Hello and welcome to the CompTIA Certified Advanced Security Practitioner Certification Preparation Course.
This is Module 5, which is titled Host Security Controls.
These are the learning objectives, which encompass Module 5, including the discussion of application development security.
This particular section is actually section number two.
We have only one learning objective.
Let's begin by taking a look at a pre-assessment question, and the question is as follows. A blank addresses a specific customer situation and often may not be distributed outside that customer's organization. Is it A, a rollup; B, a service pack; C, a patch; or D, a hotfix?
If you selected D, you are absolutely correct. It is in fact a hotfix.
Now we begin the process of taking a look at application security.
As a future Certified Advanced Security Practitioner, besides protecting the operating system on the hosts, there's also a need for you to protect the applications that run on these devices. Now, first, the aspects of application security: we have application development security, and then we have application hardening and patch management.
The first item on our agenda is taking a look at security for these applications, and obviously, as a Certified Advanced Security Practitioner, you must consider security through all phases of the development life cycle. The application configuration baseline, which encompasses standard environment settings, can establish a secure baseline.
It includes each development system, build system and test system,
and must include the systems as well as the network configuration.
Another area of concern is making sure that we engage in what we call secure coding practices, because when you engage in that process, coding standards are going to increase the application's consistency, reliability and security. Coding standards will also allow developers to quickly understand and work with code
that has been developed by different members of a team,
and lastly, coding standards are useful in the code review process. Now, a good example of a coding standard is to use a wrapper function. In other words, a substitute for a regular function, used in testing to add error-checking routines to a pre-existing system function.
This brings us to error and exception handling. When you think about an error, basically what an error is, it's a fault that occurs while the application is running. Obviously, the response to the user should be based on the error. The application should be coded so that each error is caught and effectively handled. Obviously, when you have improper
error handling in an application, it can ultimately lead to some type of application failure.
Now, the following may indicate potential error handling issues. First of all, failure to check return codes or handle exceptions; improper checking of exceptions or return codes; and handling all return codes and exceptions in the same manner.
Another concern is that it divulges potentially sensitive data. Now there's a process called fuzz testing, and basically it's a software testing technique that literally provides invalid, unexpected or random data as inputs to a program.
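The wrapper function, the error-handling issues and the fuzz testing just described fit together in one piece of code. The following is an added example written for this lecture, not code from the course: a wrapper around the pre-existing function `json.loads` that classifies each failure separately (instead of treating every return code or exception the same way), returns only a canned user-facing message so no internal detail is divulged, and a small fuzz harness that feeds mutated random bytes to the wrapper and counts any input that escapes as an unhandled exception. The `Status` codes, the size limit and the seed inputs are assumptions chosen for the example.

```python
"""Wrapper function, classified error handling and a fuzz harness.
Added example for the lecture above; not course material.
Assumption: a service receives a JSON body from a user, parses it with
json.loads (the pre-existing system function) and must return an internal
status plus a user-safe message."""
import json
import logging
import random
from enum import Enum

log = logging.getLogger("app")


class Status(Enum):
    OK = 0
    EMPTY_INPUT = 1   # caller sent nothing
    TOO_LARGE = 2     # resource-exhaustion guard
    MALFORMED = 3     # not valid UTF-8 / JSON
    WRONG_TYPE = 4    # valid JSON, but not the object we expect
    INTERNAL = 5      # anything we did not anticipate


MAX_BYTES = 4096  # assumed limit for this example

# The only text a user ever sees; internal detail goes to the server log only.
USER_MESSAGES = {
    Status.OK: "ok",
    Status.EMPTY_INPUT: "Request body is empty.",
    Status.TOO_LARGE: "Request body is too large.",
    Status.MALFORMED: "Request body is not valid JSON.",
    Status.WRONG_TYPE: "Request body must be a JSON object.",
    Status.INTERNAL: "An internal error occurred.",
}


def safe_parse_json(raw: bytes):
    """Wrapper around json.loads that classifies every failure.
    Returns (status, value, user_message) and never raises."""
    try:
        if not raw:
            return Status.EMPTY_INPUT, None, USER_MESSAGES[Status.EMPTY_INPUT]
        if len(raw) > MAX_BYTES:
            return Status.TOO_LARGE, None, USER_MESSAGES[Status.TOO_LARGE]
        text = raw.decode("utf-8")          # UnicodeDecodeError -> MALFORMED
        value = json.loads(text)            # JSONDecodeError -> MALFORMED
        if not isinstance(value, dict):
            return Status.WRONG_TYPE, None, USER_MESSAGES[Status.WRONG_TYPE]
        return Status.OK, value, USER_MESSAGES[Status.OK]
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        log.warning("malformed input rejected: %s", exc)   # detail stays in the log
        return Status.MALFORMED, None, USER_MESSAGES[Status.MALFORMED]
    except Exception as exc:  # catch-all: an input must never crash the application
        log.error("unexpected parser failure: %r", exc)
        return Status.INTERNAL, None, USER_MESSAGES[Status.INTERNAL]


def fuzz(iterations=2000, seed=1):
    """Feed random, mutated bytes to the wrapper. Returns how many inputs
    produced an unhandled exception or a message that is not one of the
    canned ones (i.e. leaked something)."""
    rng = random.Random(seed)
    # Constructed seed corpus: valid, invalid and truncated documents.
    seeds = [b"", b"{}", b'{"a": 1}', b"[1, 2]", b'{"a": "\\u00e9"}', b"\xff\xfe", b'{"a": ']
    failures = 0
    for _ in range(iterations):
        buf = bytearray(rng.choice(seeds))
        for _ in range(rng.randint(0, 8)):  # mutate: flip, insert, delete, append
            op = rng.randint(0, 3)
            if op == 0 and buf:
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            elif op == 1:
                buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
            elif op == 2 and buf:
                del buf[rng.randrange(len(buf))]
            else:
                buf.extend(rng.randrange(256) for _ in range(rng.randint(1, 64)))
        try:
            status, _, msg = safe_parse_json(bytes(buf))
            if msg != USER_MESSAGES[status]:
                failures += 1
        except Exception:
            failures += 1
    return failures
```

Running `fuzz()` against this wrapper should return 0; if a future change to the wrapper lets an exception through, the count becomes non-zero, which is exactly the signal fuzz testing is meant to give.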
Then we have a term called input validation. Now, input validation is a specific type of error handling. It verifies the responses that the user makes to the application. When you engage in what we call improper verification, it results in a cause for, you know, XSS, SQL injection or XML injection attacks.
We have a term called cross-site request forgery.
This particular type of situation is an attack that uses the user's web browser settings to impersonate the user. So to prevent cross-site scripting, a program should trap or test for these user responses.
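One way an application traps for the forged request described above is a per-session anti-CSRF token that the browser does not send automatically. The following is an added example, not code from the course: the token is derived from the session identifier with an HMAC under a server-side key, and every state-changing request must carry it in the form body in addition to the session cookie. The request and session structures are assumptions made for the example.

```python
"""Anti-CSRF token check. Added example; not course material.
Assumptions: a request is a dict with 'method', 'cookies' and 'form' keys,
and 'sessions' is the server's store of valid session ids."""
import hashlib
import hmac
import secrets

# In practice this key is persistent and protected; here it is generated per run.
SERVER_SECRET = secrets.token_bytes(32)

STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session. A cross-site page can make the browser
    send the session cookie, but it cannot read or reproduce this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(request: dict, sessions: set) -> bool:
    """Allow safe methods; for state-changing ones, require a valid session
    cookie AND a form token that matches the token issued for that session."""
    if request.get("method", "GET") not in STATE_CHANGING:
        return True
    session_id = request.get("cookies", {}).get("session")
    if session_id not in sessions:
        return False
    expected = issue_csrf_token(session_id)
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(expected, supplied)


def demo():
    """Constructed requests: one legitimate, one forged (cookie only)."""
    sessions = {"sess-42"}
    legit = {"method": "POST", "cookies": {"session": "sess-42"},
             "form": {"amount": "10", "csrf_token": issue_csrf_token("sess-42")}}
    forged = {"method": "POST", "cookies": {"session": "sess-42"},
              "form": {"amount": "10"}}
    return is_request_allowed(legit, sessions), is_request_allowed(forged, sessions)
```

The forged request carries the victim's cookie, because the browser attaches it to every request for that site, but not the token, so `demo()` returns `(True, False)`.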
Generally speaking, with input validation, the application uses a server to perform the validation. In this case, we're talking about server-side validation. It is possible to have the client perform the validation; in other words, client-side validation. When you look at client-side validation, all input validation and error recovery procedures are performed
by the user's web browser.
Now, obviously, there's another approach to preventing SQL injection attacks, and that is not using SQL relational databases. NoSQL is a non-relational database that's better tuned for accessing large data sets.
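To make the server-side validation and SQL injection points above concrete, here is an added example that is not from the course. It builds an in-memory SQLite table with constructed rows, then shows a lookup that concatenates the user's text into the statement beside one that validates the input against an allow-list on the server and passes it to the database as a bound parameter, so the input is only ever data. The table, column names and username format are assumptions for the example.

```python
"""Server-side input validation and parameterized queries.
Added example; not course material. Table layout and the allowed
username format are assumptions."""
import re
import sqlite3

# Allow-list: what a username may look like. Anything else is rejected,
# not "cleaned"; validation happens on the server, never only in the browser.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, username):
    """Improper verification: the user's text becomes part of the SQL statement."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the database driver treats the value as data only."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_hardened(conn, username):
    """Defense in depth: server-side allow-list validation, then a bound parameter."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return lookup_parameterized(conn, username)


def demo():
    """Run one legitimate and one malformed (constructed) input through all three."""
    conn = make_db()
    good, bad = "alice", "' OR '1'='1"
    return {
        "vulnerable_good": len(lookup_vulnerable(conn, good)),
        "vulnerable_bad": len(lookup_vulnerable(conn, bad)),
        "parameterized_bad": len(lookup_parameterized(conn, bad)),
        "hardened_bad": len(lookup_hardened(conn, bad)),
        "hardened_good": len(lookup_hardened(conn, good)),
    }
```

With the malformed input, the concatenated query returns every row in the table, the parameterized query returns none (no user is literally named that), and the hardened version rejects the input before the database is touched at all.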
Another thing that we can do, as a future Certified Advanced Security Practitioner, is to make sure we ensure that the applications are hardened, and the purpose is intended to prevent attackers from exploiting vulnerabilities. When we think about a vulnerability, it is a weakness in the software or application.
We also engage in a process called patch management. Until recently, in this case, users were responsible for installing patches; however, now more application patch management tools have been developed to again patch these various vulnerabilities as they become readily apparent.
Now it's time for the post-assessment question, and the question is as follows.
Which of the following is not an advantage of secure coding? Is it A, coding standards increase application consistency, reliability and security; B, coding standards allow developers to quickly understand and work with code that has been developed by different members of a team; C, coding standards are
useful in the code review process;
or D, users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service?
If you selected D, that's absolutely correct.
Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service.
For the review: during this presentation, we discussed protecting the applications running on your hardware. We discussed creating a configuration baseline as well as secure coding practices.
This brings us to an upcoming topic, which is titled Section 3, How to Secure Data. I look forward to seeing you in the very next video.