Time
33 hours 23 minutes
Difficulty
Beginner
CEU/CPE
33

Video Transcription

00:00
Hello and welcome back to the Cybrary 2019 CompTIA Security+ Certification Preparation Course.
00:09
We're going to continue our discussion of Module 3,
00:12
and the topic of discussion will be Domain 3: Architecture and Design.
00:18
Surprisingly enough, we have a brand new objective, which is 3.6, where we have to summarize secure application development and deployment concepts.
00:28
The first item on our agenda is a pre-assessment quiz. In fact, it is a true or false statement, and it reads as follows: the waterfall model is a structured software development methodology, so most times it can be quite rigid.
00:42
Software development will be completed as one single project. Is this a true or false statement?
00:52
In this case, if you selected true, you're absolutely correct.
00:56
As mentioned, this is a brand new objective, 3.6, where we have to literally summarize secure application development and deployment concepts.
01:03
Let's now take a look at some topics which encompass this particular objective.
01:08
What we're gonna do during this particular presentation is highlight these topics. We begin by first discussing development lifecycle models:
01:18
the waterfall model versus agile.
01:22
Then we'll take a look at a concept called Secure DevOps. Some subcategories within Secure DevOps we'll take a look at: security automation,
01:30
continuous integration,
01:33
baselining,
01:34
immutable systems,
01:38
infrastructure as code.
01:41
Some additional concepts which encompass this objective:
01:45
we'll take a look at secure coding techniques
01:49
such as data exposure.
01:51
We'll take a look at code quality and testing:
01:55
static code analyzers,
01:57
dynamic analysis such as fuzzing,
02:01
stress testing,
02:04
sandboxing,
02:06
model verification,
02:07
and last but not least, compiled versus runtime code.
02:13
So without further ado, let's begin by first discussing the system development life cycle,
02:19
which is often referred to as your SDLC or software development life cycle. It is a process that produces software with the highest quality and the lowest cost in the shortest time.
02:30
Your software development lifecycle includes a detailed plan for how to develop,
02:36
alter, maintain, and replace a software system.
02:39
The SDLC involves several distinct stages, including planning, design, building, testing, and deployment.
02:50
Popular software development lifecycle models include the waterfall model, the spiral model, and the agile model.
02:58
Continuing our discussion of development lifecycle models, there are two models we're gonna discuss during this particular video. We can take a look first at the waterfall model, which in fact is a structured software development methodology, so most times it can be quite rigid.
03:12
Software development will be completed as one single project.
03:15
Then we have agile, which is quite a flexible method which allows changes to be made in the project development requirements even if the initial planning has been completed.
03:27
Secure DevOps is a specific type of software methodology that follows an agile model and heavily incorporates security concepts.
03:38
Taking a look at some subcategories which encompass Secure DevOps, the first one we'll take a look at is called security automation.
03:46
Basically, that encompasses tools that test for vulnerabilities.
03:51
Then we have continuous integration, which simply means ensuring that the security features are incorporated at each stage of the application development.
04:00
Baselining simply means creating a starting point for comparison purposes, to apply targets and goals to measure success.
04:09
Immutable systems: that simply means ensuring that once a value or configuration is employed as part of an application, it is not modified.
04:18
And lastly, infrastructure as code means managing hardware and software infrastructure using the same principles as developing computer code.
04:29
This brings us to a brand new topic, which encompasses this objective of 3.6. What we're gonna do is take a look at version control and change management,
04:39
as well as provisioning and deprovisioning.
04:43
When we think about version control, it can be described as software that allows changes to be made and automatically recorded, and, if necessary, to go back to a previous version of the software.
04:55
While change management refers to a methodology for making modifications to a system and keeping track of those changes.
05:04
Provisioning and deprovisioning.
05:08
Did you know that deprovisioning is the process of removing a resource that is no longer needed?
05:13
On the other hand, provisioning is the enterprise-wide configuration,
05:17
deployment, and management of multiple types of IT system resources.
05:24
This brings us to secure coding techniques. Secure coding is the practice of writing software that's protected from vulnerabilities.
05:30
An insecure application lets hackers in.
05:34
They can take direct control of a device or provide an access path to another device.
05:42
