Summarize secure application development, deployment, and automation concepts Flashcards
Requires at least four main network divisions: development, test, staging, production
Environment
Network where new software code is being crafted. Fully isolated from other network divisions
Development
Typical SDLC includes these phases
Initiation preliminary analysis
Systems analysis, requirements definition
Systems design
Development
Integration and testing
Acceptance, installation, deployment
Maintenance
Evaluation
Revise, replace, retire
Where new equipment/code is configured to be in compliance w/security policy and configuration baseline
Staging
Evaluates software security by evaluating source code or compiled application w/o execution
Can be conducted manually or using tools
Static testing
Executes code in constrained environment
Fuzz testing/fuzzing
Use of various inputs to stress test code, w/goal of finding input causing abnormal/insecure responses
Dynamic testing
Where business functions take place, also known as operations network
Production
Evaluation process employed by many orgs to ensure newly integrated hardware/software do not reduce performance/security
Quality assurance (QA)
It is preallocation
Assignment of resources to new function or task prior to initiation
Provisioning
Two primary elements:
Focus on streamlining and fine-tuning resource allocation to existing systems
Decommissioning of servers
Deprovisioning
Accomplished through hashing
Known trusted versions of code should have est. identity/origin hash
Integrity measurement
Code signing
Crafting a digital signature of software program for non-repudiation
Secure coding techniques
Programming and mgt technique to reduce redundancy, often related to DB mgt
Can also implement standardization
Normalization
Subroutine/software module called on by apps interacting with a relational DB mgt system (RDBMS)
Stored procedures
Crafting code specifically to be difficult to decipher
Obfuscation/camouflage
Inclusion of preexisting code, care must be taken
Code reuse
Section of software executed, but output/result is not used by any processes
Dead code
Suited for protecting a system against input submitted by malicious user
Server-side data validation
Focus on providing better responses/feedback to typical user
Can be used to indicate whether input meets requirements
Client-side validation
Software should preallocate memory but also limit input sent to those buffers
Memory management
Using preexisting code so programmers can focus on custom code and logic
Precrafted code can include flaws, backdoors, or other exploits
Use of third-party libraries and software development kits (SDKs)
When software does not adequately protect data it processes
Programmers need to include authorization, authentication, and encryption schemes in their product
Data exposure
Non-profit security project focusing on improving security for online/web-based apps, mobile device apps, and IoT equipment
Open Web Application Security Project (OWASP)
Software languages easier for people to learn for crafting software solutions
Must be converted to machine language
High-level languages
Used to convert high-level language/human-readable source code into machine language or binary executable for execution
Compiler
Shorthand for binary code/machine language
Binary
Ensure specific series of steps or activities performed in correct order, ensuring consistency
Automated courses of action
Requires all users be monitored equally, from moment of connection/entrance till disconnection/departure
When monitoring fails, all user activity should cease and admins notified
Continuous across all accounts, not just end users
Continuous across entire infrastructure
Continuous monitoring
Ensuring integrity and validity of automation regularly
Repeating execution of flawed programs can reduce security
Continuous validation
Ensuring automated tools, testing, and manual injection of security elements included throughout process of product development
Continuous integration
As updates are made to scripts and code of automation, changes should be released to users/production (after testing and validation)
Continuous delivery
Extension of continuous delivery, implementation of new code occurs automatically into production (after testing and validation)
Continuous deployment
Ability of system to adapt to workload changes by allocation/de-allocation
Elasticity
Ability for system to handle increasing level of work and expansion
Scalability
Management of progress of changes in software code
Ensuring final versions of products are released
Enables back-tracking and roll-back capabilities
Version control