Certified Cybersecurity Technician Application Security PDF
Summary
This document covers the secure application development environment (the five-tier development, testing, staging, production and quality assurance lifecycle), secure baselines and integrity measurement, and resiliency and automation strategies such as continuous integration, delivery, deployment, monitoring and validation. The aim is to prevent vulnerabilities from being introduced or propagated during development, deployment and automation.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Application Security

Module Flow
- Understand Secure Application Design and Architecture
- Understand Secure Application, Development, Deployment, and Automation
- Understand Software Security Standards, Models, and Frameworks
- Understand Application Security Testing Techniques and Tools

Understand Secure Application, Development, Deployment, and Automation

Most organizations concentrate on automation for the development and deployment of an application to cut superfluous operating costs. Although automation makes building and shipping software faster and more efficient, it can also degrade the application's security and performance if proper security baselining is not followed, because any flaw in the automated process is reproduced in every build and deployment. A security analyst should follow development lifecycle models and techniques to prevent unknown vulnerabilities and backdoors in the application. This section discusses secure application development, deployment, and automation.

Module 09 Page 1181 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Secure Application Development Environment

A secure application development environment is a protected environment in which the strategies for an application are implemented from its design through deployment and maintenance. The secure application development lifecycle has a five-tier architecture. It begins with development, testing, and staging, following which it moves into the production and quality assurance (QA) levels, thereby ensuring the overall efficiency and integrity of the software or application. The five tiers of the secure application development lifecycle are described below.

Figure 9.9: Secure application development lifecycle (Development, Testing, Staging, Production, Quality Assurance (QA))

- Development: The program is built and tested in this phase to guarantee that the application or software runs according to the given piece of code. Subsequently, the program is transferred to the next environment for additional enhancements. In the development phase, developers define change and version controls to keep track of any changes to the application program.
- Testing: The program is tested during the development and staging processes to guarantee that the application or software accomplishes the given tasks without any complications. In this phase, testers receive the application code from the various developers and scan it to identify any bugs or errors.
- Staging: After testing is performed in the development phase, the program is tested again in the staging phase to ensure the stability of the application. Staging is a production-like copy of the environment, so it is the last chance to catch problems that did not show up in the testing environment. Once the program has passed in this environment, it is transferred to the production phase.
- Production: Once the code has been successfully tested in the development and staging phases, the application is deployed to the live environment to allow access to end users. This stage provides everything required to run the application.
- Quality Assurance (QA): In this phase, the application's performance is monitored, and its quality is evaluated on the end users' network. Testers perform quality checks on the deployed software to determine whether end users face any issue in accessing the application.

Secure Baseline

A secure baseline defines how the application should operate in the live environment. The baseline should be established from a standard setup: the firewall and operating-system installations, and the patches applied to them, need to be configured appropriately to secure the application, and that known-good configuration is what gets recorded as the baseline. When patches are released, the baseline should be updated to reflect the changes to the operating system, so that an approved patch is not later reported as unauthorized drift.

Integrity Measurement

After a secure baseline has been created, testers examine the application against the new baseline. They verify that every application component still matches the baseline, which confirms the integrity of the application. Any component that deviates from the baseline is either an approved change that needs to be re-baselined or an unexpected modification that must be investigated.
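The secure baseline and integrity measurement steps above can be mechanized as a hash manifest: the manifest is recorded from the approved setup and the running host is later measured against it. The following is an added example, not EC-Council course material. The file paths and contents are constructed in memory to stand in for a deployed host, and the approved-patch re-baselining routine is this example's own design:

```python
"""Integrity measurement of a deployed application against a secure baseline.

Added example (not EC-Council course material). The "files" below are a
constructed in-memory map of path -> bytes standing in for a deployed host.
On a real system you would read the files from disk and keep the baseline
manifest signed and stored off the host, so that an attacker who alters a
file cannot also alter the baseline it is measured against.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample: the approved build exactly as it was deployed (the secure baseline).
BASELINE_FILES: Dict[str, bytes] = {
    "/opt/app/bin/app": b"ELF...approved-build-1.4.2",
    "/opt/app/conf/app.ini": b"[server]\nport=8443\ndebug=false\n",
    "/etc/firewalld/zones/app.xml": b'<zone><port port="8443" protocol="tcp"/></zone>\n',
    "/usr/lib/libssl.so.3": b"ELF...openssl-3.0.13",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every component that makes up the standard setup."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def measure_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a running host with the baseline.

    Returns the components whose content changed, the components that were
    removed, and the components that appeared without being in the baseline.
    """
    current_hashes = build_baseline(current)
    modified = [p for p, h in baseline.items() if p in current_hashes and current_hashes[p] != h]
    missing = [p for p in baseline if p not in current_hashes]
    unexpected = [p for p in current_hashes if p not in baseline]
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def baseline_holds(report: Dict[str, List[str]]) -> bool:
    """True when the host matches the baseline in every respect."""
    return not any(report.values())


def apply_approved_patch(baseline: Dict[str, str], patched: Dict[str, bytes]) -> Dict[str, str]:
    """Re-baseline after an approved patch: only the patched components are re-recorded.

    The new hashes come from the vetted patch payload, never from whatever is
    currently on the host, so an already-tampered file cannot be "approved" by accident.
    """
    updated = dict(baseline)
    for path, content in patched.items():
        updated[path] = sha256_hex(content)
    return updated


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)

    # 1. A host that matches the baseline exactly.
    print(measure_integrity(baseline, BASELINE_FILES))

    # 2. A tampered host: debug switched on, firewall opened, an extra binary dropped in.
    tampered = dict(BASELINE_FILES)
    tampered["/opt/app/conf/app.ini"] = b"[server]\nport=8443\ndebug=true\n"
    tampered["/etc/firewalld/zones/app.xml"] = b'<zone><port port="22" protocol="tcp"/></zone>\n'
    tampered["/opt/app/bin/helper"] = b"ELF...not-from-the-build"
    print(json.dumps(measure_integrity(baseline, tampered), indent=2))

    # 3. An approved OpenSSL patch: flagged against the old baseline, clean against the updated one.
    patch = {"/usr/lib/libssl.so.3": b"ELF...openssl-3.0.14"}
    new_baseline = apply_approved_patch(baseline, patch)
    patched_host = {**BASELINE_FILES, **patch}
    print(measure_integrity(baseline, patched_host))
    print(measure_integrity(new_baseline, patched_host))
```

The three report lists map onto what an analyst has to do: a modified or missing component is drift to investigate, an unexpected one is something the build never shipped, and the only legitimate way to make a difference disappear is to re-baseline from an approved patch payload rather than from the host itself.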
Resiliency and Automation Strategies

Systems that can be restored to their usual operating conditions after an interruption or outage are known as resilient systems. The risks associated with a system are reduced when it is resilient to attacks. The resiliency of systems can be improved by adopting a proper configuration, by using methods such as snapshots, by strengthening the ability to return to the original (known-good) state, and by implementing fault tolerance and redundancy. Automation can also be used to make systems, applications, or networks resilient through continuous operations that boost efficiency and ensure accuracy while deploying software and running scripts or commands. The following are the different areas where automation is involved.

Continuous integration: It is a practice followed in software development wherein programmers frequently integrate their work into a shared code base, typically through automation. Each integration is validated by an automated build that runs all the automated tests, so that integration errors or bugs are discovered as early as possible.

Continuous delivery: It is a continuous operation performed after the integration process completes, and it allows software development teams to automate the build and testing processes in the software development lifecycle. The secure staging process is performed in this phase. Provisioning an integrated toolset offers many advantages, the major ones being the following:
o Minimization of deployment time through continuous development and testing
o Reduction in the costs associated with conventional software development
o Scaling of the software development process with the project size
o Automatic deployment of code into the different phases of the SDLC

Continuous deployment: It takes continuous delivery one step further: every change that passes the automated tests is released automatically, without a manual approval step, which results in faster delivery of updates or new versions of the software.

Automated course of action: Automation is often implemented by running appropriate scripts in a process known as an automated course of action. It has the following benefits over manual implementation:
o Predefined scripts, once they have been reviewed, minimize the possibility of user error.
o Scripts can be chained together to automate a sequence of commands.
o They consume less time because they run at the speed of the system and do not depend on the speed of manual input.
o They can be used to continuously monitor for, and instantly identify, incidents and outages.

Continuous monitoring: It refers to monitoring that is built into the system by default rather than implemented externally. The continuous monitoring process ensures that all components are working as expected and generates alerts if any failure occurs. It is tied to automation because the automated responses and dashboards are employed in conjunction with the monitoring.

Continuous validation: This process can also use automation techniques. When the system starts, its configuration files are automatically validated against the specified standards. The process is also used in application or service environments to validate application compliance and to check whether the application meets the defined goals. Automation makes the validation mechanism easy to execute and less prone to errors. The continuous strategy fetches reports from the delivery and deployment stages to monitor and analyze the software against the security standards, and it ensures that there is no deviation from the defined baselines.
Figure 9.10: Resiliency and automation strategies (programmers' environment, testing/integration process, secure staging, roll-out; the whole flow runs as continuous deployment)
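The snapshot-based resiliency, continuous validation, continuous monitoring and automated course of action described above fit together in one flow: validate a change against the standard, snapshot the known-good state, apply the change, probe it, and roll back automatically if the probe fails. The following is an added example, not EC-Council course material. The service, its configuration standard, the health probe and the known-good configuration are all constructed for the example:

```python
"""Resiliency through snapshots, continuous validation, continuous monitoring and
an automated course of action.

Added example, not part of the EC-Council material. The service, its
configuration, the standard it must satisfy and the health probe are constructed
in memory so the flow runs offline. On a real system the snapshot would be a VM
or volume snapshot (or a pinned release), the probe an HTTP health endpoint, and
the ALERT events would feed the monitoring dashboard.
"""
import copy
from typing import Any, Dict, List, Tuple

# Constructed standard that every configuration must meet before it is rolled out.
STANDARD = {
    "required_keys": ("listen_port", "tls_min_version", "debug", "workers"),
    "tls_min_version": "1.2",
}


def _version(text: str) -> Tuple[int, ...]:
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in str(text).split("."))


def validate_config(cfg: Dict[str, Any]) -> List[str]:
    """Continuous validation: compare a configuration against the defined standard."""
    problems: List[str] = []
    for key in STANDARD["required_keys"]:
        if key not in cfg:
            problems.append(f"missing key: {key}")
    if cfg.get("debug") is not False:
        problems.append("debug must be disabled")
    if "tls_min_version" in cfg and _version(cfg["tls_min_version"]) < _version(STANDARD["tls_min_version"]):
        problems.append(f"tls_min_version below {STANDARD['tls_min_version']}")
    return problems


def health_check(cfg: Dict[str, Any]) -> bool:
    """Continuous monitoring probe (constructed rule): the service is up only with a
    usable port and at least one worker. A change can pass validation yet fail here."""
    return 0 < int(cfg.get("listen_port", 0)) < 65536 and int(cfg.get("workers", 0)) >= 1


class Service:
    """A service whose known-good state can be snapshotted and restored."""

    def __init__(self, cfg: Dict[str, Any]) -> None:
        self.cfg = copy.deepcopy(cfg)
        self._snapshots: List[Dict[str, Any]] = []

    def snapshot(self) -> None:
        self._snapshots.append(copy.deepcopy(self.cfg))

    def apply(self, cfg: Dict[str, Any]) -> None:
        self.cfg = copy.deepcopy(cfg)

    def restore(self) -> None:
        """Return to the original state recorded by the most recent snapshot."""
        self.cfg = self._snapshots.pop()


def rollout(service: Service, new_cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Automated course of action for one change: validate, snapshot, apply, probe,
    and roll back without human intervention if the probe fails. Returns the
    outcome and the events that would be sent to the monitoring dashboard."""
    events: List[Tuple[str, str]] = []
    problems = validate_config(new_cfg)
    if problems:
        events.append(("ALERT", "rejected by continuous validation: " + "; ".join(problems)))
        return {"outcome": "rejected", "events": events, "config": copy.deepcopy(service.cfg)}
    service.snapshot()
    service.apply(new_cfg)
    events.append(("INFO", "change applied"))
    if health_check(service.cfg):
        events.append(("INFO", "health check passed"))
        return {"outcome": "applied", "events": events, "config": copy.deepcopy(service.cfg)}
    events.append(("ALERT", "health check failed after change"))
    service.restore()
    events.append(("INFO", "restored last known-good snapshot"))
    return {"outcome": "rolled_back", "events": events, "config": copy.deepcopy(service.cfg)}


# Constructed known-good configuration.
KNOWN_GOOD = {"listen_port": 8443, "tls_min_version": "1.2", "debug": False, "workers": 4}

if __name__ == "__main__":
    svc = Service(KNOWN_GOOD)
    # 1. Violates the standard: stopped by validation before it is ever applied.
    print(rollout(svc, {**KNOWN_GOOD, "debug": True})["outcome"])
    # 2. Meets the standard but breaks the service: monitoring triggers the rollback.
    print(rollout(svc, {**KNOWN_GOOD, "workers": 0})["outcome"])
    # 3. A sound change: applied and kept.
    print(rollout(svc, {**KNOWN_GOOD, "tls_min_version": "1.3"})["outcome"])
    print(svc.cfg)
```

The two checks are deliberately separate: validation answers "does this configuration meet the standard", monitoring answers "does the system actually work after the change", and the snapshot is what makes the automated response safe, because the course of action always has a known-good state to return to.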