Each stage is completely self-contained and completed in order.
Works in cycles, with each cycle producing specific deliverables.
A type of rapid prototyping through repeated processes.
Adaptive Software Development
Dynamic Systems Development Method
Lean Software Development
XP (Extreme Programming)
Also called DevSecOps or Rugged DevOps
Security integrated into all of your DevOps, which includes database design, programming, and infrastructure.
Having security practices integrated into the entire software delivery cycle.
Address security concerns at the beginning of projects.
Add automated security testing techniques.
Continuous Integration - Security in every step with updates from a centralized, controlled repository.
Security Automation - Repeatable/scripted tasks.
Baselining - Reference points that require completion and approval of a set of predefined project requirements to prevent uncontrolled change and lessen vulnerabilities.
Immutable systems - No changes are made to systems in place. They maintain a known, documented, and repeatable configuration.
Infrastructure as Code (IaC) - Programmable infrastructure. Infrastructure configuration is included with application code.
The process of using definition and configuration files to provision and manage data centers.
Automating this process through scripts can ensure that there is more control and less opportunity for error when deploying servers, as compared with manual configuration.
The foundation for secure DevOps.
Method for creating executable code.
Compiled code uses a compiler program, as with C or C++.
Runtime code uses interpreters, as with Java or .NET.
Generally faster but less secure.
These go hand-in-hand.
Control and manage software changes - needed for quality and security.
Version Control (AKA Source Control)
Prevents tampering or changing the source code or executables. Tracks software file changes or application code changes.
Uses distributed storage for code (Git / GitHub or Subversion)
Historical data on changes to files.
Branching and merging capabilities.
Provisioning - The creation or update of a resource.
Deprovisioning - The removal of a resource.
Part of the SDLC.
Generally automated where software packages are made available to users through a self-service portal.
Hard-coding credentials into code.
Proper Error Handling
Errors should be generic / not divulge specific system or application information.
Comments should not be visible in the end-product.
Every input is validated against a range of acceptable values.
If the input does not match that range of values, the input is rejected and an error message is generated.
Proper Input Validation
Scrub & validate input from outside or untrusted sources.
Use of default values and character limitations.
The conversion of data to its anticipated, simplest known form.
Associated with database queries / precompiled SQL statements.
Code Reuse/Dead Code
Reusing existing software modules.
Reused code should be validated for vulnerabilities.
Dead Code: code that no longer provides a useful function but has not been scrubbed.
Use of Third-Party Libraries and SDKs
SDK - Software Development Kit
Know where your code comes from - trusted source.
Check for CVEs (Common Vulnerabilities and Exposures).
Signing executable code using a certificate-based digital signature.
Proves the author's identity and provides code integrity.
Encryption of sensitive data at all times (in transit and at rest).
Standard encryption algorithms, hashing, and digital signatures.
TLS for data in transit.
Hiding back-end code.
Prevents code from being reverse-engineered.
Optimizes performance by assigning blocks of memory to programs and processes.
Vulnerabilities may exploit improper memory utilization (buffer overflow).
Server-Side vs Client-Side Execution and Validation
Client-Side Validation - Entered data is validated via a script on the user's browser before the form is sent to the server.
Server-Side Validation - Occurs on the back-end server housing the application code. Protects against malicious attempts by the user to bypass validation.
Unsigned Java applets in Java Development Kit 1.1 use sandboxes to enforce security.