Key Concepts of 8.2 Identify and apply security controls in software ecosystems Flashcards
Domain 8
Java, C++, Python, C#
Security Concerns
– Inheritance and polymorphism: Misuse of inheritance and polymorphism can lead to
unexpected behavior and security vulnerabilities.
– Object lifetime management: Improper object lifetime management can result in
resource leaks and security risks.
– Class design: Poorly designed classes can create vulnerabilities, such as insecure
default constructors or access modifiers.
Object Oriented Languages
A blueprint or template for creating objects. It defines a set of attributes (data) and
methods (functions) that the objects will have. include properties, which are the characteristics or data that the object can have,
and methods, which are the functions or behaviors that the object can perform.
Class
a mechanism where a new class (called a subclass or child class) is created
based on an existing class (called a superclass or parent class). The subclass automatically
inherits attributes and methods from its parent, allowing for code reuse and the creation of
more specialized versions of the parent class.
Inheritance
allows objects of different types to be treated as objects of a common base
type. It enables a single interface to represent different underlying forms (data types or
classes). This means that a method or function can work with objects of multiple classes, as
long as they share a common interface or base class.
Polymorphism
C, Pascal, Fortran
– Memory management: Manual memory allocation and deallocation can lead to
buffer overflows and memory leaks.
– Pointer arithmetic: Incorrect pointer usage can result in access violations and
security vulnerabilities.
– Lack of type safety: Weak type checking can enable unintended code execution and
data corruption.
Compiled Languages
Python, JavaScript, PHP
Security concerns:
– Dynamic typing: Loose type checking can make it easier for attackers to exploit
vulnerabilities.
– Sandboxing: Insufficient sandboxing can allow scripts to execute with excessive
privileges.
– Cross-site scripting (XSS): Improperly sanitized user input can lead to XSS attacks.
Scripting Languages
Assembly language
– Direct hardware interaction: Direct access to hardware can introduce vulnerabilities
if not handled carefully.
– Manual memory management: As with procedural languages, manual memory
management can lead to buffer overflows and memory leaks.
– Complexity: Low-level languages can be more complex to write and maintain,
increasing the risk of errors and vulnerabilities.
Low-Level Languages
- Use of Static Analysis Tools: Tools that can detect common vulnerabilities in code before
deployment. - Regular Updates: Keeping languages, frameworks, and libraries up-to-date.
- Security Training: Educating developers on secure coding practices.
- Automated Testing: Including security testing in CI/CD pipelines.
- Least Privilege: Running applications with the least privileges necessary.
Mitigation Strategies for Programming languages
are reusable code components that developers can incorporate into their projects to
streamline development and enhance functionality. They offer significant benefits but they can also introduce security risks if not handled carefully
Libraries
- Git/GitHub/GitLab: These tools provide version control, which is fundamental for collaborative
development, allowing for distributed version control, issue tracking, code review,
continuous integration, and deployment pipelines. - Docker: Docker allows developers to package an application with all its dependencies into
a container, ensuring consistency across different environments. - Kubernetes (K8s): Kubernetes automates deployment, scaling, and management of
containerized applications, offering orchestration, load balancing, auto-scaling, and selfhealing
capabilities. - Jenkins: Jenkins is an open-source automation server used for building, testing, and
deploying through continuous integration and continuous delivery (CI/CD) pipelines. - Postman: Postman is a platform for API development and testing, offering tools for API
testing, documentation, mocking, and monitoring. - npm (Node Package Manager): npm is the package manager for JavaScript, handling
dependency management, package installation, and version control for Node.js modules. - Maven/Gradle: Maven and Gradle are build automation tools primarily for Java projects,
managing dependencies, defining build processes, and providing plugin ecosystems for
various build tasks. - Vagrant: Vagrant helps in creating and managing virtual development environments,
providing consistency across different systems, which is particularly useful for teams.
Examples of Software Development Tool Sets
provide specific types of functionality to facilitate application development,
testing, and functionality.
