2.3 Summarize secure application development, deployment, and automation concepts
Software Diversity
Alternative compiler paths would result in a different binary each time, An attack against different binaries would only be successful on a fraction of the users
Continuous delivery (CD)
Automate the testing, Automate the release, click a button and deploy the application
Orchestration
Automation is key to cloud computing, Entire application instances can be instantly provisioned, Instances can move around the world as needed, The security policies should be part of the orchestration
Continuous Integration (CI)
Code is constantly written, So many chances for security problems, Basic set of security checks during development, Large-scale security analysis during the testing phase
Provisioning
Deploy an application, Application software security, Network security, Software deployed to workstations.
Building the application
Development - Secure environment, writing code. Test - Still in development stage, all pieces are put together, does it all work?
Deprovisioning
Dismantling and removing an application instance, Security deprovisioning is important, Firewall policies must be reverted
Sandboxing
Isolated testing environment, Use during the development process, Incremental development
Using the Application
Production - Application is live and rolled out to the user community, A challenging step, Logistical challenges.
Third-party libraries and SDKs
Third-party libraries and software development kits, Security risk, balancing act
Code reuse
Use old code to build new applications, If the old code has security vulnerabilities, reusing the code spreads it to other applications
Secure coding concepts
A balance between time and quality, testing, testing, testing, vulnerabilities will eventually be found
Exploiting an application
Attackers often exploit application vulnerabilities, Once you exploit one binary, you can exploit them all
Memory Management
As a developer, you must be mindful of how memory is used, Never trust data input, Buffer overflows are a huge security risk, Some built-in functions are insecure
Dead Code
Calculations are made, code is executed, results are tallied, the results aren't used anywhere else in the application, All code is an opportunity for a security problem
Version Control
Create a file, make a change, make another change, and another change, Commonly used in software development, Useful for security
Continuous deployment (CD)
Even more automation, Automatically deploy to production, No human integration or manual checks
Elasticity
Increase or decrease available resources as the workload changes, Deploy multiple application instances to handle 500,000 transactions per second
Automation and scripting
Plan for change, automated course of action, Continuous monitoring, Configuration validation
Verifying the application
Quality Assurance (QA) - verifies features, and old errors don't appear, validates new functionality. Staging - Almost ready to roll out, works and feels like production environment, run performance tests
Stored procedures
SQL databases, Client requests can be complex, Stored procedures limit the client interactions, To be really secure, use only stored procedures
Validation points
Server-side validation, Client-side validation, Use both - but especially server-side validation
Data exposure
So much sensitive data, How is the application handling the data, All input and output processes are important
Scalability
The ability to increase the workload in a given infrastructure, Build an application instance that can handle 100,000 transactions per second
Secure baselines
The security of an application environment should be well defined, integrity measurements check for the secure baseline
Obfuscation/Camouflage
To make something normally understandable very difficult to understand, Take perfectly readable code and turn it into nonsense, Helps prevent the search for security holes.
Input validation
What is the expected input, document all input methods, check and correct all input (normalization), The fuzzers will find what you missed