2.3 Application Development, Deployment, & Automation Flashcards
the process of designing, building, and implementing software applications. It can be done by massive organizations with large teams working on projects, or by a single freelance developer.
• Your programming team has been working on a new application
– How will you deploy it safely and reliably?
• Patch Tuesday
– Test and deploy Wednesday? Thursday? Friday?
• Manage the process
– Safely move from a non-production phase to full production
Development
an isolated testing environment that enables users to run programs or open files without affecting the application, system or platform on which they run. Software developers use [this] to test new programming code. Cybersecurity professionals use [this] to test potentially malicious software.
• Isolated testing environment
– No connection to the real world or production system
– A technological safe space
• Use during the development process
– Try some code, break some code, nobody gets hurt
• Incremental development
– Helps build the application
Sandboxing
the process that converts files and other assets under the developers' responsibility into a software product in its final or consumable form. [This] may include: compiling source files. packaging compiled files into compressed formats (such as jar, zip) • Development – Secure environment – Writing code – Developers test in their sandboxes • Test – Still in the development stage – All of the pieces are put together – Does it all work? – Functional tests
Building the application
the process for determining whether or not a product fulfills the requirements or specifications established for it. [this] is the assessment of a planned or delivered system to meet the sponsor's operational need in the most realistic environment achievable. • Quality Assurance (QA)* – Verifies features are working as expected – Validates new functionality – Verifies old errors don’t reappear • Staging* – Almost ready to roll it out – Works and feels exactly like the production environment – Working with a copy of production data – Run performance tests – Test usability and features
Verifying the application
the final environment in your software development process. It is the work that is ready to be publicly available, and only the most thoroughly tested code should end up here. • Production – Application is live – Rolled out to the user community • A challenging step – Impacts the users • Logistical challenges – New servers – New software – Restart or interrupt of service
Using the application
the process of setting up the common, minimum requirements of an enterprise. This could be for a group of computers or all the computers in the network. When a new computer is added to the domain, the common minimum requirements are installed and applied automatically.
• The security of an application environment should
be well defined
– All application instances must follow this baseline
– Firewall settings, patch levels, OS file versions
– May require constant updates
• Integrity measurements* check for the secure baseline
– These should be performed often
– Check against well-documented baselines
– Failure requires an immediate correction
Secure baselines
automatically creating user identities and roles for applications for access
• Deploy an application
– Web server, database server, middleware server, user
workstation configurations, certificate updates, etc.
• Application software security
– Operating system, application
• Network security
– Secure VLAN, internal access, external access
• Software deployed to workstations
– Check executables for malicious code, verify security
posture of the workstation
Provisioning
[This(a)] is the ability of the system to accommodate larger loads just by adding resources either making hardware stronger (scale up) or adding additional nodes (scale out). [this(b)] is the ability to fit the resources needed to cope with loads dynamically usually in relation to scale out.
• Handle application workload
– Adapt to dynamic changes
• [This(a)]
– The ability to increase the workload in a
given infrastructure
– Build an application instance that can handle
– 100,000 transactions per second
• [this(b)]
– Increase or decrease available resources as the
workload changes
– Deploy multiple application instances to handle
– 500,000 transactions per second
Scalability and elasticity
the automated configuration, management, and coordination of computer systems, applications, and services.
• Automation is the key to cloud computing
– Services appear and disappear automatically,
or at the push of a button
• Entire application instances can be instantly provisioned
– All servers, networks, switches, firewalls, and policies
• Instances can move around the world as needed
– Follow the sun
• The security policies should be part of the [this]
– As applications are provisioned, the proper security is
automatically included
Orchestration
the process of removing user access to software and network services.
• Dismantling and removing an application instance
– All good things
• Security [this] is important
– Don’t leave open holes, don’t close important ones
• Firewall policies must be reverted
– If the application is gone, so is the access
• What happens to the data?
– Don’t leave information out there
Deprovisioning
a set of practices that applies security considerations to how software will be coded and encrypted to best defend against cyber attack or vulnerabilities.
• A balance between time and quality
– Programming with security in mind is often secondary
• Testing, testing, testing
– The Quality Assurance (QA) process
• Vulnerabilities will eventually be found
– And exploited
Secure coding concepts
• SQL databases
– Client sends detailed requests for data
– ‘SELECT * FROM wp_options WHERE option_id = 1’
• Client requests can be complex
– And sometimes modified by the user
– This would not be good
• [this] limit the client interactions
– ‘CALL get_options’
– That’s it. No modifications to the query are possible.
• To be really secure, use only stored procedures
– The application doesn’t use any SQL queries
Stored procedures
part of secure coding techniques
an umbrella term for a variety of processes that transform data into another form in order to protect sensitive information or personal data.
• [this]
– Make something normally understandable very
difficult to understand
• Take perfectly readable code and turn it into nonsense
– The developer keeps the readable code and gives you
the chicken scratch
– Both sets of code perform exactly the same way
• Helps prevent the search for security holes
– Makes it more difficult to figure out
what’s happening - But not impossible
Obfuscation/camouflage
[this(a)] the practice of using existing code for a new function or software. But in order to reuse code, that code needs to be high-quality. And that means it should be safe, secure, and reliable.
[this(b)] a section in the source code of a program which is executed but whose result is never used in any other computation. The execution of dead code wastes computation time and memory.
• [this(a)]
– Use old code to build new applications
– Copy and paste
• If the old code has security vulnerabilities, reusing
the code spreads it to other applications
– You’re making this much more difficult for everyone
• [this(b)]
– Calculations are made, code is executed,
results are tallied
– The results aren’t used anywhere else in the
application
• All code is an opportunity for a security problem
– Make sure your code is as alive as possible
Code reuse/dead code
this is the proper testing of any input supplied by a user or application. Input validation prevents improperly formed data from entering an information system.
• What is the expected input?
– Validate actual vs. expected
• Document all input methods
– Forms, fields, type
• Check and correct all input (normalization*)
– A zip code should be only X characters long with a
letter in the X column
– Fix any data with improper input
• The fuzzers will find what you missed
– Don’t give them an opening
Input validation