Tool sets
are software
applications that provide facilities for software development; writing the code. Examples Visual Studio Code (VS Code), Eclipse, PyCharm
independent development environment (IDE) or Integrated Development Environment
It’s a set of practices that automate the building, testing, and deployment of software.
The goal is to deliver high-quality software to users more frequently and reliably. It’s ubiquitous
in Agile development practices, which would include Scrum and SAFe practices.
Continuous Integration/Continuous Delivery (CI/CD)
is a development practice that requires developers to integrate code
into a shared repository several times a day. Each integration can then be verified by an
automated build and automated tests to detect errors quickly.
Continuous Integration (CI)
is an extension of continuous integration where you ensure that you can release new changes to your customers quickly. In it, you automatically build, test, and get
software release ready at any time.
Continuous Delivery (CD)
takes Continuous Delivery a step further by automatically deploying
every code change that passes all stages of the production pipeline. The tested and approved
code is automatically deployed to the production environment. There’s no manual approval
step before releasing to production. Only a failed test will prevent a new change from being
deployed to production
Continuous Deployment (CD)
- Access Control:
* Implement strong authentication mechanisms (e.g., multi-factor authentication)
* Use role-based access control (RBAC) to limit access to CI/CD tools and environments
* Regularly audit and review access permissions - Secrets Management:
* Securely store and manage sensitive information (e.g., API keys, passwords, certificates)
* Use dedicated secrets management tools or services
* Avoid hardcoding secrets in source code or configuration files - Code Security:
* Implement code review processes
* Use static code analysis tools to identify vulnerabilities
* Scan dependencies for known security issues (e.g., using Software Composition
Analysis (SCA) tools) - Build Environment Security:
* Use isolated and ephemeral build environments
* Ensure build environments are regularly updated and patched
* Implement network segmentation to isolate build environments - Artifact Integrity:
* Sign and verify artifacts (e.g., container images, binaries)
* Implement checksums or hash verification
* Use trusted registries for storing and distributing artifacts - Infrastructure and Container Security
* Scan VM templates for misconfigurations and security issues
* Scan container images for vulnerabilities
* Use minimal base images to reduce attack surface
* Implement runtime container security measures - Pipeline Configuration Security:
* Version control CI/CD pipeline configurations
* Implement approval processes for pipeline changes
* Regularly audit pipeline configurations for security issues - Testing and Validation:
* Include security testing in the CI/CD pipeline (e.g., SAST, DAST, IAST)
* Perform regular penetration testing of the CI/CD infrastructure
* Validate the integrity of deployed artifacts in production
Security Considerations for CI/CD
is a process for maintaining the integrity, consistency,
and security of software across an organization. It is essentially about managing how
software versions are used and updated within an organization. It ensures that all changes to
software configurations are systematic, controlled, and well-documented.
Software Configuration Management (SCM)
are centralized platforms where developers store, manage, and collaborate
on source code, usually based on Git, a popular distributed version control system for hosting
source code. Examples of Git hosting solutions include GitHub, BitBucket, and GitLab.
Code Repositories
Version Control
Collaboration Tools
Integration
Code Repositories Services
Analyzes source code or compiled code for security vulnerabilities without executing the application. It is performed early in the
development process and can identify issues such as code injection, buffer overflows, and
weak cryptography. It requires source code access.
Static Application Security Testing (SAST)
Analyzes a running application by interacting with it through its interfaces and trying to identify security vulnerabilities. IT
is performed later in the development process and can identify issues by simulating real world attacks on a running application such as cross-site scripting (XSS), SQL injection,
and insecure configurations.It does not require source code access.
Dynamic Application Security Testing (DAST)
Combines elements of SAST and DAST by instrumenting the application with sensors that monitor its behavior during manual
or automated testing. It provides real-time feedback on security vulnerabilities as the
application is being tested.
Interactive Application Security Testing (IAST)
Identifies and analyzes the open-source and
third-party components used in a software application for known vulnerabilities and
licensing issues.
Software Composition Analysis (SCA)
