2.3 Summarize secure application development, deployment, and automation concepts. Flashcards
Summarize a DEVELOPMENT environment
A development environment must be defined with a huge number of very specific requirements and goals and then fulfill them on a timely basis. The result of these requirements and goals often manifests as a baseline.
Summarize a TEST environment
Once an application has been written, or at least a functional part of the application is complete, it’s time to move out of development and into testing, also often called debugging. At this stage, the application is tested for code quality—proper logic, efficiency, and response time. Testing is also the perfect place to verify security.
Summarize a STAGING environment
Staging moves the code from the developers’ computers onto servers, bringing the product closer to deployment, but with controls to do critical testing. Staging often employs sandboxing, the use of virtual machines (VMs) to enable aggressive testing of the application without risking any problems with the rest of the network.
Summarize a PRODUCTION environment
There’s a point where the testing is done and it’s time to pull the trigger and get that Web application online and running. This is where all the security issues discussed in this book come into play, such as firewalls, DMZs, load balancing, and intrusion detection/prevention.
Summarize a QUALITY ASSURANCE (QA) environment
Quality assurance (QA) defines the processes used to ensure that the production code meets customer requirements while staying as close to error-free as possible. Two items to note here. First, although quality assurance is at the end of the five-part application development process, it’s really everywhere in the process. A good QA program includes user training, test standards, and good organization of quality testing personnel and processes.
Summarize PROVISIONING AND DEPROVISIONING
The process of moving an application from the development environment to the production environment is called PROVISIONING.
The process of removing an application from the production environment is called DEPROVISIONING.
Summarize INTEGRITY MEASUREMENT
Integrity measurement shows the honesty, morality, and quality of the application.
Summarize SECURE CODING TECHNIQUES
Whether the platform is client side or server side, good development practices require thinking about security from the moment the application is first considered. The CompTIA Security+ exam objectives mention several specific secure coding techniques, all of which are well known and commonly used on all Web applications.
Summarize NORMALIZATION
Normalization is a database term meaning to store and organize data so that it exists in one form only. Failure to normalize exposes databases to excess size, potential logic errors, and overall inefficiency.
Summarize STORED PROCEDURES
Stored procedures harden Web apps. A stored procedure is a piece of code, custom written by the developers of the app and stored in the database. These stored procedures only respond to a specific query format defined by the developer. Stored procedures make it much harder for bad actors to use common SQL queries to access a database.
Summarize OBFUSCATION/CAMOUFLAGE
There are ways to obfuscate or camouflage code so that it’s extremely difficult to read.
Summarize CODE REUSE
Reusing someone else’s code—code reuse—adds security, saves money, and reduces development time. The downside to code reuse is that bad actors know that Web apps rely on it. These libraries must run in memory to work for the app. Bad actors know they’re running, try to get access to this code, and can cause lots of trouble if they succeed.
Summarize SERVER-SIDE VS. CLIENT-SIDE EXECUTION AND VALIDATION
In classic server-side applications, the code executes on the server and the server handles most, if not all, validation. As you might guess, client-side applications execute code on the client and the client has to handle the validation. Look for a question on the exam that asks about server-side versus client-side execution and validation. This essentially asks which machine is doing the work.
Summarize MEMORY MANAGEMENT
Web apps are programs, and programs must run in either the server’s or the client’s memory. Many attacks—buffer overflow and code reuse, for example—work by accessing a system’s memory in some unauthorized fashion. The CompTIA Security+ exam objectives mention memory management as a secure coding technique, but it’s part of the discussion of specific attacks.
Summarize USE OF THIRD-PARTY LIBRARIES AND SOFTWARE DEVELOPMENT KITS (SDKs)
A software development kit (SDK) is a combination of documentation, tutorials, a development environment, and premade code (known as libraries) for common tasks and for interfacing with other software via an application programming interface (API). SDKs come with licensing (proprietary or free) and you cannot mix license types. This isn’t that big of a problem if you stick to libraries provided by the SDK. It can be a huge issue if you decide to use third-party libraries.