Welcome to Cyber is video Siris on the Company, a Security Plus certification and Exam. I'm your instructor, Rahm Warner.
In this video on security plus section 3.5,
I will summarize secure application development and deployment concepts
with an increasing number of companies welcoming the idea of developing their own APS in addition to person purchasing record numbers of ABS and incorporating open source code into their own software.
The risks and vulnerabilities associate ID have also arisen.
Security professionals need to be well versed on application security. Best practices.
That's what I'll be covering in this video.
The next few minutes we'll discuss the following topics on application security
development, lifecycle models, Secure Dev Ops, SEC Dev Ops
version control and change management. Provisioning and deep provisioning, secure coding techniques and coat quality and testing.
This is a large topic area that could easily be its own video. Siri's and certification.
You take additional time to review your study material and resource is
no amount of network hardening. Auditing or user training can compensate for bad programming.
Solid application security is essential to the long term survival of any organization
application. Security begins with secure coding and design,
which is then maintained over the life of the software through testing and patching.
There are two primary software development Life cycle or S. D. L C model she should be aware of for security, Plus,
the first is the waterfall model. This is the more traditional of the two
that walks through each phase one by one. Each step by itself starts with requirements gathering than design of the product
testing, verification, deployment and maintenance.
Each stage is completely self contained and completed in order.
Hopefully, you see there are challenges associated with it, especially waiting for testing until after development,
when it could be too late to fix major challenges. This has been solved with the agile method
agile works in cycles, with each cycle producing specific delivery. Bols. Each cycle has its own phase of requirements, design and test IQ. Much more modular, an approach.
It's also a type of rapid prototyping through repeated processes.
Methods for agile development includes scrum adaptive software development, crystal featured driven development, dynamic systems, development method, lean software development and extreme programming
rather than developers handing off buggy software to an I T. Group. It saying It's your problem now,
Dev ops developers working with operations asked developers to take responsibility for software all the way through production
secure. Dad Bob's takes that paradigm one step further to ensure that developers air using APP security testing to deliver software that it's free, or at least minimize, is the number of vulnerabilities
from Day one
from a Secure Dev Ops Perspective, software should be developed and maintained, so it's secure and resilient.
These concepts are built into secure development and operations, also known as DEV Ops,
where security is integrated into the developers operations, including their database design programming and how it works within the company's infrastructure,
it's incorporating security practices into the entire software delivery cycle.
It addresses security concerns at the beginning of projects where it's a lot quicker and easier to solve them.
And it provides added automated security testing techniques.
On your screen, you see other ideas associated with Secure Dev ops,
including continuous integration where security is every step
of the development, S. D. L. C.
Automating security through repeatable scripted tasks. Base lining as we've discussed in previous video where you have reference points that require completion and approval of said of predefined project requirements to prevent uncontrolled change
and reduce the number of vulnerabilities
immutable systems, meaning that no changing to the systems should be allowed. They maintain known, documented and repeatable configuration setting
and lastly, infrastructure as a code were I A C.
This is programmable infrastructure.
Infrastructure configuration is included with the application code.
You should refer to your own study material for more information on Secure Dev ops.
As a cyber security professional, you need to be aware of how code is compiled and run within operating systems.
They're two primary methods. One is compiled code, the other is run time,
and these are the methods for creating running excusable Could
compiled code uses a compiler program such a C or C plus plus,
while run time code uses an interpreter
so compiled versus interpreter. Code interpreted code.
Example is java or dot net
interpreted code tends to be faster
but less secure.
Another concept you need to know for security plus is change management and version control. These go hand in hand, and they control and manage software Changes needed for both quality and security
version control or source control. Prevents tampering or changing of the source code or execute a bles. Your source code should be be maintained in its own secure repositories.
Any changes to the production code needs to go through specific version control,
where you might have checks for security and quality.
Version control also tracks software life changes. Our application code changes so no changes are made by accident or surprise.
Version Control also uses distributed storage for codes such as Get get hub or subversion.
The benefits of having a robust change management and version control system is that there's historical data on changes to files, so you know who made what changes went.
Another benefit is branching and merging capabilities. You see a capability within an application you can branch it were merged them together to create a successful software package.
Lastly, traceability. You know who made what changes when, where and how.
Provisioning and d provisioning or two additional concepts you need to be aware of associating with applications security
provisioning is the creation or update of a resource.
De provisioning is the removal of the resource
provisioning in deep provisioning are part of the organizational lifecycle management and can affect any number of assets, software provisioning and deep provisions are generally automated processes in which the software packages air made available to computers and users through a self service portal.
Additionally, provisioning can be integrated with other technologies.
This is especially true for cloud based environments, benefits of provisioning and D provisioning, including the reduction of application environment processing time, an increase in developer productivity's improved capacity and significant cost savings.
Security must be implemented from the very beginning of the software development life cycle and be included with every phase in every step of application development.
In the early design phase, potential threats to the application must be identified and addressed.
Organizations must have must take into consideration ways to reduce the associated risks. Over the next few slides, I'll walk you through some secure coding techniques that you need to be familiar with and work with your application developers to make sure they are also familiar with these techniques.
