2.3 Summarize secure application development, deployment, and automation conpcepts. Flashcards
This must be configured and segmented to properly implement staging. This often requires at least four main network divisions: development, test, staging, and production.
Secure IT environment.
Where new software code is being crafted by on-staff programmers and developers. For some organizations, this might also be where custom-built hardware is being created.
Development (Environment)
An essential part to the security requirements of every modern organization. A key element of a software development program is this and code review.
Test (Environment)
Where new equipment or code, whether developed in-house or obtained from external vendors, is configured to be in compliance with the company’s security policy and configuration baseline. Once a system or software goes through this process, it can be moved to the test network for evaluation. After the system has passed evaluation, it can be deployed into the production network.
Staging (Environment)
The network where the everyday business tasks and work processes are accomplished. It is also known as the operations network. It should only be operating on equipment and systems that have been properly staged and tested.
Production (Environment)
An evaluation process employed by many organizations to ensure that newly integrated hardware and software do not reduce performance or efficiency nor introduce any unexpected security issues.
Quality Assurance (Environment)
A new IT movement in which many elements and functions of IT management are being integrated into a single automated solution. It typically consists of IT development, operations, security, and quality assurance.
Secure DevOps
Used to ensure that sufficient resources are available to support and maintain a system, software, or solution. Also known as preallocation.
Provisioning
Can focus on streamlining and fine-tuning resource allocation to existing systems for a more efficient distribution of resources.
Deprovisioning
Accomplished through the cryptographic concept of hashing.
Integrity measurement
Those efforts designed to implement security into software as it’s being developed.
Secure coding concepts/ techniques
A database programming and management technique used to reduce redundancy.
Normalization (secure coding)
A subroutine or software module that can be called upon or accessed by applications interacting with an RDBMS.
Stored procedures (secure coding)
The coding practice of crafting code specifically to be difficult for other programmers to decipher.
Obfuscation/ camouflage (secure coding)
The inclusion of preexisting code in a new program. It can be a way to quicken the development process.
Code reuse (secure coding)
Dead code is any section of software that is executed but the output or result of the execution is not used by any other process.
Dead code (secure coding)
Suited for protecting a system against input submitted by a malicious user. It should include a check for input length, a filter for known scriptable or malicious content (such as SQL commands or script calls), and a metacharacter filter.
Server-side validation (secure coding)
Focuses on providing better responses or feedback to the typical user. It can be used to indicate whether input meets certain requirements, such as length, value, content, and so on.
Client-side validation (secure coding)
Includes software management techniques such as preallocating memory buffers but also limiting the input sent to those buffers. Including input limit checks is part of secure coding practices.
Memory management (secure coding)
Essential tools for a programmer that allows them to use preexisting code can allow programmers to focus on their custom code and logic.
Third-party libraries and SDKs (secure coding)
When software does not adequately protect the data it processes. Programmers need to include authorization, authentication, and encryption schemes in their products to protect against this.
Data exposure (secure coding)
A nonprofit security project focusing on improving security for online or web-based applications, mobile device applications, and IoT equipment.
Open Web Application Security Project (OWASP)
The use of several high-level languages more similar to human languages that aid people in the crafting of new software.
Software diversity
Used to convert a high-level language or human-readable source code into machine language or binary executable code for execution.
Compiler
