2.3 - Secure Application Development

Question 1

Define Sandboxing.

Answer 1

An isolated testing environment that has no connection to the real world or production system. It is a technological safe space.

It is used during the development process.

Question 2

List out the steps to building an application.

Answer 2

1) Development
- Secure Environment -Writing Code
- Developers test in their sandboxes
2) Test
3) Quality Assurance (QA)
- Verifies features are working as expected
- Validates new functionality
- Verifies old errors don’t reappear
4) Staging
- Works and feels exactly like the production
environment
- Run performance tests
5) Production

Question 3

What are some logistical challenges to deploying a new application for the onsite IT team and the users?

Answer 3

Users: New application to learn

IT: New Servers?, New Software, Restart or interrupt of service

Question 4

What are two measures you should take once the application is deployed? (Baseline)

Answer 4

Establish security baselines

Measure integrity for secure baselines

Question 5

What might you need to provision an application?

Answer 5

To deploy:
Web server, database server, middleware server, user workstation configurations, certificate updates, etc.

Application software security (OS and application)

Network Security:
Secure VLAN, internal access, external access

Question 6

Define Scalability.

Answer 6

The ability to increase the workload in a given infrastructure.

Question 7

Define Elasticity.

Answer 7

The ability to increase or decrease available resources as the work load changes.

Question 8

Define Orchestration.

Answer 8

The process of automating the tasks needed to manage connections and operations of workloads on private and public clouds.

Question 9

Define Deprovisioning.

Answer 9

Dismantling and removing an application instance.

Question 10

Define Provisioning.

Answer 10

Bringing up an application instance.

Question 11

Define Stored procedures.

Answer 11

Procedures that limit the client interactions with databases. This prevents users from being able to modify client requests.

Question 12

Define Obfuscation in terms of application development.

Answer 12

Taking readable code and turning it into a format that is not readable. This prevents the user from being able to probe the code for security holes.

Question 13

What are some cons of reusing code? (Code reuse)

Answer 13

The new code will exhibit the same security flaws as the old code.

Question 14

Define Dead Code.

Answer 14

Code that provides no functionality. It might run calculations that aren’t used.

Question 15

How can you ensure that all that you are receiving only expected input? (Input validation)

Answer 15

Document all input methods (forms, fields, type)

Check and correct all input (normalization)
- A zip code should only be X characters
- Fix any data with improper input

Question 16

Define Server-side validation.

Answer 16

When the user input is validated by the server after it is received by the browser. The safer validation.

Question 17

Define Client-side validation.

Answer 17

The end-user’s app makes the validation decisions.

Question 18

Which is safer, server-side validation or client-side validation?

Answer 18

Server-side validation

Question 19

What is a major consequence of improper memory management?

Answer 19

Buffer overflows are a security risk that can be manipulated by a bad actor.

Question 20

What is a major risk of using third-party libraries and SDKs?

Answer 20

You don’t know how secure it is. You don’t know the code base.

Question 21

How can you protect an application against data exposure?

Answer 21

Check all input and output processes for data exposure

Encryption when stored

Encryption across the network

Question 22

Define Version Control.

Answer 22

The practice of tracking and managing changes to software code. Keep information concerning versions safe.

Question 23

Define Software Diversity.

Answer 23

Evolving one program into a population of diverse programs that all provide similar services to users, but with a different code. This diversity of code enhances the protection of users against one single attack that could crash all programs at the same time.

Question 24

Define Continuous Integration (CI).

Answer 24

Code is constantly written and merged into the central repository many times a day.

Question 25

How can you secure an application during continuous integration?

Answer 25

1) Basic set of security checks during development
- Documented security baselines as the bare
minimum
2) Large- scale security analysis during the testing
phase

Question 26

Define Continuous deliver/ deployment (CD).

Answer 26

Continuous delivery
- Automate the testing process
- Automate the release process
- Click a button and deploy the application
Continuous deployment
- Even more automation
- Automatically deploy to production
- No human integration of manual checks