Chapter 9 - 03 - Understand Secure Application, Development, Deployment, and Automation_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Application Security Exam 212-82 Module Understand Secure Application Design and Flow o e Understand Secure Application, Development, Deployment, and Automation o Application Security Testing Techniques and Tools Architecture = i Understand Software Security Standards, Models, and Frameworks @ e Understand Secure Application, Development, Deployment, and Automation Most organizations concentrate on automation for the development and deployment of an application to cut superfluous operating costs. Although automation can make the software fast and efficient, it can also degrade the performance if proper security baselining is not followed. A security analyst should follow development lifecycle models and techniques to prevent any unknown vulnerabilities and backdoors in the application. This section discusses secure application development, deployment, and automation. Module 09 Page 1181 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Exam 212-82 Certified Cybersecurity Technician Application Security Secure Application Development Environment Development fl Secure Application Development Life Cycle Quality Assurance (QA) @ A secure application development environment is a protected environment in which strategies from the design to deployment | of an application and maintenance are implemented B o Y """"""" Production CHED - Tosgina : — i Staging Secure Application Development Environment (Cont’d) = Development = A Staging Production Quality Assurance (QA) or software runs according to the Programs are tested in this phase to guarantee that the application given piece of code changes to the application program Developers define change and version controls to keep track of any to guarantee that the application The program is tested during the development and staging processes ions complicat any or software accomplishes given tasks without is again tested in the staging phase Once testing is performed in the development phase, the program to ensure the stability of the application phases, the application is deployed Once the code is successfully tested in the development and staging to a real-time environment allowing access to end users check whether end users face any issue in Testers perform quality checks on the deployed software to accessing the application Secure Application Development Environment nment in which strategies A secure application development environment is a protected enviro are implemented. The from the design to deployment of an application and maintenance cture. It begins with secure application development lifecycle has a five-tier archite the production and quality development, testing, and staging, following which it moves into Module 09 Page 1182 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 assurance (QA) levels, thereby ensuring the overall efficiency and integrity of the software or application. The five tiers of the secure application development lifecycle are described below. Development Secure Application Development Life Quality Assurance (QA) Cycle Testing H Production Staging Figure 9.9: Secure application development lifecycle = Development: The program is tested in this phase to guarantee that the application or software runs according to the given piece of code. Subsequently, the program is transferred to the next environment for additional enhancements. In the development phase, developers define change and version controls to keep track of any changes to the application program. = Testing: The program is tested during the development and staging processes to guarantee that the application or software accomplishes given tasks without any complications. In this phase, testers receive the application code from various developers, and they scan the code to identify any bugs or errors. = Staging: After testing is performed in the development phase, the program is again tested in the staging phase to ensure the stability of the application. Once the program is tested in this environment, it is transferred provides a later copy of the testing environment. to the production phase. This phase * Production: Once the code is successfully tested in the development and staging phases, the application is deployed to a real-time environment to allow access to end users. This stage provides everything required to run an application. * Quality Assurance (QA): In this phase, the application’s performance is monitored, and its quality is evaluated in the end users’ network. Testers perform quality checks on the deployed software application. Module 09 Page 1183 to determine whether end users face any issue in accessing the Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Secure Baseline A secure baseline defines how the application should operate in a real-time environment. The baseline should be established with a standard setup. Firewall and operating-system installations, as well as their patches, need to be configured appropriately to secure the application. When patches are released, the baseline should be changed in accordance with the changes or developments to the operating system. Integrity Measurement After the successful creation of a secure baseline, testers examine the application against the new baseline provided. They ensure that all the application components maintain this baseline to ensure the integrity of the application. Module 09 Page 1184 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 Resiliency and Automation Strategies 0O Systems that can be restored to their usual operating conditions after facing an interruption or outage are known and resilient systems QO The resiliency of systems can be improved by adopting a proper configuration or using methods such as snapshots, strengthening the ability to return to the original state, and appropriate fault tolerance and redundancy methods O Automation can also be used to make systems, applications, or networks resilient through continuous automated operations Continuous Automated Course of Actions Testing/integration Programmers’ environment Roll-out Secure staging process f h: 7 ~ Resiliency and Automation Strategies (Cont’d) Continuous Integration 1 1 Itis a practice followed in the software development process in which programmers frequently integrate, develop, and inspect their tasks, typically through automation. Continuous Delivery ; 1 Itisa continuous operation in which the integration process ends and the software development teams are allowed to automate the development and testing process Continuous : 1 validates changes to the code Continuous Monitoring : 1 The continuous monitoring process ensures that all components are working as intended and generates alerts if any failure occurs Deployment Continuous Validation 1 1 It simplifies the integration process further through automated testing that Itis used in an application or service environment to validate application compliance and check whether the application meets the defined goals Resiliency and Automation Strategies Systems that can be restored to their usual operating conditions after an interruption or outage are known as resilient systems. The risks associated with a system are reduced when it is resilient to attacks. The resiliency of systems can be improved by adopting proper configuration or setting methods such as snapshots, strengthening the ability to return to the original state, and also by implementing fault tolerance and redundancy methods. Automation can also be Module 09 Page 1185 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 used to make systems, applications, or networks resilient through continuous operations that boost efficiency and ensure accuracy while deploying software and running scripts or commands. The following are different areas where automation is involved. Continuous integration: It is a practice followed in software development, wherein programmers frequently integrate, develop, and inspect their tasks, typically through automation. the Each integration process is validated automated tasks, which could discover by an automated integration errors build that runs all or bugs as early as possible. Continuous delivery: It is a continuous operation performed after the completion of the integration process, and it allows the software development teams to automate the development and testing processes in the software development lifecycle. The secure staging process is performed in this phase. It offers many advantages while provisioning an integrated toolset. The major advantages include the following: o Minimization of the deployment time by continuous development and testing o Reduction in the costs associated with conventional software development o Extension of software development depending on the project size o Automatic deployment of code into different phases of SDLC Continuous deployment: It simplifies the integration process further through automated testing, which validates changes to the code and could result in the faster delivery of updates or new versions of the software. Automated course of actions: Automation is often implemented by running appropriate scripts in a process known as an automated benefits over manual implementation. course of action. It has the following o If they are inspected, predefined scripts can potentially minimize the possibility of user errors. o Scripts can be bounded together to automate various commands. o They consume o They can outages. less time because they run at the speed dependent on the speed of manual inputs. Continuous be used monitoring: to continuously monitor and of the system and are not instantly identify incidents and It refers to a system that has a default monitoring feature, rather than a monitoring feature implemented externally. The continuous monitoring process ensures that all components are working as expected and generates alerts if any failure occurs. It is tied up with automation because the responses and dashboards are employed in conjunction with monitoring. Continuous validation: This process can also use automation techniques. In this process, when the system is turned on, the configuration files are automatically validated Module 09 Page 1186 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Application Security Exam 212-82 according to the specified standards. This process is also used in application or service environments meets to validate the defined application goals. Automation compliance can make and check whether the validation the application mechanism easy to execute and less prone to errors. The continuous strategy fetches reports from the delivery and deployment stages to monitor and analyze the software to meet the security standards. It also ensures that there is no deviation from the defined baselines. Roll-out Programmers’ environment Testing/integration process Secure staging o / N ai 2 s Continuous Deployment «-seereeee > Figure 9.10: Resiliency and automation strategies Module 09 Page 1187 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.