Answer 20

Memory management

Question 21

Using preexisting code so programmers can focus on custom code and logic

Precrafted code can include flaws, backdoors, or other exploits

Answer 21

Use of third-party libraries and software development kits (SDKs)

Question 22

When software does not adequately protect data it processes

Programmers need to include authorization, authentication, and encryption schemes in their product

Answer 22

Data exposure

Question 23

Non-profit security project focusing on improving security for online/web-based apps, mobile device apps, and IoT equipment

Answer 23

Open Web Application Security Project (OWASP)

Question 24

Software languages easier for people to learn for crafting software solutions

Must be converted to machine language

Answer 24

High-level languages

Question 25

Used to convert high-level language/human-readable source code into machine language or binary executable for execution

Answer 25

Compiler

Question 26

Shorthand for binary code/machine language

Answer 26

Binary

Question 27

Ensure specific series of steps or activities performed in correct order, ensuring consistency

Answer 27

Automated courses of action

Question 28

Requires all user be monitored equally, from moment of connection/entrance till disconnection/departure

When monitoring fails, all user activity should cease and admins notified

Continuous across all accounts, not just end users

Continuous across entire infrastructure

Answer 28

Continuous monitoring

Question 29

Ensuring integrity and validity of automation regularly

Repeating execution of flawed programs can reduce security

Answer 29

Continuous validation

Question 30

Ensuring automated tools, testing, and manual injection of security elements included throughout process of product development

Answer 30

Continuous integration

Question 31

As updates are made to scripts and code of automation, changes should be released to users/production (after testing and validation)

Answer 31

Continuous delivery

Question 32

Extension of continuous delivery, implementation of new code occurs automatically into production (after testing and validation)

Answer 32

Continuous deployment

Question 33

Ability of system to adapt to workload changes by allocation/de-allocation

Answer 33

Elasticity

Question 34

Ability for system to handle increasing level of work and expansion

Answer 34

Scalability

Question 35

Management of progress of changes in software code

Ensuring final versions of products are released

Enables back-tracking and roll-back capabilities

Answer 35

Version control