Application Security

Software Development Life-Cycle SDLC Models

  • Waterfall
    • Steps:
      • Requirements Gathering
      • Design
      • Implementation/Coding
      • Testing/Verification
      • Deployment
      • Maintenance
    • Each stage is completely self-contained and completed in order.
  • Agile
    • Works in cycles, with each cycle producing specific deliverables.
    • A type of rapid prototyping through repeated processes.
    • Methods:
      • Scrum
      • Adaptive Software Development
      • Crystal
      • Feature-Driven Development
      • Dynamic Systems Development Method
      • Lean Software Development
      • XP (Extreme Programming)

Secure DevOps

  • Also called DevSecOps or Rugged DevOps
  • Security is integrated into all DevOps activities, including database design, programming, and infrastructure.
  • Having security practices integrated into the entire software delivery cycle.
  • Address security concerns at the beginning of projects.
  • Add automated security testing techniques.
  • Continuous Integration - Security in every step with updates from a centralized, controlled repository.
  • Security Automation - Repeatable/scripted tasks.
  • Baselining - Reference points that require completion and approval of a set of predefined project requirements to prevent uncontrolled change and lessen vulnerabilities.
  • Immutable systems - no changes are made to systems already in place. They maintain a known, documented, and repeatable configuration.
  • Infrastructure as Code (IaC) - Programmable infrastructure. Infrastructure configuration is included with application code.
    • The process of using definition and configuration files to provision and manage data centers.
    • Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration.
    • The foundation for secure DevOps.
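The baselining and immutable-systems points above can be enforced in code before an Infrastructure-as-Code definition is deployed. The following is an added example written for these notes (not code from the original page): it checks a host definition against an approved baseline and records a fingerprint of the definition so drift from the approved configuration can be detected later. The baseline rules, setting names, and host definition are all constructed for the example.

```python
"""Baseline check for an Infrastructure-as-Code host definition.

Assumptions (constructed for this example): the host definition is a plain
dict as it would be loaded from a JSON/YAML template (parsing omitted), and
the BASELINE rules below are illustrative, not taken from any real standard.
"""
import hashlib
import json

# Constructed baseline: settings every provisioned host must satisfy.
BASELINE = {
    "ssh.password_auth": False,
    "ssh.root_login": False,
    "firewall.enabled": True,
    "logging.remote": True,
    "os.auto_updates": True,
}

# Constructed definition of a host as it would appear in an IaC template.
HOST_DEFINITION = {
    "name": "web-01",
    "ssh.password_auth": True,     # drift: violates the baseline
    "ssh.root_login": False,
    "firewall.enabled": True,
    "logging.remote": True,
    "os.auto_updates": True,
}


def check_baseline(definition, baseline=BASELINE):
    """Return a list of (setting, expected, actual) for every deviation.
    A missing setting counts as a deviation, so an incomplete template
    cannot silently pass the gate."""
    deviations = []
    for setting, expected in baseline.items():
        actual = definition.get(setting, "<missing>")
        if actual != expected:
            deviations.append((setting, expected, actual))
    return deviations


def definition_fingerprint(definition):
    """Stable SHA-256 over the canonical JSON form of the definition.
    Recording this with each deployment gives a reference point for an
    immutable system: any later change to the definition changes the hash."""
    canonical = json.dumps(definition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def approve_for_deployment(definition):
    """Gate step: deployment proceeds only with zero deviations."""
    deviations = check_baseline(definition)
    return len(deviations) == 0, deviations


if __name__ == "__main__":
    approved, devs = approve_for_deployment(HOST_DEFINITION)
    print("approved" if approved else "rejected", devs)
    print(definition_fingerprint(HOST_DEFINITION))
```

Run as a pre-deployment step in the pipeline: a rejected definition stops the job, and the fingerprint of an approved definition is stored so later audits can compare it against what is running.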

Compiled vs Runtime Code

  • Method for creating executable code.
  • Compiled code is produced ahead of time by a compiler for languages such as C or C++.
  • Runtime code is executed by an interpreter or runtime environment, such as the Java or .NET runtime.
    • Generally faster but less secure.

Change Management / Version Control

  • These go hand-in-hand.
  • Control and manage software changes - needed for quality and security.
  • Version Control (AKA Source Control)
    • Prevents tampering or changing the source code or executables. Tracks software file changes or application code changes.
    • Uses distributed storage for code (Git / GitHub or Subversion)
  • Benefits
    • Historical data on changes to files.
    • Branching and merging capabilities.
    • Traceability.

Provisioning and Deprovisioning

  • Provisioning - The creation or update of a resource.
  • Deprovisioning - The removal of a resource.
  • Part of the SDLC
  • Generally automated where software packages are made available to users through a self-service portal.

Secure Coding Techniques

  • Authentication
    • Avoid hard-coding credentials into code.
    • Use of cookies.
  • Proper Error Handling
    • Errors should be generic / not divulge specific system or application information.
    • Comments should not be visible in the end-product.
    • Every input is validated against a range of acceptable values.
      • If the input does not match that range of values, the input is rejected and an error message is generated.
  • Proper Input Validation
    • Scrub & validate input from outside or untrusted sources.
    • Use of default values and character limitations.
  • Normalization
    • The conversion of data to its anticipated, simplest known form.
  • Stored Procedures
    • Associated with database queries / precompiled SQL statements.
  • Code Reuse/Dead Code
    • Reusing existing software modules.
    • Reused code should be validated for vulnerabilities.
    • Dead Code: code that no longer serves a useful function but has not been removed.
  • Use of Third-Party Libraries and SDKs
    • SDK - Software Dev Kit
    • Know where your code comes from - trusted source.
    • Check for CVE (Common Vulnerabilities and Exposures)
  • Code Signing
    • Signing executable code using a certificate-based digital signature.
    • Proves the author's identity and provides code integrity.
  • Data Exposure
    • Encryption of sensitive data at all times (in transit and at rest).
  • Encryption
    • Standard encryption algorithms, hashing, and digital signatures.
    • TLS for data in transit.
  • Obfuscation/Camouflage
    • Hiding back-end code.
    • Makes code harder to reverse-engineer.
  • Memory Management
    • Optimizes performance by assigning blocks of memory to programs and processes.
    • Improper memory handling creates vulnerabilities such as buffer overflows.
  • Server-Side vs Client-Side Execution and Validation
    • Client-Side Validation - Entered data is validated via a script on the user's browser before the form is sent to the server.
    • Server-Side Validation - Occurs on the back-end server housing the application code. Protects against malicious attempts by the user to bypass validation.
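Several of the techniques in the list above (server-side input validation against a range of acceptable values, normalization, precompiled/parameterized statements, and generic error messages that keep detail in the log) work together in one request handler. The following is an added example written for these notes, not code from the original page: an in-memory SQLite database stands in for the real back end, and the field rules, sample rows, and sample requests are constructed for the example.

```python
"""Server-side handling of a user lookup request.

Assumptions (constructed for this example): FIELD_RULES, the users table and
its two rows are illustrative; the request is a plain dict as a web framework
would hand to the handler.
"""
import logging
import sqlite3
import unicodedata

log = logging.getLogger("app")

# Constructed allow-list rules: each field has a fixed type and range.
FIELD_RULES = {
    "username": {"type": str, "max_len": 32,
                 "chars": "abcdefghijklmnopqrstuvwxyz0123456789_"},
    "age": {"type": int, "min": 0, "max": 150},
}


class ValidationError(Exception):
    """Raised with the offending field name; never shown to the client."""


def normalize(value):
    """Normalization: reduce text to its simplest known form (NFKC,
    trimmed, lowercase) before any check, so 'ﬁle' and 'file' compare equal."""
    return unicodedata.normalize("NFKC", value).strip().lower()


def validate(field, raw):
    """Validate one field against its rule; reject anything outside the range."""
    rule = FIELD_RULES[field]
    if rule["type"] is int:
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValidationError(field)
        if not rule["min"] <= value <= rule["max"]:
            raise ValidationError(field)
        return value
    if not isinstance(raw, str):
        raise ValidationError(field)
    value = normalize(raw)
    if (not value or len(value) > rule["max_len"]
            or any(c not in rule["chars"] for c in value)):
        raise ValidationError(field)
    return value


def make_db():
    """Constructed stand-in for the application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, age INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", 30), ("bob", 41)])
    return db


def lookup_user(db, request):
    """Server-side entry point. Returns (status, body). Full error detail
    goes to the internal log; the client only ever sees a generic message."""
    try:
        username = validate("username", request.get("username"))
        # Parameterized (precompiled) statement: the value is bound as data,
        # never concatenated into the SQL text.
        row = db.execute("SELECT username, age FROM users WHERE username = ?",
                         (username,)).fetchone()
        if row is None:
            return 404, {"error": "not found"}
        return 200, {"username": row[0], "age": row[1]}
    except ValidationError as exc:
        log.warning("rejected input for field %s", exc)
        return 400, {"error": "invalid request"}
    except Exception:
        log.exception("unhandled error in lookup_user")  # detail stays internal
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(lookup_user(db, {"username": "Alice "}))
    print(lookup_user(db, {"username": "' OR 1=1 --"}))
```

Client-side validation can still run the same rules in the browser for a better user experience, but the server-side check is the one that counts, because the client copy can be bypassed.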

Java

  • Unsigned Java applets in Java Development Kit 1.1 use sandboxes to enforce security.