To maximize security, applications should incorporate the following secure coding techniques. For example, proper error handling: this involves taking the correct steps when an error occurs so the application does not abort unexpectedly.
05:57
Proper input validation accounts for errors such as incorrect user input.
06:02
For example, a file name for a file that doesn't exist. Normalization is another practice. The goal of normalization is to reduce and eliminate redundancy, to make fewer indexes per table and make searching much faster.
06:16
Stored procedures: Transact-SQL is used to query a SQL Server database and
06:25
can suffer from SQL injection attacks when attackers attach some code to the query.
06:30
Code signing
06:31
hashes the code so that you know that it's the original code and has not been tampered with.
06:36
Encryption
06:39
is a technique to protect code from being stolen. To use the code, you must have the private key to decipher it.
06:47
Continuing our discussion of secure coding techniques: obfuscation or camouflage. In other words, obfuscation or camouflage turns lines of code into an obscure format so that if the code is stolen, it cannot be understood.
07:02
Code reuse and dead code. Code reuse involves reusing code that has already been written, either as it is or as a starting point in a new application.
07:14
Server-side vs. client-side execution and validation. In server-side validation, all of the input validations and the error recovery process are carried out on the server side.
07:25
In the client-side validation method, all of the input validations and the error recovery process are carried out on the client side. In other words, on the user's browser.
07:34
Then we have memory management. It is important that when the developer writes an application, they control how much memory it can consume, as it can create performance issues.
07:46
Then we have the use of third-party libraries and SDKs. The use of apps on mobile devices is a fierce marketplace where, as soon as you purchase a domain name, someone has emailed you to offer you a good deal on mobile apps for your business.
08:03
Then we have data exposure, which is another item in terms of secure coding techniques. This is not recommended,
08:09
since the data is normally encrypted to prevent it from being stolen by attackers. This would include passwords as well as your credit card details.
08:18
Then we come to code quality and testing.
08:22
Some techniques you might want to employ are called static code analyzers. When developers use static code analyzers, the code is not executed locally. Instead, they launch a static code analyzer, and then the source code is run inside a tool that reports any flaws or weaknesses.
08:39
Dynamic analysis. In other words, fuzzing.
08:41
When developers use dynamic analysis, the code is run, and then they use a technique called fuzzing, where random input is inserted into the application to see what the output will be.
08:54
White box pen testers use fuzzing to see the flaws and weaknesses in an application before it's rolled out to the production environment.
09:03
Stress testing is where a load is put on an application
09:07
to see how it processes memory and whether it can deal with the load.
09:11
Sandboxing is where the application is run inside a virtual machine for testing purposes before it's put into production.
09:20
Model verification
09:20
and validation are the primary sources or processes to ensure that an application has no bugs that need to be fixed and that it conforms to the specifications that were written.
09:35
This brings us to compiled versus runtime code.
09:37
Compiled code runs through a compiler to become native code. Many languages are compiled languages, such as C++.
09:46
Compiled code is usually faster than interpreted code. Runtime code is code that is compiled at runtime, in other words, just in time.
09:56
This brings us to our post-assessment question,
10:00
and it reads as follows. In fact, it's a true or false statement.
10:03
Data exposure happens when sensitive information is exposed outside of your app or even inside of your app. Is this true or false?
10:13
In this case, if you said true, you're absolutely correct.
10:18
At this point in time, we have our key takeaways.
10:20
During this particular presentation, we learned that deprovisioning is the process of removing resources that are no longer needed.
10:28
Provisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources.
10:37
Secure coding is the practice of writing software that's protected from vulnerabilities.
10:45
Version control can be described as software that allows changes to be made and automatically recorded, and, if necessary, rolled back to a previous version of the software.
10:54
Change management refers to a methodology for making modifications to a system and keeping track of those changes.
11:01
In our upcoming video, we'll continue on by taking a look at the brand new objective, which is 3.7, where we have to summarize cloud and virtualization concepts. And again, I look forward to seeing you in the very next video.


Instructed By

Jim Hollis
Independent Contractor
Instructor