These objectives can be accomplished in a variety of ways, such as threat modeling, mitigation, planning, analyzing potential vulnerabilities and attack vectors,
and secure coding within the application development life cycle.
The first consideration is authentication.
How does your application authenticate Neto authenticate toe a back end database
concept to remember is no hard coating any user. 80 your passwords user credentials into the code.
Also, be aware of how cookies are enabled within Web applications.
Proper error handling also needs to be a consideration.
Errors that are generated should be generic, not dive, old specific system or application information. Additionally, comments should not be made visible in the end user product
exception. Handling should log the air and provide the user with a standard message.
Input into applications is often in avenue into exploiting vulnerabilities associated with them.
Input validation tests whether an application properly handles input from a source outside the application that is destined for internal processing.
The most common result of improper input validation is buffer, overflow exploitation or cross site scripting
additional types of input. Validation Aires result in formats during in denial of service exploits,
and there should be a use of default values and character limitations for input Validation.
Normalization is the conversion of data to its anticipated simplest known form.
Applications often accept untrusted input strings and instead used techniques such as validation methods and input fit filtering.
These methods are based on strings character data and are similar to blacklisting, although they're not really sufficient for complete input, Validation and sanitation. Thes methods do provide some level of security
stored Procedures are most often associated with databases and database queries. Maybe a combination of pre compiled sequel statements stored in the database that executes some task
stored procedures can also be used for security by encapsulating certain logic and server side persistent modules
to increase security and reduce sequel injection vulnerabilities.
Data manipulation statements such a select and delete their sequel type statements selector Delete have to go through stored procedures before returning data.
This provides a safe use of sequel
code. Reuse its re using existing software modules, which can prove to be very efficient. The challenge with security is if those modules have not been tested prior to being put into use.
So therefore, reuse code should be validated for vulnerabilities.
Dead code is that code that no longer provides a useful function,
but there's still available within the application.
It should be removed.
Last lease, the idea and the use of third party libraries and software development kits.
I know where your source code is coming from On Li Yu's source code from a trusted location should also check for vulnerabilities associated with your third party, get libraries and software development cats
Code signing leverages a certificate based digital signature associated with the code.
The most common example of code signing his drivers.
For example, by default, Microsoft Operating system blocks the installation of unsigned drivers.
Code signing consists of signing executed bols using certificate based digital signatures. This is done to provide trustworthiness in the execute a ble code.
Another secure coding technique
is to limit the exposure of data. Any sensitive data should always be encrypted at rest in transit and what's being processed.
This is accomplished through encryption, using standard encryption algorithms, hashing and digital signatures.
I talking length about digital signature certificates, P k i in a different video.
Also leverage T. L s transport layer security. For that encryption over the network
could obvious cation and camouflage is a way of hiding the back end code. It's been used for a long time and interpreted languages.
This is often done by shortening function, invariable names and removing white space.
The best way to see the prevalence of this technique is the view the source code of a Web home page, such as Google
camouflage can predict software from reverse engineering.
Fake source code is created by modifying a piece of the original source code.
When an attacker analyzes the program, the attacker sees the fake code,
but the program executes the original one. It is run.
Use of these techniques can affect the functionality of the software programs,
so be aware how you're leveraging obfuscation and camouflage
memory management optimizes performance by assigning blocks of memory to various processes and programs.
It makes sure that sufficient memory is available for any current running program or process.
Memory management is used in all computing functions and plays an integral part in programming applications.
Programs are written to request blocks of memory, and the Allocator is used to assign that block to the program.
When the program no longer needs the data in the allocated
memory block, the blocks can then be reassigned.
Vulnerabilities may exploit and proper memory utilization
such as a both buffer overflow.
Suggestions for mitigating vulnerability, such as buffer overflows, include verifying that the buffer is on Leah's large as needed and as specified,
use input output control for data that is untrusted,
properly free allocated memory upon completion of the functions
and do not use known vulnerable functions.
Clearing sensitive information stored in memory to avoid unintentional, unintentional disclosure should also be included in memory management. Best practices.
The last concept associated with a secure coding. Our service side versus client side execution and validation
client side validations were enter. Data is validated by a script on the user's browser
before the form is sent to the servers. You validate at the end point that the data is true as opposed to server side validation, which occurs on the back end, say, Web server housing the application code.
This protects against malicious attempts by the user to bypass any input validation.
Be familiar with each of these secure coding methodologies and techniques.
The number one resource for understanding applications security. It's a wasp o W. A s p dot org's the open Web Applications Security project.
Every few years they public they published their top 10 Web application vulnerabilities.
They also provide great advice on how to exploit those vulnerabilities so you know how to protect it within your application source code.
I highly recommend checking out a wasp dot or GE for more information on applications security
in this video, I summarize secure application development and deployment concepts.
Let's practice on a few sample quiz questions.
Which of the following will be the most secure way to deploy a legacy application that requires a legacy operating system?
The answer is
a sand boxing
creates a separate environment for that application
Alice wants to reduce the probability of sequel injection attacks against the company's Web server.
What secure development measure would work best?
The answer is
be input validation the only answer,
which will prevent sequel injection by scrubbing the input.
This concludes the video for section 3.6 on secure development in deployment concept, view your study material form or information.