2.3 Summarize secure application development, deployment, and automation concepts

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Software Diversity

Alternative complier paths would result in a different binary each time, An attack against different binaries would only be successful on a fraction of the users

Continuous delivery (CD)

Automate the testing, Automate the release, click a button and deploy the application

Orchestration

Automation is key to cloud computing, Entire application instances can be instantly provisioned, Instances can move around the world as needed, The security policies should be part of the orchestration

Continuous Integration (CI)

Code is constantly written, So many chances for security problems, Basic set of security checks during development, Large-scale security analysis during the testing phase

Provisioning

Deploy an application, Application software security, Network security, Software deployed to workstations.

Building the application

Development - Secure environment, writing code. Test - Still in development stage, all pieces are put together, does it all work?

Deprovisioning

Dismantling and removing an application instance, Security deprovisioning is important, Firewall policies must be reverted

Sandboxing

Isolated testing environment, Use during the development process, Incremental development

Using the Application

Production - Application is live and rolled out to the user community, A challenging step, Logistical challenges.

Third-party libraries and SDKs

Third-party libraries and software development kits, Security risk, balancing act

Code reuse

Use old code to build new applications, If the old code has security vulnerabilities, reusing the code spreads it to other applications

Secure coding concepts

A balance between time and quality, testing, testing, testing, vulnerabilities will eventually be found

Exploiting an application

Attackers often exploit application vulnerabilities, Once you exploit one binary, you can exploit them all

Memory Management

As a developer, you must be mindful of how memory is used, Never trust data input, Buffer overflows are a huge security risk, Some built-in functions are insecure

Dead Code

Calculations are made, code is executed, results are tallied, the results aren't used anywhere else in the application, All code is an opportunity for a security problem

Version Control

Create a file, make a change, make another change, and another change, Commonly used in software development, Useful for security

Continuous deployment (CD)

Even more automation, Automatically deploy to production, No human integration or manual checks

Elasticity

Increase or decrease available resources as the workload changes, Deploy multiple application instances to handle 500,000 transactions per second

Automation and scripting

Plan for change, automated course of action, Continuous monitoring, Configuration validation

Verifying the application

Quality Assurance (QA) - verifies features, and old errors don't appear, validates new functionality. Staging - Almost ready to roll out, works and feels like production environment, run performance tests

Stored procedures

SQL databases, Client requests can be complex, Stored procedures limit the client interactions, To be really secure, use only stored procedures

Validation points

Server-side validation, Client-side validation, Use both - but especially server-side validation

Data exposure

So much sensitive data, How is the application handling the data, All input and output processes are important

Scalability

The ability to increase the workload in a given infrastructure, Build an application instance that can handle 100,000 transactions per second

Secure baselines

The security of an application environment should be well defined, integrity measurements check for the secure baseline

Obfuscation/Camouflage

To make something normally understandable very difficult to understand, Take perfectly readable code and turn it into nonsense, Helps prevent the search for security holes.

Input validation

What is the expected input, document all input methods, check and correct all input (normalization), The fuzzers will find what you missed


Ensembles d'études connexes

Quiz 1 Male/Female Reproductive System/Disorder

View Set