Summarize secure application development, deployment, and automation concepts Flashcards
(35 cards)
Requires at least four main network divisions: development, test, staging, production
Environment
Network where new software code is being crafted. Fully isolated from other network divisions
Development
Typical SDLC includes these phases
Initiation, preliminary analysis
Systems analysis, requirements definition
Systems design
Development
Integration and testing
Acceptance, installation, deployment
Maintenance
Evaluation
Revise, replace, retire
Where new equipment/code is configured to be in compliance w/ security policy and configuration baseline
Staging
Evaluates software security by evaluating source code or compiled application w/o execution
Can be conducted manually or using tools
Static testing
Executes code in constrained environment
Fuzz testing/fuzzing
Use of various inputs to stress test code, w/goal of finding input causing abnormal/insecure responses
Dynamic testing
Where business functions take place, also known as operations network
Production
Evaluation process employed by many orgs to ensure newly integrated hardware/software do not reduce performance/security
Quality assurance (QA)
It is preallocation
Assignment of resources to new function or task prior to initiation
Provisioning
Two primary elements:
Focus on streamlining and fine-tuning resource allocation to existing systems
Decommissioning of servers
Deprovisioning
Accomplished through hashing
Known trusted versions of code should have est. identity/origin hash
Integrity measurement
Code signing
Crafting a digital signature of software program for non-repudiation
Secure coding techniques
Programming and mgt technique to reduce redundancy, often related to DB mgt
Can also implement standardization
Normalization
Subroutine/software module called on by apps interacting with a relational DB mgt system (RDBMS)
Stored procedures
Crafting code specifically to be difficult to decipher
Obfuscation/camouflage
Inclusion of preexisting code, care must be taken
Code reuse
Section of software executed, but output/result is not used by any processes
Dead code
Suited for protecting a system against input submitted by malicious user
Server-side data validation
Focus on providing better responses/feedback to typical user
Can be used to indicate whether input meets requirements
Client-side validation
Software should preallocate memory but also limit input sent to those buffers
Memory management
Using preexisting code so programmers can focus on custom code and logic
Precrafted code can include flaws, backdoors, or other exploits
Use of third-party libraries and software development kits (SDKs)
When software does not adequately protect data it processes
Programmers need to include authorization, authentication, and encryption schemes in their product
Data exposure
Non-profit security project focusing on improving security for online/web-based apps, mobile device apps, and IoT equipment
Open Web Application Security Project (OWASP)
Software languages easier for people to learn for crafting software solutions
Must be converted to machine language
High-level languages